Elizabeth Rasnick

Day 31 of 100 Days of Cybersecurity - Cyber Risk Management


Risk management is difficult enough on its own; when we move to cyberspace, the complexity grows exponentially. I’m going to provide a super short description of cybersecurity risk management methods. There are four key methods of risk management in cybersecurity: risk avoidance, risk mitigation, risk transference, and risk acceptance. Like all things in the cyber realm, there are trade-offs for each of these options. An organization must determine which method or set of methods will work best for it. These choices should also be reviewed periodically as an organization’s structure and needs change.


Risk avoidance is the intentional nonparticipation in activities deemed to have more potential cost than possible gain. Many of these are quite simple to identify and often include things like prohibiting explosives on the premises or banning smoking in areas with flammable gases. Risk avoidance all but eliminates the possibility of a particular event occurring.


Risk mitigation requires more effort than avoidance. Mitigation means making efforts to reduce the likelihood of a particular event taking place, or to reduce the impact of the event should it occur. Mitigation is often used in conjunction with other types of risk management; it is not uncommon for cyber insurance rates to be reduced if steps are taken to mitigate risk. Risk mitigation includes things like putting up signs reminding people of rules and procedures and requiring new passwords every 90 days. Neither of these steps eliminates risk; however, they reduce the likely impact of a bad event.


Risk transference shifts the responsibility for a risk to a third party. The most common example of this is insurance. We all have insurance of some type. Insurance commercials run frequently on radio, television, and online. Insurance is part of our everyday lives. Insurance companies have developed cybersecurity policies to address the constant barrage of cyber threats. Organizations pay a monthly premium to their insurance company. The insurance company puts those funds in an account, where they accumulate over time. In the event of a cyber attack, the accumulated funds are used to pay for the damages incurred.


Risk acceptance is recognizing that an event with a negative impact is likely to occur, but that the cost would be so small that it is absorbable. We all have plenty of events in our daily lives for which we accept the risk. If we drive our cars after the fuel light comes on, we run the risk of running out of gas. If we don’t immediately put more gas in the tank, we are accepting the risk of running out of gas.


An organization may use a combination of the risk management methods. It may choose avoidance for some risks, a combination of risk mitigation and transference for others, and risk acceptance for the rest.

