Risk Response Strategies
There are many ways to respond to risk. Risks can be accepted, mitigated, avoided, and transferred.
Learning Objectives
You should be able to describe the following terms precisely:
- Vulnerability
- Threat
- Exploit
You should be able to describe different risk responses:
- Accept
- Mitigate
- Avoid
- Transfer
Vulnerabilities and Threats
In a threat assessment, an organization will identify potential vulnerabilities and threats that could harm assets. The likelihood of harm, severity of harm, and asset value help determine how much time and effort the organization should spend to secure its resources.

Vulnerabilities are weaknesses. An information system that has no backups is vulnerable to data loss. Computers that do not run anti-virus software are vulnerable to malware infections. People who use the same password for all of their accounts are vulnerable to having their accounts stolen. Any single point of failure (such as having only one internet service provider or one router to the internet) is a vulnerability. A vulnerability might exist for years without anything bad ever happening. Organizations need to be aware of their vulnerabilities.
Threats are people or events that exploit vulnerabilities. Threats might be people such as malicious insiders, nation-state hackers, or typo-prone system administrators. Threats can be natural in origin, too. A hurricane is a threat because it can destroy a data center. Power surges during thunderstorms can cause equipment to fail, which could lead to a loss of availability.
Risk is the likelihood that a vulnerability will be exploited leading to a loss. Likelihood is the probability that an adverse event will occur. Severity is the magnitude of harm if the event occurs. A risk score can be calculated by multiplying likelihood by severity. The higher the risk score, the more concerned an organization should be about the risk.
Scenario 1: Lost smart card. Employees at ACME use a combination of a smart card and a personal identification number (PIN) to log in to computers. ACME expects several employees to lose their smart cards every month. But because the smart card is useless without the PIN or physical access to computer systems, it is unlikely that a smart card could be badly abused. The likelihood is high (e.g., a 10/10), but the severity is low (e.g., 1/10), so the overall risk score is low (10/100 in this example). This means that ACME should probably not invest significant resources to address lost smart cards.
Responding to Risk
Organizations have several strategies they can employ to respond to risks.
- Risk acceptance. The identified risks are within the organization's tolerance, so the organization chooses to continue its current practices unchanged. In the smart card example explained previously, the risks associated with lost smart cards can likely be accepted without modifying any organizational practices.

- Risk mitigation. If risks are above an organization's tolerance, actions can be taken to reduce the chance of an adverse event occurring or reduce the severity of an event. In the smart card example, risk could be reduced by requiring employees to use a third factor when logging in, such as biometrics. Requiring a third factor would reduce risk, but comes at a cost. Systems might become harder to use, biometric identification could be costly, and systems would become more complex overall.

- Risk avoidance. When risks are above an organization's risk tolerance and they cannot be mitigated sufficiently, the organization can simply choose not to engage in the activity. For example, a company might judge the risk of "smart" devices being hacked to be too high, so it develops a policy prohibiting smart devices from connecting to the network.

- Risk transfer. Risks can be shifted to third parties. Risk transfer is typically handled by a company purchasing cybersecurity insurance. An organization might do its best to secure its systems but still purchase cybersecurity insurance. A single data breach can cost organizations millions of dollars. Cybersecurity insurance is becoming a standard cost that organizations must bear.
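The four responses above can be written down as a decision procedure over a risk register: score each risk as likelihood times severity, compare it with the organization's tolerance, and then work through accept, mitigate, avoid and transfer in turn. The following Python is an added worked example, not part of the lesson; the tolerance threshold, the 1-10 cost scale for controls, the decision order, and every number in the sample register are illustrative assumptions modeled on the lesson's scenarios, not ACME's real figures.

```python
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    """A control that lowers likelihood and/or severity at some relative cost."""
    name: str
    residual_likelihood: int  # 1-10 after the control is in place
    residual_severity: int    # 1-10 after the control is in place
    cost: int                 # relative cost 1-10 (constructed scale, not a real estimate)


@dataclass
class Risk:
    """One row of a risk register: a vulnerability paired with the threat that exploits it."""
    name: str
    vulnerability: str
    threat: str
    likelihood: int                 # 1-10, probability the threat exploits the vulnerability
    severity: int                   # 1-10, magnitude of harm if it does
    avoidable: bool = False         # can the organization simply stop the activity?
    insurable: bool = False         # can the loss be shifted to an insurer or third party?
    mitigations: list = field(default_factory=list)


def risk_score(likelihood: int, severity: int) -> int:
    """Risk score as the lesson defines it: likelihood multiplied by severity (max 100)."""
    for value in (likelihood, severity):
        if not 1 <= value <= 10:
            raise ValueError(f"likelihood and severity must be on a 1-10 scale, got {value}")
    return likelihood * severity


def choose_response(risk: Risk, tolerance: int, max_mitigation_cost: int) -> tuple:
    """Map a risk to accept / mitigate / avoid / transfer.

    Returns (response, residual_score). The order is one reasonable policy
    (an assumption of this example): accept what is already within tolerance;
    otherwise mitigate with the cheapest control that brings the residual score
    within tolerance; otherwise avoid the activity if that is possible;
    otherwise transfer the loss if it is insurable; otherwise the risk is
    accepted anyway, because mitigation costs more than the organization will pay.
    """
    inherent = risk_score(risk.likelihood, risk.severity)
    if inherent <= tolerance:
        return ("accept", inherent)

    affordable = [
        m for m in risk.mitigations
        if m.cost <= max_mitigation_cost
        and risk_score(m.residual_likelihood, m.residual_severity) <= tolerance
    ]
    if affordable:
        best = min(affordable, key=lambda m: m.cost)
        residual = risk_score(best.residual_likelihood, best.residual_severity)
        return (f"mitigate ({best.name})", residual)

    if risk.avoidable:
        return ("avoid", 0)  # the activity is discontinued, so the risk no longer exists
    if risk.insurable:
        return ("transfer", inherent)  # the loss is shifted, but the event can still occur
    return ("accept", inherent)  # above tolerance with no workable alternative: explicit acceptance


def plan(register: list, tolerance: int, max_mitigation_cost: int) -> dict:
    """Decide a response for every risk in the register, keyed by risk name."""
    return {r.name: choose_response(r, tolerance, max_mitigation_cost) for r in register}


# Constructed sample register modeled on the lesson's scenarios; every number is an
# illustrative assumption, not a measurement.
SAMPLE_REGISTER = [
    Risk("lost smart card", "card can be lost", "finder of the card",
         likelihood=10, severity=1,
         mitigations=[Mitigation("add biometric third factor", 10, 1, cost=7)]),
    Risk("no backups", "no tested backups", "ransomware operator or disk failure",
         likelihood=6, severity=9,
         mitigations=[Mitigation("offline, regularly tested backups", 6, 2, cost=4)]),
    Risk("smart devices on the network", "unpatched consumer firmware", "remote attacker",
         likelihood=7, severity=6, avoidable=True,
         mitigations=[Mitigation("dedicated segmented IoT network", 3, 6, cost=9)]),
    Risk("customer data breach", "large store of personal data", "external intruder",
         likelihood=3, severity=10, insurable=True,
         mitigations=[Mitigation("encrypt data at rest", 3, 8, cost=5)]),
]

if __name__ == "__main__":
    decisions = plan(SAMPLE_REGISTER, tolerance=20, max_mitigation_cost=6)
    for name, (response, residual) in decisions.items():
        print(f"{name:30s} -> {response:45s} residual score {residual}")
```

With a tolerance of 20 and a maximum control cost of 6, the lost smart card is accepted (score 10), the missing backups are mitigated because a cheap control brings the score from 54 down to 12, the smart devices are avoided because the only control is too expensive, and the breach risk is transferred because encryption alone leaves the score above tolerance and the activity cannot be discontinued. Changing the tolerance or the cost ceiling moves risks between categories, which is the point: the same vulnerability and threat can warrant different responses in different organizations.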

These risk responses apply in many different scenarios, not just cybersecurity. You might accept the risks associated with bungee jumping. You might mitigate the risks of bungee jumping by making sure the bungee jumping company has relevant certifications or by choosing a provider that has backup safeguards (such as jumping over water). You can avoid bungee jumping risks by choosing not to jump. You can transfer bungee jumping risks by purchasing life insurance.
Reflection
- To what degree does risk transference absolve you of the responsibility of carrying out cybersecurity best practices?
- How do you employ different risk responses in your life?
Key Terms
- Vulnerability: A weakness or flaw in a system, application, or network that can be exploited by a threat actor to gain unauthorized access or cause harm. Vulnerabilities can result from software bugs, misconfigurations, or inadequate security practices.
- Threat: Any potential danger that can exploit a vulnerability to cause harm to a system, network, or organization. Threats can be intentional, such as cyber attacks, or unintentional, such as natural disasters or human errors.
- Exploit: A method or tool used by threat actors to take advantage of a vulnerability in a system, application, or network. Exploits can lead to unauthorized access, data breaches, or other malicious activities.
- Risk Acceptance: A risk management strategy where an organization decides to acknowledge the risk and its potential impact but chooses not to take any action to mitigate it. This approach is typically used when the cost of mitigation exceeds the potential loss or when the risk is deemed acceptable.
- Risk Mitigation: A risk management strategy that involves taking actions to reduce the likelihood or impact of a risk. Mitigation measures can include implementing security controls, patching vulnerabilities, and enhancing monitoring and response capabilities.
- Risk Avoidance: A risk management strategy that involves eliminating the risk by discontinuing the activity or process that generates the risk. This approach is used when the risk is deemed too high and cannot be effectively mitigated.
- Risk Transfer: A risk management strategy that involves shifting the risk to a third party, such as through insurance or outsourcing. This approach allows an organization to reduce its exposure to the risk while ensuring that it is managed by an external entity.