Ch15 - 15.03 - Risk Mitigation Strategies Flashcards
Risk Mitigation Strategies
- Mitigate the risk (mitigation)
- Accept the risk (acceptance)
- Transfer the risk (transference)
- Avoid the risk (risk avoidance)
- Deter the risk (deterrence)
- Mitigate the risk (mitigation)
The first way to deal with the risk is by mitigating it. Mitigation involves implementing a security control that protects the asset from the threat. For example, to protect against hard drive failure on the web server, you could purchase a RAID solution.
- Accept the risk (acceptance)
Another way to handle the risk is to accept it. Accepting the risk means that you do not implement any solution to protect against the threat because you are satisfied that the chances of the threat occurring and the impact of the threat do not warrant the cost of implementing a security control.
- Transfer the risk (transference)
You can also look at transferring the risk, which means you make the threat somebody else’s problem! For example, you may get insurance that helps you recover from the security incident.
- Avoid the risk (risk avoidance)
Risk avoidance is the idea that whatever the activity is that puts you at risk, you decide not to perform that activity any more in order to avoid the risk. For example, having an e-commerce web site to earn revenue puts you at risk of attack from sources on the Internet; you can avoid this by not selling products online (but you also lose the revenue).
- Deter the risk (deterrence)
A less common approach to dealing with risk is to deter it. An example of deterring a risk is to threaten punishment (typically legal punishment) against anyone who attacks the asset; you are deterring the event from occurring.