5. Risk Management

5.3 Explain risk management processes and concepts

Risk Response Features:

Risk mitigation: Accomplished any time you take steps to reduce the likelihood or impact of a risk. This category includes installing antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall, and so on. Mitigation lowers a risk rather than removing it; what remains is residual risk, which must still be accepted or transferred.

Risk avoidance: Elimination of the activity or vulnerability that gives rise to a particular risk, so that the risk is avoided altogether. This is the most effective response, but it is often not possible because of organizational requirements. Eliminating email to avoid the risk of email-borne malware would be effective, but it is not a realistic approach in the modern enterprise.

Risk assessment: Should include planning against both external and internal threats. During a risk assessment, it is important to identify potential threats and document standard responses. Strictly, assessment is the analysis step that precedes choosing a response; it is listed here because the response selected depends on its output.

Risk transference: A risk, or the financial effect of its exposure, may be transferred by moving to hosted providers that assume responsibility for recovery and restoration, or by acquiring insurance to cover costs arising from equipment theft or data exposure. Transference shifts cost and operational duties, not accountability: the organization remains answerable to its customers and regulators for the outcome.

While performing a risk assessment for an organization, the following should be done during impact assessment and quantification:

Asset identification - Identify organizational assets

Threat assessment - Identify the threats to the assets or resources

Impact definition and quantification - Study the likely loss to the assets or resources due to a given threat. The loss may be to brand image, not necessarily to a physical resource.

Control design and evaluation - Put controls in place to mitigate the threat. Controls may be device based, software based, or based on personnel training, and each should be evaluated against the loss it actually prevents.

Assets must be identified first, because threats, impacts and controls are all defined relative to the assets they affect. Vulnerability assessment is part of an organization's security architecture.

ALE: The Annualized Loss Expectancy (ALE) is the expected monetary loss for an asset due to a risk over a one-year period. It is defined as: ALE = SLE * ARO

where SLE is the Single Loss Expectancy (the loss from a single occurrence, calculated as the asset value multiplied by the exposure factor, i.e. the fraction of the asset's value lost in one incident) and ARO is the Annualized Rate of Occurrence (the expected number of occurrences per year, which may be fractional, e.g. 0.1 for an event expected once per decade).

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, it is not worth spending $10,000 per year on a security measure that eliminates it. More generally, the annual value of a control is the ALE before the control minus the ALE after it, minus the control's own annual cost; a negative result means accepting the risk is the cheaper option.
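The following is an added example, not code from the original page: it carries the ALE formula above through a control cost-benefit comparison using the page's symbols (SLE = AV * EF, ALE = SLE * ARO) and goes one step beyond the text by ranking several candidate controls by net annual benefit. All dollar figures, exposure factors and rates are constructed for illustration, and the class and function names are the example's own.

```python
"""Annualized Loss Expectancy (ALE) and control cost-benefit analysis.

Added illustration; all figures below are constructed, not real data.
ALE = SLE * ARO, where SLE = AV * EF (asset value times exposure factor).
A control is worth its price only if the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: business/replacement value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year (0.1 = once per decade)

    def sle(self) -> float:
        """Single Loss Expectancy: the loss from one occurrence (AV * EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0.0:
            raise ValueError("annualized rate of occurrence cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (SLE * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly cost of the safeguard (licences, hardware, staff time)
    ef_after: float     # exposure factor once the control is in place
    aro_after: float    # rate of occurrence once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset and threat, with the control's reduced EF and ARO applied."""
    return Risk(risk.name, risk.asset_value, control.ef_after, control.aro_after)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE removed minus the control's annual cost.

    A negative value means the safeguard costs more per year than the loss it
    prevents; accepting the risk is then the rational choice.
    """
    ale_removed = risk.ale() - residual_risk(risk, control).ale()
    return ale_removed - control.annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Order candidate controls by net annual benefit, best first."""
    scored = [(c.name, net_benefit(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario (hypothetical numbers): a $100k asset, half of its value
# lost per incident, expected once every ten years, giving the page's $5,000 ALE.
EMAIL_MALWARE = Risk("email-borne malware", asset_value=100_000.0,
                     exposure_factor=0.5, aro=0.1)

CANDIDATE_CONTROLS = [
    # The page's example: $10,000/year to eliminate a $5,000/year loss.
    Control("eliminate email entirely", annual_cost=10_000.0, ef_after=0.0, aro_after=0.0),
    # A cheaper mitigation that leaves residual risk: incidents still happen,
    # but tested backups cut the loss per incident from 50% to 10% of AV.
    Control("tested offline backups", annual_cost=1_500.0, ef_after=0.1, aro_after=0.1),
    # Accepting the risk: nothing changes, nothing is spent.
    Control("accept the risk", annual_cost=0.0, ef_after=0.5, aro_after=0.1),
]


if __name__ == "__main__":
    print(f"{EMAIL_MALWARE.name}: SLE=${EMAIL_MALWARE.sle():,.0f} "
          f"ARO={EMAIL_MALWARE.aro} ALE=${EMAIL_MALWARE.ale():,.0f}")
    for name, value in rank_controls(EMAIL_MALWARE, CANDIDATE_CONTROLS):
        print(f"  {name:28s} net annual benefit: ${value:,.0f}")
```

With these inputs the backup control ranks first (it removes $4,000 of annual loss for $1,500), accepting the risk is neutral, and eliminating email comes last at a net loss of $5,000 per year, which is the page's point: a control is judged by the ALE it removes, not by how completely it removes the threat.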

The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organization with an accurate picture of the situation it faces.

Four strategies are normally used to respond to risk:

1. Acceptance: Accepting a risk means that its severity is low enough that no action is taken unless the risk materializes. Using the acceptance strategy means the severity of the risk is lower than the organization's risk tolerance level; the decision should still be documented and approved, so that it is a conscious choice rather than an oversight.

2. Transfer: The transfer strategy in managing risk is to give responsibility for the risk to someone outside the project. The risk does not go away; the responsibility of the risk is simply given to someone else.