Introduction to Risk

Information Security Risk Management

Information-gathering aided by formal practices and technologies

Risk Management Purpose

Collective Risk Management

Planning

Analysis

Recommendation

Monitoring

A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.

A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.

A security control objective cannot be met through a technical change, so the company changes as method of operation.

A security control objective cannot be met through a technical change, so the Chief Information Officer (CIO) decides to sign off on the risk.

To define the level or risk using probability and likelihood

To register the risk with the required regulatory agencies

To identify the risk, the risk owner, and the risk measures

To formally log the type of risk mitigation strategy the organization is using

researching, reviewing, and acting on

identifying, analyzing, and responding to

reviewing, monitoring, and managing

identifying, reviewing, and avoiding

analyzing, changing, and suppressing

Risk Monitoring and Control

Risk Identification

Risk Avoidance

Risk Response Planning

Risk Management Planning

A. Mitigation

B. Deflection

C. Avoidance

D. Transfer

When the risk event has a low probability of occurrence and low impact

When the risk event is unacceptable -- generally one with a very high probability of occurrence and high impact

When it can be transferred by purchasing insurance

A risk event can never be avoided

Avoidance

Mitigation

Acceptance

Transfer

Tolerance

Using proven technology in the development of a product to lessen the probability that the product will not work

Purchasing insurance

Eliminating the cause of a risk

Accepting a lower profit if costs overrun

a and b