Risk Treatment
Now that risk is identified, how do we address it? In information security, new risks surface daily. They arise from the evolving threat landscape, the adoption of new technologies, changes in regulatory requirements, and the potential for human error.
In principle, there are six methods (treatments) for addressing risk. Each is explained below:
- Risk Assumption – To assume risk is to accept it. Often the impact or probability of occurrence is low, and the cost of addressing the risk is not justified by the benefit. For example, a data center may reside in an area prone to severe weather. However, the data center operator has set up a redundant operation or co-location with real-time failover in an area less prone to severe weather. As a result, the data center operator chooses to accept (or assume) the geographical location risk.
- Risk Avoidance – This is the most common method of addressing risk. Avoiding risk involves eliminating the cause or the consequence of the risk. For example, we recognize that loss of power is a real and probable threat to our data center environment. Therefore, we avoid the risk by implementing battery and generator backup that can run continuously until power is restored.
- Risk Limitation – Risk limitation is very similar to risk avoidance. Risk limitation, however, addresses risk by reducing either the probability or the impact of a given identified risk. For example, implementing anti-virus and anti-malware solutions limits the risk of malicious attack. We recognize that the risk is not completely eliminated, but it is significantly reduced.
- Risk Planning – Often, risk mitigation is not a one-step, one-time effort. Avoiding or limiting a risk may involve multiple individuals, departments, processes, projects, and steps. An example of risk planning is security awareness training: it may not be possible to convey all necessary training in one session, so a series of sessions that address risks and human error may be required. Additionally, evolving threats may have to be addressed in an ongoing effort.
- Research and Acknowledgement – Research and acknowledgement involves two discrete steps. First, we acknowledge (accept/assume) the risk that exists; second, we develop a plan to research mitigation strategies. This typically occurs when an emerging risk enters the market or environment and no mainstream solution yet exists.
- Risk Transference – The most common form of risk transference is financial, through insurance carriers. Insurance policies are executed to protect us from the financial risk resulting from loss, theft, errors, omissions, damages, and other liabilities.
Every organization will have different motivating factors for selecting a risk treatment method. Additionally, decisions on how to treat risk are generally made and approved by leadership.