Module 6: Risk Management Process - morgan-hanrahan/Tech-Journal GitHub Wiki

Risk Management Strategies

Main strategies for risk management include acceptance or tolerance, avoidance, transference, reduction or mitigation, and rejecting or ignoring.

Risk Acceptance

  • Management made a cost-benefit analysis of potential safeguards and determined that the cost of the countermeasure greatly outweighs the potential cost of loss due to the risk.
  • If the risk is realized, management agrees to accept the consequences and loss.

Risk Avoidance

  • Choosing alternatives or activities that are less risky than the default, common, expedient, or inexpensive option
  • Deterrence is a variation of risk avoidance:
    • The practice of implementing deterrents to would-be security and policy offenders in order to urge them not to attempt a violating behavior.

Risk Transference

  • Transferring the expense of loss associated with a risk to another institution or organization.

Risk Mitigation

  • Implementing protections, controls, and countermeasures to reduce and/or eliminate vulnerabilities or to thwart threats.

Qualitative Risk

It is more situational and scenario-based than calculator-based. Rather than assigning specific financial amounts to potential losses, threats are graded on a scale to assess their risks, costs, and consequences.

  • Techniques:
    • Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, or interviews.

Quantitative Risk

Assigns a monetary value to the loss of an asset. The quantitative method yields specific likelihood percentages.

  • Typically you see this type of analysis used in informal cost-benefit analysis
    • This is because likelihood is hard to quantify in cyber
    • Calculating loss is hard too, as there are so many intangibles
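The cost-benefit analysis behind risk acceptance and the quantitative method above can be made concrete. The following is an added example and not part of the wiki; it assumes the standard quantitative formulas SLE = AV × EF, ALE = SLE × ARO, and safeguard value = ALE(before) − ALE(after) − annual cost of safeguard (ACS), none of which the page spells out, and the asset figures are constructed for illustration. A positive safeguard value argues for mitigation; a negative one is the situation in which management would accept the risk instead.

```python
from dataclasses import dataclass
from typing import List, Dict


@dataclass(frozen=True)
class Risk:
    """One line of a quantitative risk register (values are constructed)."""
    asset: str
    asset_value: float        # AV: replacement value of the asset in dollars
    exposure_factor: float    # EF: fraction of AV lost in one incident (0..1)
    aro: float                # ARO: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual risk it leaves behind."""
    name: str
    annual_cost: float        # ACS: yearly cost to operate the safeguard
    residual_ef: float        # EF after the safeguard is in place
    residual_aro: float       # ARO after the safeguard is in place


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF (assumed standard formula, not from the page)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO (assumed standard formula, not from the page)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(av, ef) * aro


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Value of the safeguard = ALE before - ALE after - ACS."""
    before = annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro)
    after = annualized_loss_expectancy(risk.asset_value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost


def recommend(risk: Risk, sg: Safeguard) -> str:
    """Mitigate when the safeguard saves more than it costs, otherwise accept."""
    return "mitigate" if safeguard_value(risk, sg) > 0 else "accept"


def evaluate_register(pairs: List[tuple]) -> List[Dict[str, object]]:
    """Run the cost-benefit analysis over (Risk, Safeguard) pairs."""
    rows = []
    for risk, sg in pairs:
        rows.append({
            "asset": risk.asset,
            "safeguard": sg.name,
            "ale_before": annualized_loss_expectancy(risk.asset_value, risk.exposure_factor, risk.aro),
            "ale_after": annualized_loss_expectancy(risk.asset_value, sg.residual_ef, sg.residual_aro),
            "safeguard_value": safeguard_value(risk, sg),
            "decision": recommend(risk, sg),
        })
    return rows


# Constructed sample register: a public web server and a laptop fleet.
WEB_SERVER = Risk("public web server", asset_value=200_000, exposure_factor=0.25, aro=0.5)
WAF = Safeguard("web application firewall", annual_cost=8_000, residual_ef=0.25, residual_aro=0.1)

LAPTOPS = Risk("laptop fleet", asset_value=50_000, exposure_factor=0.10, aro=2.0)
GUARD = Safeguard("24x7 physical guard", annual_cost=40_000, residual_ef=0.10, residual_aro=0.5)

SAMPLE_REGISTER = [(WEB_SERVER, WAF), (LAPTOPS, GUARD)]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(f"{row['asset']:<20} {row['safeguard']:<26} "
              f"ALE {row['ale_before']:>9,.0f} -> {row['ale_after']:>8,.0f}  "
              f"value {row['safeguard_value']:>9,.0f}  => {row['decision']}")
```

Running it shows the web application firewall paying for itself (ALE drops from 25,000 to 5,000 for an 8,000 annual cost), while the guard costs far more than the laptop losses it prevents, which is exactly the case where management accepts the risk rather than funding the countermeasure. The hard part in practice, as the notes above say, is the ARO and EF inputs, not the arithmetic.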