Part Three: Cost Considerations of Risk Mitigation


This module of CISM Foundations covers risk appetite, risk tolerance, and capacity. We'll look at a range of vital risk management factors and how they affect businesses. We'll also cover the concept that the assets, vulnerabilities, threats, and time form a four-dimensional space that we must apply to our risk management practices and security countermeasures. We round off the course by looking at the trade off between the cost of risk mitigation and the value of the assets being protected, to help you calculate how much protection is financially viable for a given asset.


Learning Objectives

  • Understand how risk tolerance can vary from organization to organization
  • Learn about the CIA Triad
  • Learn about knowledge, awareness, urgency, and importance and how they impact risk management
  • Learn how the asset, vulnerability, threat, and time form a four-dimensional space that can be used to decide upon risk management practices and countermeasures
  • Understand how to weigh up the costs of managing risk vs the value of the asset being protected

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


Three cases of cost trade-off calculation are typically found. The first case is the calculation where the cost to protect is less than the cost of loss or compromise. There in the center of this slide, you see the formula. The result of this calculation shows that it is less expensive to use a control than to risk the loss of the asset. Once demonstrated conclusively, this calculation validates the decision to actively choose mitigation in some form to address the risk to this asset.

The common second case is where the cost to protect is greater than the cost of loss or compromise. Again, you see the formula there in the center of this slide. In this case, the result shows that it is more expensive to use a control than it is to risk the loss of the asset. In a manner similar to the previous calculation, this validates the decision to accept the risk of loss for this particular asset.

It should be remembered, however, that choosing to accept the risk does not in and of itself mean doing nothing. A calculation of this type cannot necessarily take into account the impacts of compliance, or of the failure to comply with a given regulation, but only the financial aspects of this particular decision.

More to the point, choosing risk acceptance does not negate the necessity to comply. In some way, some action must be taken to deal effectively with the situation despite its financial lack of attractiveness. The third case often encountered is a calculation where the cost to protect is approximately equal to the cost of the loss or compromise.

The result of this calculation shows that it is no more expensive to use the control than it is to lose the asset. Bear in mind that this calculation does not include second- or third-order effects, but only the direct impact of the asset's loss. This result validates either the decision to mitigate or the decision to accept the risk, and the choice is most likely based on some other decision criteria. Such criteria would include other operational concerns or compliance requirements.

Typically, a decision in this case is bound by management's choices based on these other characteristics and criteria. Now, looking at the various ways and means by which we consider risk and mitigation decisions, we have a guiding principle that drives us towards a particular decision point.

Here you see a graphic depicting different curves showing risk and its slope, and cost and its slope. Also defined here is a minimum acceptable level of risk or cost impact. The minimum acceptable level depicts the target of our decision-making process that we are trying to achieve to bring risk down. And with that, the adverse consequences of a given decision.

You also see a discretionary range, bounded on the left by certain levels on the risk curve and the cost curve, and on the right by certain other levels at the other end of the spectrum of cost and risk. What these curves illustrate is that their point of intersection is breakeven, where $1 of mitigating activity produces $1 of actual reduction in anticipated risk.

As additional decisions are made, the curves change, and the point of intersection moves up one curve or up the other. Thus this intersection represents the lowest point of intersection of the cost and risk curves, depicting the breakeven point. However, management may exercise its discretion in these decisions at any point within the box shown in this graphic.

The ultimate goal is to make a determination and choose a point that reflects a balance between cost to protect and the cost of compromise in light of all the factors of this particular problem. It should be noted that there is a direct and proportional change that occurs in the intersection point whenever more risk is permitted or increased cost is allowed.

As more risk is mitigated, the cost of doing so is shown by the intersection moving down the risk curve but moving rapidly up the cost curve. The opposite is equally true: the lower the cost we incur, the more risk remains unmitigated, as shown by the intersection point moving up the risk curve. So the range of each that may prove acceptable often falls within the box in the center of the graph. And it is here that management's discretion is exercised to find the balance between cost and risk.

Here we have the graphic that illustrates the classic steps in a risk treatment strategy. We're going to cover each of these classic steps in turn. It should be noted that a complete risk treatment strategy will most likely include elements of all four.

Keep in mind that our aim is to optimize risk reduction and yet keep the balance between the cost factors and the operational factors. Risk avoidance is the practice of defining and exploring alternatives that, when properly used at the proper points, may result in the identified risk not materializing. This, however, is a strategy that is often unusable unless you are at the beginning point of a particular project or system.

Risk mitigation, that is, engaging in active risk reduction, is of course the most common strategy that we choose. This is the element of our strategy that requires careful performance of our cost-benefit analysis and our risk trade-offs.

Risk transference, also called outsourcing, seeks to pass the risk to another entity. The different forms that this transference takes include hiring a contractor who will assume operational responsibility, and thus the risk associated with it, or the purchasing of insurance.

It must be noted that the transference of operational responsibility for the risk does not transfer fiduciary accountability for that risk. That remains with the risk owner. The common final step is risk acceptance. This is the practice of accepting certain risks which are either beyond the possibilities of mitigation or which have been mitigated effectively to a point but are no longer cost effective to mitigate further.

As I mentioned before, risk acceptance does not mean literally doing nothing. The proper step at this point is most likely to be consideration of some form of monitoring activity.

Now we've mentioned the term control at many points in this discussion. Let's define what we mean by control. A control is typically considered to be a proactive measure to keep something from happening or to minimize risk in advance of the risk elements materializing.

Controls can take the form of administrative processes or procedures; something technical, such as a configuration setting or a feature in software; or something physical, which seeks to adjust the environment in some manner that reduces risk. If, for example, the risk of fire exceeds our structure's tolerance, one potential control to be considered would be the installation of a fire suppression system.

This is a positive step in that it brings the risk of fire down below the tolerance of the enterprise and its facility. In this context, the sprinkler itself is considered to be the control, one of a physical type. There will, of course, be processes and procedures to enable its proper installation and performance, as well as maintenance. And in keeping with our previous calculations, the cost-benefit analysis will determine whether the financial impact of the fire is substantially greater than the cost incurred to install the fire suppression system to keep the fire itself from occurring.

Just to complete the picture, insurance will also be considered to cover whatever other damage might result that may be beyond the fire suppression system's ability to prevent. Here you have a cost-effectiveness calculation example. The cost of a fire is estimated to be $100,000 in damage. Assuming that no control is in place, the cost of the incident itself totals $100,000 in damage.

One action of course, though not an advisable one, would be to allow the fire to cause its damage, save the money that might've been spent on a fire suppression system, and pay for the damage later or make an insurance claim.

As the example shows, though, if we estimate the damage that would be avoided at $100,000, and the price of the fire suppression system that would prevent the fire is the same amount, there might appear to be little incentive to buy a fire suppression system to offset something that would cost the same as the system itself.

An alternative would be to find a fire suppression system that accomplishes the same thing at a lower cost. Of course, in this example, we have added the ingredient of having to meet local fire codes and other compliance requirements. In the real world, this would mean that whatever the officially approved version of a fire suppression system might be would have to be what is installed, almost regardless of the cost. It is also an example of a case where risk acceptance is not a feasible choice due to regulatory requirements.

Now, here are some things that must be considered while we're performing all of these other mental gymnastics and financial wizardry. In what seems a zen-like paradox, the reality is that risk will result from taking action or from not taking action. In short, it means that risk will be present in some form and to some degree regardless, and therefore must be effectively dealt with.

The essential questions then become first, which is the better solution to reach the intended goal? Or second, which alternative is the more appropriate or cost effective? Another factor to be recognized is that in the process of mitigating one risk, it is entirely conceivable that a second or other risk may result from that action. This of course means that a characteristic of the ideal solution is that it is risk neutral, which may or may not be possible and still be cost effective.

In the course of making these decisions, there will come a point at which no further investment will make any effective difference in the risk structure or its mitigation. Also, some situations will have no mitigation that is possible at any cost level. Thus, in such cases, insurance may be the sole recourse.

In the case of business interruption insurance, several factors come into play, some of which we will discuss in more depth later. With business interruption insurance, factors such as the recovery time objective need to be calculated so that the insurance amount selected fits the potential cost of an outage if the active solution cannot bring operations back online within the recovery time objective. The policy is thus intended to cover the organization should it be unable to achieve reactivation of operations within the RTO.

Our example is that we buy a $1 million business interruption insurance policy with a $10,000 deductible. This policy costs us a $50,000 annual premium. If an event occurs in which we do not achieve our RTO, our claim is then made and pays up to the policy's $1 million face value minus our $10,000 deductible.
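The three cost trade-off cases described earlier (control cheaper than the loss, control dearer than the loss, roughly equal), the fire suppression example with its fire-code compliance override, and the business interruption policy above can all be worked through with one small decision helper. The code below is an added example and is not part of the course; the 10% "approximately equal" band, the treatment of the deductible (subtracted from the covered loss, which is capped at the face value), and the function names are my own assumptions, not definitions from the lecture or from CISM.

```python
from dataclasses import dataclass

# Assumption: the lecture gives no threshold for "approximately equal", so a
# constructed 10% band of the larger figure is used to mark the third case.
APPROX_BAND = 0.10


@dataclass
class RiskDecision:
    case: str            # "mitigate", "accept" or "management-discretion"
    forced_action: bool  # True when compliance overrides the purely financial result
    rationale: str


def cost_tradeoff(cost_to_protect: float, cost_of_loss: float,
                  compliance_required: bool = False) -> RiskDecision:
    """Classify the cost-to-protect vs cost-of-loss comparison into the three cases.

    cost_to_protect:     price of the control (e.g. the fire suppression system)
    cost_of_loss:        direct financial impact if the asset is lost or compromised
    compliance_required: a regulation (e.g. a fire code) forces some action regardless
    """
    if cost_to_protect < 0 or cost_of_loss < 0:
        raise ValueError("costs must be non-negative")
    diff = cost_to_protect - cost_of_loss
    scale = max(cost_to_protect, cost_of_loss, 1.0)
    if abs(diff) <= APPROX_BAND * scale:
        case = "management-discretion"
        rationale = ("cost to protect is approximately equal to cost of loss; "
                     "decide on other criteria such as operations or compliance")
    elif diff < 0:
        case = "mitigate"
        rationale = "the control costs less than the loss it prevents"
    else:
        case = "accept"
        rationale = "the control costs more than the loss it prevents"
    # Acceptance is only the financially indicated answer; a compliance
    # requirement still obliges the organization to act in some way.
    forced = compliance_required and case != "mitigate"
    if forced:
        rationale += "; compliance requires action, so acceptance alone is not an option"
    return RiskDecision(case, forced, rationale)


def insurance_payout(loss: float, face_value: float, deductible: float) -> float:
    """Claim paid on a business interruption policy once the RTO has been missed.

    Assumption: the covered loss is capped at the face value and the deductible
    is subtracted from that covered amount; the payout is never negative.
    """
    covered = min(loss, face_value)
    return max(0.0, covered - deductible)


def net_cost_after_claim(loss: float, face_value: float, deductible: float,
                         annual_premium: float, years_held: int = 1) -> float:
    """Total cost borne by the organization: uncovered loss plus premiums paid."""
    payout = insurance_payout(loss, face_value, deductible)
    return loss - payout + annual_premium * years_held


if __name__ == "__main__":
    # Fire example from the lecture: $100,000 damage vs a $100,000 system,
    # with a fire code that removes acceptance as an option.
    print(cost_tradeoff(100_000, 100_000, compliance_required=True))
    # Constructed cheaper alternative system at $60,000.
    print(cost_tradeoff(60_000, 100_000, compliance_required=True))
    # Lecture's policy: $1M face value, $10,000 deductible, $50,000 premium,
    # applied to a constructed $500,000 outage loss.
    print(insurance_payout(500_000, 1_000_000, 10_000))
    print(net_cost_after_claim(500_000, 1_000_000, 10_000, 50_000))
```

Running the script shows that the $100,000-vs-$100,000 fire case lands in management's discretion but is flagged as forced by compliance, the $60,000 alternative is a plain mitigate decision, and a $500,000 outage against the lecture's policy is paid at $490,000, leaving the organization carrying the $10,000 deductible plus the $50,000 premium.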

So, in the realities of control selection and evaluation, there are certain conditions that must be faced that will affect our decisions. We know that there is quite a variety of controls that can be applied to any given situation, and our concern is that they be equally effective in mitigating the total risk. However, there may be an attendant variation in price amongst these control options. This means, of course, that we must evaluate our cost-to-protect versus cost-of-compromise calculation in consideration of those controls that we regard as more favorable.

It is not always wise to seek the lowest-cost option purely on the basis of saving money. Doing so may lead us to a decision that will have less than ideal results in real-life mitigation. The control must, of course, achieve mitigation to the acceptable level, but must not itself bring risk of any different sort into the equation.

Controls must also be considered iterative. That is, some controls will be changed, while others are rotated in as some are rotated out. Still others will be brought in as new conditions arise, and yet others will be eliminated as the conditions they addressed cease to exist.

So the conclusion is that this is a dynamic process, and it should not be seen as building on a fixed basis that will never change. Here we've completed the second module of this first half of our CISM candidate preparation course.

As before, I encourage you to access your study materials and practice with questions covering the subjects we've covered in this module. For now, we're gonna take a break before moving on to our next module.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.