Risk treatment

Risk treatment

In this article, we’ll be looking at risk treatment.

Here, you’ll return to the nature of risk and the ways of treating it. We all deal with risk daily in our personal lives and your approach to risk will change substantially throughout your lifetime depending on your age, personal responsibilities and whether you are by nature risk tolerant or risk averse.

An organisation is very similar and effective cyber security is inextricably linked to risk management. The goal of risk management is ultimately to ensure assets are adequately protected, and that important assets are prioritised over less important ones. In addition, since risk is continually evolving, risk management needs to be dynamic and flexible enough to be able to identify and respond to emerging threats.

Raw risk

Inherent risk is what you begin with before any risk treatment. This is the raw state. Examples of inherent risk include weak passwords, poor data handling, and no anti-virus software. What you’re left with when you finish your risk treatment is called ‘residual’ risk. Residual risks include social engineering attacks, phishing attacks and malware infections. These risks will always remain, even after treatment, however their likelihood and/or severity will be reduced by treatment. 

Risk treatment options are commonly known as the Four Ts: Treat, Transfer, Terminate, and Tolerate. In the following tables (Figures 1-3), you can see examples of risk, their treatment and their new risk status after treatment.

Figure 1: Risk treatment, example 1

Figure 2: Risk treatment, example 2

Figure 3: Risk treatment, example 3

Treat (mitigate, remediate or reduce)

Risk mitigation is the overall process of reducing exposure to, or the effects of, risk factors. 

Risk is mitigated by employing controls. It’s important to remember that the control is not intended to (indeed it cannot) eliminate risk entirely, merely to reduce it to an acceptable level. Furthermore, controls must be cost effective, there’s no point having a control that costs more than the asset it’s protecting. The value of a control is determined by its ability to reduce either likelihood, or impact, or ideally both.

For example, when considering fire, a policy strictly controlling the use of flammable materials on site reduces likelihood, while smoke alarms and sprinklers will reduce impact by (hopefully) containing any incident to a small area. Another example is offsite data backup, which provides a remediation option in the event of servers being destroyed by fire. 

Transfer (or share)

Transferring the risk involves a third party accepting the risk. 

An example of this would be an insurance company covering the risk. Sharing the risk is when part of the risk is transferred to a third party, so the risk is split up, but not completely transferred. 

Terminate (or avoid)

Terminating or avoiding the activity causing the risk is the next possible treatment. 

This involves an informed decision to not be involved in something that’s risky. So, the choice is taken to switch off or withdraw from activity in order not to be exposed to a particular risk. This is a very emphatic action but can limit a company's opportunities. Terminating or avoiding risk is usually done if the cost of controls is going to exceed the value of the asset.

An example of this might be a decision to upgrade to new hardware if the existing hardware is out of support and can no longer be maintained cost-effectively. 

Tolerate (or accept) 

It’s not possible to eliminate risk entirely using controls, some risk will always remain.

The more controls that are added, the higher the cost of managing them becomes, so you must balance the cost of the control with the cost associated with the risk. At some point, it will become uneconomical to add further controls.

The aim is to mitigate risk factors to the point where the organisation is exposed to a level of risk that it is willing to accept. This is the organisation’s risk tolerance. 

Risk posture

The overall status of risk management is referred to as risk posture. This shows which risk response options can be identified and prioritised. For example, you might identify the following as priorities:

• Regulatory requirements to deploy security controls and make demonstrable efforts to reduce risk. Examples of legislation and regulation that mandate risk controls include SOX (Sarbanes Oxley), HIPAA (Health Insurance Portability Accountability Act), Gramm-Leach-Bliley, and various personal data protection measures. 
• Protecting a high value asset, regardless of the likelihood of the threat(s). This makes sense as loss or damage would have major effect on company. 
• Threats with high likelihood (that is, high ARO (Annual Rate of Occurrence)). Again, this makes sense, threats most likely to happen should be given requisite attention. 
• Reducing the number of procedures, equipment, or software that increase the likelihood of threats (for example, legacy applications, lack of user training, old software versions, unpatched software, etc.).

The risk wheel

In Figure 4, you can see the relationships between the different facets of risk assessment and management.

Figure 4: The risk wheel

Key points:

• Assets are subject to a loss of confidentiality, integrity and availability, as a result of threats and vulnerabilities
• A loss of confidentiality, integrity and availability results in business impacts, these impacts can be limited by security controls.
• Business impacts increase risks, while security controls reduce risks
• Controls protect against threats that increase risk
• Threats increase risk and so do vulnerabilities

Towards the risk life cycle

As you have seen, there are many short-term and long-term measures to be taken when it comes to risk treatment, and it is a permanent and on-going process. 

What’s next?

As the size of the company changes, so too will its risk treatment policies and posture. This brings us nicely to the next article which will look at the risk register and its iterative nature.