Information security risk management is the process of identifying vulnerabilities in your information assets that could affect their confidentiality, integrity or availability, along with the threats that could exploit those vulnerabilities; together, a threat acting on a vulnerability against an asset defines a risk. The next step is to evaluate each risk to determine its severity, usually by considering the impact if the risk is realised and the likelihood of it happening.
Once the severity has been defined, the risk then needs to be ‘treated’.
Risk treatment options
The typical risk treatment options fall into one of four categories:
Mitigate the risk
Reduce the likelihood or impact of the risk by implementing a control. For example, the impact of a lost laptop could be reduced by encrypting its disk, or the likelihood could be reduced by not allowing employees to take laptops out of the office. A control rarely removes a risk entirely, so the residual risk that remains after the control is in place should itself be assessed and, if it is still too high, treated further or formally accepted.
Risk avoidance
Avoid the risk by ceasing the activity or removing the asset that creates it. This response is appropriate if the risk is too difficult or too expensive to treat in any other way. For example, if company data cannot be adequately secured on mobile devices, access to it from those devices could be prohibited altogether.
Share or transfer risk
Share or transfer the risk to a third party, either by outsourcing the treatment of the risk (for example, to a managed security provider) or by purchasing cyber insurance so that funds are available to respond appropriately in the event of an incident. Note that sharing a risk does not transfer accountability for it: the organisation still answers to its customers and regulators for the outcome, and insurance typically covers financial loss rather than reputational damage.
Accept/retain the risk
Accepting the risk is generally only appropriate if the expected cost or impact of the risk is less than the cost of the controls that would be used to treat or transfer it. Acceptance should be a documented decision made by a risk owner with the authority to make it, and accepted risks should be reviewed periodically, since both likelihood and impact change over time.
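As an added example (not part of the original article), the following Python sketch puts the evaluation step and the treatment comparison into code: a 5x5 likelihood/impact score for the qualitative severity, and an annualised loss expectancy (SLE x ARO) comparison of accepting, mitigating, transferring and avoiding the lost-laptop risk described above. Every scale, threshold and figure is an assumption constructed for the illustration, and the insurance and avoidance models are deliberate simplifications rather than anything the article prescribes.

```python
"""Added example (not from the original article): a minimal quantitative
risk register that scores a risk and compares the four treatment options
by expected annual cost. All scales, thresholds and figures are
assumptions constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


def severity(likelihood: int, impact: int) -> int:
    """Qualitative severity on an assumed 5x5 matrix: likelihood x impact."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact


def severity_band(score: int) -> str:
    """Assumed banding of the 1-25 score into low/medium/high."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    single_loss_expectancy: float     # SLE: cost of one occurrence
    annual_rate_of_occurrence: float  # ARO: expected occurrences per year

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO (the cost of accepting)."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction of ARO removed (0..1), assumed
    impact_reduction: float = 0.0      # fraction of SLE removed (0..1), assumed


def residual_ale(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains after the control is applied."""
    sle = risk.single_loss_expectancy * (1 - control.impact_reduction)
    aro = risk.annual_rate_of_occurrence * (1 - control.likelihood_reduction)
    return sle * aro


def treatment_options(risk: Risk, controls, insurance_premium: Optional[float] = None,
                      insurance_coverage: float = 0.0, avoidance_cost: Optional[float] = None):
    """Return (option, detail, expected annual cost) tuples, cheapest first.

    accept:   pay the full ALE
    mitigate: control cost plus the residual ALE
    transfer: premium plus the uninsured share of the ALE (assumed simplification)
    avoid:    value forgone by stopping the activity, with no residual loss
    """
    options = [("accept", "retain", risk.ale())]
    for c in controls:
        options.append(("mitigate", c.name, c.annual_cost + residual_ale(risk, c)))
    if insurance_premium is not None:
        uninsured = risk.ale() * (1 - insurance_coverage)
        options.append(("transfer", "cyber insurance", insurance_premium + uninsured))
    if avoidance_cost is not None:
        options.append(("avoid", "cease activity", avoidance_cost))
    return sorted(((o, d, round(cost, 2)) for o, d, cost in options), key=lambda t: t[2])


def recommend(risk: Risk, controls, **kwargs):
    """Cheapest treatment by expected annual cost; the (accept) entry is the ALE itself."""
    return treatment_options(risk, controls, **kwargs)[0]


# Constructed scenario: the article's lost-laptop example with assumed figures.
LAPTOP = Risk("staff laptop", "loss or theft exposing customer data",
              single_loss_expectancy=50_000, annual_rate_of_occurrence=0.5)
CONTROLS = [
    Control("full-disk encryption", annual_cost=2_000, impact_reduction=0.9),
    Control("laptops stay in the office", annual_cost=15_000, likelihood_reduction=0.95),
]

if __name__ == "__main__":
    score = severity(3, 4)
    print(f"severity {score} ({severity_band(score)})")
    for opt in treatment_options(LAPTOP, CONTROLS, insurance_premium=6_000,
                                 insurance_coverage=0.8, avoidance_cost=40_000):
        print(opt)
```

The ordering this produces is the point of the exercise: for the assumed figures, encrypting the disk costs far less per year than the expected loss it removes, so it beats both acceptance and insurance, while the "laptops stay in the office" control reduces the likelihood more but costs more than it saves. Changing the assumed SLE, ARO or control costs changes the recommendation, which is why the figures behind a treatment decision should be recorded alongside it.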