HOME

TheInfoList



OR:

Risk Control Strategies are the defensive measures utilized by IT and InfoSec communities to limit
vulnerabilities Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...
and manage
risk In simple terms, risk is the possibility of something bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environm ...
s to an acceptable level. There are a number of strategies that can be employed as one measure of defense or in a combination of multiple strategies together. A risk assessment is an important tool that should be incorporated in the process of identifying and determining the threats and vulnerabilities that could potentially impact resources and assets to help manage risk. Risk management is also a component of a risk control strategy because Nelson et al. (2015) state that "risk management involves determining how much risk is acceptable for any process or operation, such as replacing equipment". {, class="wikitable" , - ! Examples of Threats , - , Social Engineering , - , Theft , - , Vandalism , - , Forces of nature , - , Human error , - , Software errors , - , Hardware errors


Strategies

Five basic strategies to control risks that arise from vulnerabilities # Defense - Applying safeguards that eliminate or reduce the remaining uncontrolled risk # Transferral - Shifting risks to other areas or to outside entities # Mitigation - Reducing the impact of information assets should an attacker successfully exploit a vulnerability # Acceptance - Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control # Termination - Removing or discontinuing the information asset from the organization's operating environment


Defense

The defense strategy works to deter the exploitation of the vulnerability that requires protection. Defense methods can apply physical, logical, or a combination of both to provide protection as a defense strategy. The application of multiple layers of defensive measures is called
defense in depth Defence in depth (also known as deep defence or elastic defence) is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating ...
. Defense in depth applies access controls that Stewart et al. (2012) describe as "multiple layers or levels of access controls are deployed to provide layered security"


Transferal

This strategy according to Stalling & Brown is the "sharing of responsible for the risk with a third party. This is typically achieved by taking out insurance against the risk occurring, by entering into a contract with another organization, or by using partnership or joint venture structures to share the risk and cost should the threat eventuate. The act of purchasing insurance is an example of risk transferral.


Mitigation

The mitigation strategy attempts to reduce the damage of a vulnerability by employing measures to limit a successful attack. According to Hill (2012), "this can be done by fixing a flaw that creates an exposure to risk or by putting compensatory controls in place that either reduce the likelihood of the weakness actually causing damage or reduce the impact if the risk that is associated with the flaw actually materialized.Hill, D. G. (2009). Data protection. Boca Raton, Florida: CRC Press.


Acceptance

This strategy accepts the identified risk and deploys no defense strategy. A reason for using an acceptance strategy is that the cost associated with deploying safeguards outweighs the damage of a successful attack or compromise.


Termination

Instead of using a safeguard to protect an asset or deploying zero safeguards and accepting the risks to an asset, this strategy removes the asset from the environment with risks. An example of this strategy would be to remove a server from a network because the company has determined that termination of the resource outweighs the benefit of leaving it on the network due to risk concerns.


References


External links


Risk Mitigation Planning, Implementation, and Progress Monitoring

Inventory of Risk Management - European Network and information Security Agency (ENISA)

ISO 27001 - Risk Management Methods
Risk management