So, you have identified a risk in your organization or project ... now what? When a risk is identified, there are four strategies you can use to address it. The strategies can be remembered using the acronym ACAT: Avoid, Control, Accept, Transfer.
Avoid
The first strategy to address risk is to avoid the activity that would cause you to incur the risk. This is the simplest strategy, but potentially the most costly, since you completely eliminate any benefit of the activity.
This strategy can work well for risks that would result in catastrophic failure if incurred and which cannot be reasonably addressed by any of the other strategies.
Control
With the control strategy you continue to perform the activity while putting mechanisms in place to mitigate (reduce) the risk of the activity. It is difficult to mitigate all risk associated with an activity; any risk that remains after controls have been applied is known as residual risk.
Common cyber security controls include firewalls, intrusion detection systems, antivirus, policies, and incident response management.
Accept
When accepting risk, you continue to perform the activity with no mitigations in place, but only after a conscious decision has been made to do so. That decision is informed by analyzing the various components of the risk before proceeding.
This strategy can work well when the cost of addressing the risk with one of the other strategies is greater than the cost of incurring the risk.
Transfer
The transfer strategy does not mitigate the overall risk, but it does move ownership of the risk to another entity. This is typically done in the form of an insurance policy or cooperative. While it is fairly straightforward to purchase insurance for traditional risk categories, doing so for cyber risk can be a challenge because the field is new and constantly changing. According to the Wired article Cyberinsurance Tackles the Wildly Unpredictable World of Hacks:
"The constantly changing threat landscape isn’t the only challenge cyber underwriters face. Since many companies don’t have cyberinsurance, lots of incidents go unreported every year, making it more difficult to reliably estimate the frequency or costs of such events."
As a rule of thumb, the transfer strategy can work well for risks that are low likelihood but high impact.
Ignoring is Not an Option
One strategy that is not effective is ignoring risk. While this may sound similar to accepting risk, it is significantly different. Accepting risk is a conscious decision to acknowledge the risk and move forward in spite of it. Ignoring risk simply assumes that there is no risk or that it is insignificant; it is a way of procrastinating and avoiding a decision.
Ignoring risk and the risk management process generally leads to one of two negative outcomes:
Either way, failing to properly manage risk can have a significant cost to your organization and operations.
Where to Start
At its highest level, risk is a function of the likelihood of an event occurring and the impact of that event. The following matrix can be used as a starting point when trying to determine how to manage a particular risk based on likelihood and impact.
Note that the matrix is simply a starting point; it is not prescriptive. Each risk needs to be fully analyzed before determining the best strategy to address it.
Mix and Match
You do not have to choose just one strategy when determining how to address a risk. For example, if you are addressing the risk of a fire in your data center, you may choose to Control the risk by installing a fire suppression system and Transfer the remaining (residual) risk by purchasing a fire insurance policy.
Combining multiple strategies gives you more options and can make your approach more efficient and effective.