Security risk treatment is an essential part of an effective security risk management program. This process details the strategies for addressing risks, and selects and implements measures to modify risk. The purpose of risk treatment is to bring risk in line with the organisation’s defined risk tolerance as cost-effectively as possible, not to eliminate or minimise risk at all costs.
During the security risk treatment phase, the following strategies are developed for dealing with external and internal security risks:
Risk Acceptance
This “Take No Action” option is a security risk management action often chosen because the risk has a low probability of occurring and/or low impact, or the cost and effort of any actions outweigh the severity of the threat. When using this approach, threats should be continuously monitored to ensure they remain tolerable. The choice to accept risk is a conscious decision made by senior management to recognise the existence of security risk and knowingly decide to allow (assume) the risk to remain without (further) mitigation. Management is responsible for the impact of a risk event, should it occur, so the decision to accept risk is made according to the risk appetite and risk tolerance set by senior management.
Risk Reduction (Mitigation)
This is an action plan to either reduce the probability of a risk occurring or reduce the event’s impact should it occur. It implies reducing the likelihood and/or impact of an adverse risk to within acceptable threshold limits. Taking early action to reduce probability is usually more effective than trying to repair the damage after the risk has occurred. The organisation should ensure that the acceptance of residual risk is documented and subject to periodic re-evaluation.
Some examples of controls to mitigate risk are:
- Deploying technical controls, e.g., implementation of a VPN to connect to different sites over the internet securely.
- Deploying management controls, e.g., creating and applying information security policies and procedures for the following domains:
  - User Access Management
  - Backup and Recovery
  - Business Continuity and Disaster Recovery
- Deploying operational controls, e.g., backup restoration processes to ensure backups are available when needed, or implementing a firewall log review process to detect malicious network activity.
Risk Transfer
This is a security risk treatment strategy in which the risk owner shifts the threat to a third party. In this case, management needs to be fully aware that this strategy transfers responsibility to another party and does not eliminate the risk. Note that risk transfer usually involves the payment of a risk premium to a third party. The most common example of risk transfer is purchasing security insurance, which may compensate for or replace what is lost should a loss occur.
Note: Purchasing insurance does not guarantee the organisation will receive an insurance payout in the event of a security incident. An insurance company will first assess the maturity of the organisation’s security processes before making a decision to approve the insurance claim.
Transferred risk should be reviewed regularly to ensure that it remains appropriate and adequate. For example, an organisation should ensure that the current sum insured is sufficient to cover losses and that the organisation complies with the terms and conditions of the coverage.
Risk transfer arrangements are only effective when they are properly maintained. The moment after an incident has occurred is the worst time to realise that such arrangements have recently expired.
Risk Avoidance
Risk avoidance is the appropriate risk response when the identified risk exceeds the organisation’s risk appetite and tolerance. For this strategy, action is planned such that the threat can no longer impact the organisation and/or its probability of occurrence is zero. This is usually achieved by changing business operations and/or the IT landscape to eliminate the threat entirely. It is unusual to see this strategy applied to critical systems and processes, as both prior investment and opportunity costs need to be considered. Risk avoidance is the only remaining choice when no other response is adequate, meaning all the following are true:
- The exposure level is deemed unacceptable by management.
- The risk cannot be transferred.
- Mitigation that would bring the risk in line with acceptable levels is either impossible or would cost more than the benefit that the organisation derives from the activities.
Our tool helps clients build an effective risk management plan using risk assessment methodologies based on ISO 27005 and IRAM2. It also includes an automated process for identifying risks based on self-assessment results, which helps organisations to start the risk treatment process effectively.
Each security risk has a different level of acceptance. While no one wants to accept the risk of a ransomware attack, decision-makers face difficulties and hurdles in completely protecting data. One of the primary goals of an effective security risk management process is to reduce the risk rating to an acceptable level at an affordable cost.
This type of response involves management formally accepting and recording proposed risk treatment plans and residual security risks, with justification for those that do not meet the enterprise’s criteria. Risk acceptance indicates that the organisation is willing to accept the level of risk associated with an activity or process. However, it must be ensured that risk acceptance does not exceed the organisation’s risk appetite or capacity (which would threaten the organisation’s continued existence).
There may be scenarios where the security risk level is not within tolerance limits, but the organisation still decides to accept the risk because no suitable alternatives are available. All such scenarios should always be brought to management’s attention and authorised by the senior leadership team. Senior management may need to be reminded that they are the “owners” of the risk and bear the responsibility for determining risk acceptance levels.
To have an effective risk response, it is important for the organisation to have a risk acceptance policy, which defines risk acceptance criteria, such as the acceptable level of risk, and the impact on the organisation’s overall security posture.
The organisation should discard the historical approach to addressing risk and develop a strategy that assigns a unique risk acceptance level to each asset.
No company can afford a data breach or ransomware attack, but some areas are more important to protect than others. At the same time, no company can afford to mitigate all risks entirely. An effective security risk management program gives organisations the ability to allocate their limited security resources to address the most critical risks.
Having an automated risk management tool helps to manage resources effectively. Our tool assists organisations in gaining a holistic view of their risk exposure and taking remedial action most effectively and efficiently.
Risk communication and consultation
Communication and consultation with relevant stakeholders play a vital role in the security risk management process. Timely communication and effective consultation with relevant stakeholders help parties better understand the risk and make quick decisions to address it. Ongoing communication also helps keep stakeholders informed about accountability and encourages their buy-in. Such improvements result in better security risk management processes and help achieve the organisation’s objectives.
Informing other relevant people in the organisation about the progress of security risk assessments helps them review and update their processes to ensure they are up to date and ready to respond to related security incidents.