5.2.3 Risk Register & Tolerance
Risk management is the systematic process of identifying, evaluating, and responding to threats through a structured balance of security controls and organizational tolerance.
Risk Measurement and Registers A Risk Register is a central document used to record identified risks, their severity, and the status of mitigation efforts. - Quantitative Analysis: Assigns numerical values and monetary figures (SLE, ALE) to risk; however, it can be flawed if data is subjective or incomplete. - Qualitative Analysis: Uses descriptive rankings (Low, Medium, High) and is often preferred when threats are difficult to quantify or data is scarce. - Risk Control Assessment: An evaluation, often by a third party, to judge the quality and effectiveness of implemented security controls.
The Three States of Risk Applying a control does not eliminate risk; it changes the nature of the risk profile. - Inherent Risk: The level of risk that exists in the vacuum of a raw environment before any security controls or countermeasures are applied. - Residual Risk: The remaining risk that exists after controls have been implemented. Organizations must decide if this level falls within their tolerance. - Control Risk: The potential that the security measures themselves will fail or malfunction, leading to a loss. - Secondary Risk: New risks that are inadvertently created as a result of implementing a specific control.
Risk Response Strategies Organizations choose a response based on the cost of the control versus the value of the asset. - Mitigation: Deploying controls to reduce the likelihood or impact of a threat (e.g., installing a firewall). - Transference: Sharing the financial burden with a third party, such as purchasing cybersecurity insurance or outsourcing to a provider. - Avoidance: Choosing to exit an activity or decommission a system because the risk is too high to justify the pursuit. - Acceptance: Acknowledging the risk exists and choosing not to take action, usually because the cost of mitigation exceeds the potential loss.
Risk Tolerance and Nuance Risk tolerance (or appetite) is the amount of risk an entity is willing to accept to achieve its goals. - Cost-Benefit Analysis: Security professionals must ensure they don't spend more on a control than the asset is worth (e.g., the "meteor strike" vs. "trillion-dollar cannon" scenario). - Nuance in Assessment: Because resources are finite, teams must prioritize risks based on impact and likelihood rather than attempting to mitigate every possible threat.
Quick recall - Inherent: Risk before controls. - Residual: Risk after controls. - Avoidance: Stop the activity entirely. - Transference: Buy insurance or use a third party. - Register: The master list of all identified threats and owners.