Domain 5 · 5.2 Risk Management

5.2.4 Risk Management Strategies

Transfer, accept, avoid, mitigate.

10 min

Risk management strategies are the coordinated actions an organization takes to address identified threats by balancing the cost of security controls against the value of protected assets.

Core Risk Management Strategies - Mitigation: The most common approach, where security controls are implemented to reduce either the likelihood of a threat or its potential impact. Examples include installing firewalls or implementing MFA. - Transference: Shifting the financial burden or responsibility of a risk to a third party. The most common exam example is purchasing cybersecurity insurance or outsourcing hazardous operations to a specialized vendor. - Avoidance: Choosing to bypass an activity or retire an asset because the risk is deemed too high to manage. This involves a fundamental change in business practice, such as refusing to store credit card data to avoid PCI compliance risks. - Acceptance: A conscious decision to take no further action against a risk, usually because the cost of additional controls outweighs the value of the asset or the potential loss. This occurs after some mitigation has already been applied.

Key Risk Terminologies - Inherent Risk: The total level of risk present before any security controls or countermeasures have been implemented. - Residual Risk: The amount of threat that remains after all mitigation, transference, and avoidance efforts are complete. This is the risk that is ultimately accepted. - Control Risk: The probability that the internal security measures themselves will fail or malfunction, potentially leading to a loss. - Control Assessment: The process of inspecting and judging the quality of security measures, often performed by a third party to ensure objectivity.

Qualitative vs. Quantitative Assessment - Quantitative: A data-driven approach using objective numerical values (e.g., dollar amounts). It can be difficult if data is incomplete or if the math relies on subjective guesses. - Qualitative: A scenario-based approach that uses descriptive rankings (e.g., Low, Medium, High). This is often preferred when asset values or threat frequencies are difficult to measure in exact currency.

Quick recall - Mitigate: Reduce risk using technology or policy. - Transfer: Share risk with insurance or a third party. - Avoid: Stop the risky activity entirely. - Accept: Do nothing more because it isn't cost-effective. - Trigger: If a question mentions "insurance," the answer is Transference. - Trigger: If a question mentions "cost-benefit analysis," the answer often relates to Acceptance.