Page049
Risk Acceptance Criteria
Low likelihood/low consequence risks are candidates for risk acceptance. High and extreme risks cannot be accepted. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.
Mitigate the Risk
Mitigating the risk means lowering the risk to an acceptable level. Lowering risk is also called "risk reduction," and the process of lowering risk is also called "reduction analysis." The laptop encryption example given in the "Annualized Loss Expectancy" section above is an example of mitigating the risk. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely: a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level.
In some cases it is possible to remove the risk entirely: this is called eliminating the risk.
Transfer the Risk
Transferring the risk is sometimes referred to as the "insurance model." Most people do not assume the risk of fire to their house: they pay an insurance company to assume that risk for them. The insurance companies are experts in Risk Analysis: buying risk is their business. If the average yearly monetary risk of fire to 1000 homes is $500,000 ($500/house), and they sell 1000 fire insurance policies for $600/year, they will make 20% profit. That assumes the insurance company has accurately evaluated risk, of course.
Risk Avoidance
A thorough Risk Analysis should be completed before taking on a new project. If the Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.
The math for this decision is straightforward: calculate the Annualized Loss Expectancy of the new project and compare it with the Return on Investment expected from the project. If the ALE is higher than the ROI (even after risk mitigation), risk avoidance is the best course. There may also be legal or regulatory reasons that dictate avoiding the risk.
Learn by Example
Avoiding the Risk
A company sells Apple iPhones online. For security reasons, repeat customers must re-enter their credit card numbers for each order. This is done to avoid the risk of storing credit card numbers on an Internet-facing system (where they may be more easily stolen).
Based on customer feedback, the business unit proposes a “save my credit card information” feature for repeat customers. A Risk Analysis of the new feature is conducted once the project is proposed. The business unit also calculates the Return on Investment for this feature.
The Risk Analysis shows that the information security architecture would need significant improvement to securely protect stored credit card information on Internet-facing systems. Doing so would also require more stringent Payment Card Industry (PCI) auditing, adding a considerable amount of staff hours to the Total Cost of Ownership (TCO).
The TCO is over double the ROI of the new feature, once all costs are tallied. The company decides to avoid the risk and not implement the credit card information saving feature.
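The decision rules above (accept only low/low and never regulated or safety data, transfer when someone will carry the risk for less than it costs to keep, avoid when the residual ALE still exceeds the ROI) and the insurer's 20% margin from the "Transfer the Risk" section, worked through as an added example that is not part of the original text. The dollar figures, ARO values and the `Risk` class are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    name: str
    sle: float                    # single loss expectancy, dollars per incident
    aro: float                    # annualized rate of occurrence, incidents per year
    likelihood: str               # "low", "medium", "high" or "extreme"
    consequence: str              # same scale
    regulated: bool = False       # data protected by law/regulation, or life/safety risk
    control_cost: float = 0.0     # yearly cost of the proposed mitigation (its TCO)
    mitigated_aro: Optional[float] = None   # ARO once the control is in place
    premium: Optional[float] = None         # yearly cost to transfer the risk (insurance)

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro

def insurer_margin(expected_loss_per_policy: float, premium: float) -> float:
    """Insurer's profit as a fraction of the risk it buys ($500 risk sold at $600 -> 0.2)."""
    return (premium - expected_loss_per_policy) / expected_loss_per_policy

def residual_exposure(r: Risk) -> float:
    """Yearly cost of the risk after the best available mitigation, control cost included."""
    if r.mitigated_aro is None:
        return ale(r.sle, r.aro)
    return ale(r.sle, r.mitigated_aro) + r.control_cost

def treat_risk(r: Risk, roi: float) -> str:
    """Return 'accept', 'transfer', 'mitigate' or 'avoid' for a project with yearly ROI `roi`."""
    # Acceptance: only low likelihood AND low consequence, and never for regulated/safety data.
    if not r.regulated and r.likelihood == "low" and r.consequence == "low":
        return "accept"
    exposure = residual_exposure(r)
    # Transfer: a third party will carry the risk for less than we would pay to keep it.
    if r.premium is not None and r.premium < exposure:
        return "transfer"
    # Avoid: even after mitigation, the residual ALE exceeds what the project returns.
    if exposure > roi:
        return "avoid"
    return "mitigate"

if __name__ == "__main__":
    # Constructed figures: laptop encryption reduces ARO sharply at modest cost -> mitigate.
    laptops = Risk("stolen laptop PII", sle=50_000, aro=2.0, likelihood="medium",
                   consequence="high", control_cost=10_000, mitigated_aro=0.05)
    # Constructed figures: PCI-scoped card storage, residual cost 2.5x the ROI -> avoid.
    cards = Risk("stored card numbers", sle=500_000, aro=0.2, likelihood="medium",
                 consequence="extreme", regulated=True, control_cost=150_000, mitigated_aro=0.1)
    print(treat_risk(laptops, roi=40_000), treat_risk(cards, roi=80_000))
```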