
Under Risk Management Plan, differentiate between the following terms:
i) Risk avoidance
ii) Risk transfer
iii) Risk mitigation
iv) Risk acceptance
v) Residual risk

  

Answers


Lydia
i) Risk Avoidance
Risk Avoidance is the practice of removing the vulnerable aspect of the system or even the system itself altogether. For instance, during a risk assessment, a website was uncovered that let vendors view their invoices, using a vendor ID embedded in the HTML file name as the identification and no authentication or authorization per vendor was in place. When notified about the web pages and the risk to the organization, management decided to remove the web pages and provided vendor invoices via another mechanism. In this case, the risk was avoided by removing the vulnerable web pages.

ii) Risk Transference
Risk Transference is the process of allowing another party to accept the risk on your behalf. This is not widely done for IT systems, but everyone does it all the time in their personal lives. Car, health and life insurance are all ways to transfer risk. In these cases, risk is transferred from the individual to a pool of insurance holders, including the insurance company. Note that this does not decrease the likelihood or fix any flaws, but it does reduce the overall impact (primarily financial burden) on the organization or an individual.

iii) Risk Mitigation
Risk Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw. A common mitigation for a technical security flaw is to install a patch provided by the vendor, patching an OS or hardware drivers. Sometimes the process of determining mitigation strategies is called control analysis. Although installing a firewall on a computer can reduce the risk of being attacked, the firewall could be wrongly configured, opening up new vulnerabilities which could then be exploited. Or the firewall, although correctly installed and configured, could not be running and therefore not protecting our asset at all.
Therefore, it is important to always be aware that reducing risk does not mean that it has to go away.
Furthermore, it is also important to always be aware that installing safeguards can open new vulnerabilities or not protect from the vulnerability in the first place, as in the case of a misconfigured NAC and firewall.
iv) Risk Acceptance
Risk Acceptance is the practice of simply allowing the system to operate with a known risk. Many low risks are simply accepted. Risks that have an extremely high cost to mitigate are also often accepted.
Beware of high risks being accepted by the management. Ensure that this strategy is in writing and accepted by the manager(s) making the decision. Often risks are accepted that should not have been accepted, and then when the penetration (compromise) occurs, the IT security personnel are held responsible. Typically, business managers, not IT security personnel, are the ones authorized to accept risk on behalf of an organization.

v) Residual Risk
When managing risk, your main goal is to remove or lower risk. Residual risk is the risk which could not be removed (or which was accepted). It is important to stress again that having residual risk is nothing bad but actually the basis of the risk management process. It is normally too cost intensive to minimize every single risk and there is no need to mitigate risk which does not hurt a company.
Managing the residual risk is what the whole risk management process is about: deciding which risk to take, which to remove and, finally, what to do with the residual risk. However, when talking about residual risk, it is crucial to write down when and how the residual risk was accepted, and to have the board sign that piece of paper so that there exists some evidence when something bad happens in the future.

lydiajane74 answered the question on May 13, 2018 at 23:16

