Risk Mitigation as a process

Risk mitigation, another process of risk management, involves prioritizing, evaluating, and implementing the suitable risk-reducing controls suggested from the risk assessment process. Since the elimination of all risk is typically impractical or close to impossible, it is the obligation of senior management and functional and business managers of software companies in India to practice the least-cost approach and implement the most appropriate controls to shrink mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.

RISK MITIGATION OPTIONS

Risk mitigation is an organized methodology used by senior management to shrink mission risk. Risk mitigation can be accomplished via any of the following risk mitigation options:

Risk Assumption

To accept the probable risk and continue operating the IT system or to implement controls to lower the risk to an satisfactory level

Risk Avoidance

To avoid the risk by eradicating the risk cause and/or consequence (e.g., forgo specific functions of the system or shut down the system when risks are acknowledged)

Risk Limitation

To limit the risk by implementing controls that minimize the opposing impact of a threat’s working out a vulnerability (e.g., use of supporting, preventive, detective controls)

Risk Planning

To manage risk by developing a risk mitigation plan that ranks, implements, and maintains controls

Research and Acknowledgment

To lower the risk of loss by recognizing the vulnerability or defect and researching controls to correct the vulnerability

Risk Transference

To handover the risk by using other options to reimburse for the loss, such as purchasing insurance.

The goals and mission of an organization should be reflected in selecting any of these risk mitigation options. It may not be practical to tackle all identified risks, so importance should be given to the threat and vulnerability pairs that have the potential to source significant mission impact or harm. Also, in defending an organization’s mission and its IT systems, because of each organization’s distinctive environment and objectives, the alternative used to mitigate the risk and the methods used to implement controls may differ. The “best of breed” tactic is to use suitable technologies from among the several vendor security products, along with the suitable risk mitigation option and nontechnical, administrative measures.

Following are rules of thumb, which provide guidance on actions to mitigate risks from deliberate human threats:

When vulnerability (or defect, weakness) exists

 ➞ Implement assurance techniques to diminish the likelihood of a vulnerability’s being exercised.

When a vulnerability can be exercised

➞ put on layered protections, architectural designs, and administrative controls to reduce the risk of or prevent this incidence.

When the attacker’s cost is a smaller amount than the possible gain

➞ apply protections to decrease an attacker’s incentive by increasing the attacker’s cost (e.g., use of system controls such as restraining what a system user can access and do can considerably reduce an attacker’s gain).

When loss is too excessive

➞ apply design principles, architectural designs, and technical and nontechnical shields to limit the range of the attack, thereby reducing the likely for loss.

The strategy sketched above, with the exclusion of the third list item (“When the attacker’s cost is a smaller amount than the possible gain”), also applies to the mitigation of risks rising from environmental or unintended human threats (e.g., system or user errors). Because there is no “attacker,” no motivation or gain is involved. Software companies in India have started believing in risk mitigation process and it has proved to be a drastic risk reducing and controlling factor for them.