Chapter 112 · Flashcards

Risk Management Strategies — Flashcards

Eleven cards covering all six risk response strategies, cybersecurity insurance as risk transfer, exemption vs. exception distinction, risk avoidance trade-offs, mitigation as the most common strategy, risk reporting audience and content, critical vs. emerging risks, and strategy comparison. Click any card to flip it.

What are the six risk management strategies, and which is the only one that completely eliminates risk?

Six strategies for responding to identified risk: (1) Transfer: shift financial consequences to another party (insurance, outsourcing). Threat remains. (2) Accept: deliberately tolerate the risk without additional controls. Documented decision. (3) Accept with Exemption: policy cannot be applied to this situation; formal documented exception. (4) Accept with Exception: temporary deviation from policy due to specific operational conflict. (5) Avoid: stop the activity creating the risk. ONLY strategy that completely eliminates risk. (6) Mitigate: implement controls to reduce likelihood or impact. Risk lowered but not eliminated. Most common: Mitigation (most risks cannot be avoided without operational impact). Strongest risk reduction: Avoidance (risk is gone completely, but may limit business operations). Exam tip: if a question says the risk was "completely eliminated" or "removed," the answer is avoidance.

How does risk transfer work, and what does cybersecurity insurance cover?

Risk transfer: shifts financial responsibility for a risk to another party. The organization still faces the underlying threat, but another entity bears the financial consequences if realized. Cybersecurity insurance coverage typically includes: data recovery costs, legal expenses, regulatory fines, ransomware negotiation and payments, breach notification costs (notifications to regulators and individuals), business interruption losses, crisis communications and PR costs. Limitations of transfer: (1) Does not prevent the incident. (2) Organization still suffers operational disruption, reputation damage, regulatory scrutiny. (3) Insurers may deny claims if minimum security controls were not implemented. (4) Premium costs increase after claims. Other transfer mechanisms: outsourcing payment processing (PCI DSS risk shifts to processor), cloud service agreements, vendor contracts with indemnification. Key exam point: risk transfer is not the same as risk elimination. The threat persists; only the financial consequences shift.

What is risk acceptance, and when is it appropriate?

Risk acceptance: a deliberate, documented decision to tolerate a risk without implementing additional controls. The most common risk management decision because organizations face more risks than they can fully mitigate. When appropriate: (1) The cost of mitigation exceeds the potential damage from the risk being realized. (2) The risk level is already within the organization's stated risk appetite. (3) The risk is low-likelihood and low-impact relative to other priorities. Requirements for proper acceptance: must be documented (not an informal assumption); must be reviewed periodically (circumstances change); must include the residual risk level and what would trigger re-evaluation. Common examples: accepting that old network hardware may fail because replacement costs exceed the risk; accepting minor vulnerabilities in low-criticality systems where patching creates operational disruption. Exam trap: "The organization decided to do nothing about the risk" — this could be acceptance (if documented) or negligence (if not documented). Proper acceptance requires a documented decision, not inaction.

What is the difference between an exemption and an exception in risk management?

Exemption: the security policy or regulation cannot be applied to a specific situation due to practical limitations. Typically longer-term or permanent. Requires formal management approval. Exemption example: Industrial equipment running an OS the vendor does not support patching. The monthly patch policy cannot be applied without voiding warranty or damaging equipment. Compensating controls are implemented instead (network isolation). Exception: the security policy could be applied but creates a specific, temporary operational conflict. Shorter-term; policy will eventually be re-applied. Exception example: Monthly patches cause the ERP system to crash. An exception allows delayed patching for two weeks until the vendor resolves the incompatibility. The policy remains valid for all other systems. Key test: Can the policy ever be applied to this situation? No = exemption. Yes, but not right now = exception. Both require: formal documentation, management approval, compensating controls, and periodic review. Neither is an informal workaround.

What is risk avoidance, when is it used, and what are its trade-offs?

Risk avoidance: eliminates risk entirely by stopping the activity that creates it. The only strategy that fully removes rather than reducing or managing a risk. How it works: the organization discontinues the risky activity, retires the vulnerable system, or declines to enter the risky business area. With no activity, there is no risk. Examples: Retiring an unpatched legacy application (eliminates vulnerability). Refusing to use a high-risk vendor (eliminates supply chain risk from that vendor). Disabling unused network services (eliminates attack surface). Deciding not to store payment card data (eliminates PCI DSS scope). Trade-offs (the cost of avoidance): reduced functionality, limited operational capability, missed business opportunities. A company that avoids all cloud services eliminates cloud risk but loses scalability, cost efficiency, and competitive advantages. When most appropriate: when the risk level is unacceptable, mitigation is insufficient or too costly, and the lost functionality can be compensated elsewhere. Avoidance should be a deliberate decision, not an oversight.

What is risk mitigation, and why is it the most commonly used strategy?

Risk mitigation: reduces the likelihood or impact of a threat through security controls without completely eliminating the threat or stopping the underlying activity. Why most common: organizations must continue operating in environments where complete risk avoidance is not feasible. You cannot avoid internet connectivity and operate a modern business. Mitigation allows continued operation while reducing risk to acceptable levels. Mitigation controls: firewalls (reduce likelihood of network attacks), MFA (reduce credential theft impact), encryption (reduce impact of data breach), patching (reduce exploitability), network segmentation (limit blast radius), endpoint security, security awareness training, IDS/IPS. What mitigation does NOT do: eliminate the threat. A firewall blocks many attacks but does not eliminate all internet risk. A mitigated risk may still be realized — mitigation reduces probability and/or impact, not to zero. Exam distinction: if controls reduce risk but the threat still exists = mitigation. If the threat is completely gone = avoidance.

What is risk reporting, who is the audience, and what must it include?

Risk reporting: formal communication of identified risks, their status, and recommended actions to organizational leadership. Primary audience: senior management, executive leadership, board of directors, compliance teams — people with decision-making authority who may lack deep technical security expertise. Required content: (1) Identified risks described in business impact terms (not just technical CVE references). (2) Likelihood and impact ratings (qualitative descriptors or quantitative ALE values). (3) Current mitigation status (what controls are in place and their effectiveness). (4) Recommended actions (specific investment recommendations with cost-benefit rationale). (5) Critical and emerging risks (highest severity and newly identified threats). Purpose: enable executive decision-making about budget allocation, risk acceptance, security priorities, and resource deployment. Without clear risk reporting, executives cannot make informed security investment decisions. Format consideration: translate technical findings into business impact language that non-technical decision-makers can act on.

What are critical risks vs. emerging risks in a risk report?

Risk reports emphasize two special categories: Critical risks: risks with the highest severity that require executive awareness and potential resource commitment. These may already be under mitigation but are important enough that leadership must be informed. Characteristics: high likelihood + high impact; regulatory exposure; potential for catastrophic business disruption. Critical risks require prioritized mitigation investment and board-level oversight. Emerging risks: newly identified risks that have not yet been fully assessed or addressed. Represent unknown quantities not yet under control. Sources: new attack techniques discovered by threat intelligence, regulatory changes creating new compliance obligations, supply chain changes introducing new vendor risk, technology deployments creating new attack surfaces. Why both matter to leadership: critical risks require resource commitment to maintain control. Emerging risks require budget and attention to get under control before they become critical. Together they represent the forward-looking security agenda. Exam point: risk reports always include emerging risks — withholding them from leadership prevents informed decision-making.

How do you classify a risk management scenario: key questions and indicators?

When a scenario describes a risk response, classify it using these indicators: Transfer: money moves to another party (insurance payout, vendor contract indemnification). Threat still exists. Accept: organization decides to do nothing additional; documented decision within risk appetite. Exemption: "the policy cannot be applied because..." (permanent or long-term barrier). Compensating controls documented. Exception: "temporarily not following the policy because..." (short-term operational conflict; will comply once resolved). Avoid: the risky activity STOPS entirely. Application retired, service disabled, vendor dropped, market not entered. Risk fully removed. Mitigate: controls ADDED to reduce risk. Firewall installed, MFA enabled, patches applied, encryption deployed. Threat still exists but risk is reduced. Trick questions: "The organization bought insurance AND implemented MFA" = transfer + mitigation simultaneously (multiple strategies can be used). "The organization accepted the risk by doing nothing" = may be acceptance or negligence depending on whether it was documented.

What is the relationship between risk mitigation and the ALE calculation?

Mitigation changes the quantitative risk calculation: Before mitigation: ALE = ARO × SLE. Example: 10 breaches/year × $5,000/breach = $50,000/year ALE. After mitigation: mitigation either reduces ARO (makes incidents less likely) or reduces EF/SLE (reduces impact per incident). New ALE reflects the mitigated risk. Investment justification formula: Net benefit = (ALE before − ALE after) − annual cost of control. If net benefit is positive, the control is cost-justified. Example: IDS implementation costs $8,000/year and reduces breach ARO from 10 to 3. New ALE = 3 × $5,000 = $15,000. ALE reduction = $50,000 − $15,000 = $35,000. Net benefit = $35,000 − $8,000 = $27,000/year. Control is justified. What mitigation does NOT do in the formula: it does not make ALE = $0 (only avoidance would bring ALE to zero). Mitigation reduces ALE; avoidance eliminates it. The quantitative comparison between mitigation cost and ALE reduction is the core of evidence-based security budget justification.

Can multiple risk management strategies be applied simultaneously to the same risk?

Yes. Organizations frequently apply multiple risk management strategies to the same risk simultaneously. Common combinations: Transfer + Mitigate: implement security controls to reduce the risk AND purchase cyber insurance to cover residual financial exposure. Most mature organizations use both. Accept + Mitigate: implement mitigation controls and formally accept the residual risk that remains after controls are applied. Mitigate + Exception: implement compensating controls (mitigation) while a temporary policy exception is in force. Avoid + Transfer: stop a risky activity (avoidance) and purchase insurance to cover the transition period risk. Why combinations matter: no single strategy addresses all dimensions of a risk. Mitigation reduces likelihood and impact. Insurance covers financial residual risk. Acceptance documents what residual risk the organization is willing to tolerate. Together they create a layered risk response. Exam approach: if a scenario describes multiple actions (controls AND insurance, controls AND exception), identify all strategies present rather than selecting only one.