Risk avoidance is applying safeguards that eliminate or reduce the remaining uncontrolled risk for a vulnerability. Risk avoidance can be achieved through training and education and through implementing technical security controls and safeguards. It can also be achieved through the use of policies. Risk avoidance identifies as many threats and vulnerabilities as possible and implements strategies to mitigate those threats, reducing the impact of an attack.
Risk transference is shifting the risk to other areas or to outside entities. The overall goal is to allow someone else to accept the risk. When looking at ways to transfer risk, I would evaluate things such as services. Many services can be outsourced, such as application services and IT services. An outside organization may be able to offer experience in certain areas that your organization simply cannot fill. Hiring an outside organization transfers the risk for that development to them.
Risk acceptance means understanding the consequences and accepting the risk without control or mitigation. It is impossible to eliminate risk, so you must therefore analyze the level of risk to the information. You also have to evaluate the probability of an attack versus the likelihood that the vulnerability will be exploited. Another way risk can be analyzed for risk acceptance is by evaluating the controls that are already in place and ensuring that there is strong justification for accepting the risk.