The choice to do nothing to protect an information asset from risk is called

Risk is avoided when the organization refuses to accept it: the exposure is not permitted to come into existence. This is accomplished by simply not engaging in the action that gives rise to the risk. If you do not want to risk losing your savings in a hazardous venture, then pick one where there is less risk. If you want to avoid the risks associated with the ownership of property, then do not purchase property but lease or rent instead. If the use of a particular product is hazardous, then do not manufacture or sell it. This is a negative rather than a positive technique, and it is often an unsatisfactory approach to dealing with many risks. If risk avoidance were used extensively, the business would be deprived of many opportunities for profit and probably would not be able to achieve its objectives.

Risk Reduction

Risk can be reduced in two ways: through loss prevention and through loss control. Examples of risk reduction are medical care, fire departments, night security guards, sprinkler systems, and burglar alarms, all attempts to deal with risk by preventing the loss or reducing the chance that it will occur. Some techniques are used to prevent the occurrence of the loss; other techniques, like sprinkler systems, are intended to control the severity of the loss if it does happen. No matter how hard we try, it is impossible to prevent all losses. A loss prevention measure is only justified if it costs less than the losses it prevents.

Risk Retention

Risk retention is the most common method of dealing with risk. Organizations and individuals face an almost unlimited number of risks, and in most cases nothing is done about them. When no positive action is taken to avoid, reduce, or transfer the risk, the possibility of loss involved in that risk is retained. Risk retention can be conscious or unconscious. Conscious risk retention takes place when the risk is perceived and not transferred or reduced. When the risk is not recognized, it is unconsciously retained: the person retains the financial risk without realizing that he or she is doing so. Risk retention may also be voluntary or involuntary. Voluntary risk retention is when the risk is recognized and there is an agreement to assume the losses involved; this is done when there are no alternatives that are more attractive. Involuntary risk retention takes place when risks are unconsciously retained or when the risk cannot be avoided, transferred, or reduced. Risk retention may be the best option. Everyone decides which risks to retain and which to avoid or transfer, but a person may not be able to bear the loss: what is a financial disaster for one may be handled comfortably by another. As a general rule, the only risks that should be retained are those that can lead to relatively small, predictable losses.

Risk Transfer

Risk may be transferred to someone who is more willing to bear it. Transfer may be used to deal with both speculative and pure risk. One example is hedging: hedging is a method of risk transfer accomplished by buying and selling for future delivery so that dealers and processors protect themselves against a decline or increase in market price between the time they buy a product and the time they sell it. Pure risks may be transferred through contracts, such as a hold-harmless agreement in which one party assumes another's possibility of loss. Contractual agreements of this kind are common in the construction industry, and they are also used between manufacturers and retailers to allocate product liability exposure. Insurance is also a means of transferring risk: in consideration of a payment (the premium) by one party, the second party contracts to indemnify the first party, up to a certain limit, for the specified loss.

Risk Sharing

This is a special case of risk transfer and retention. When risks are shared, the possibility of loss is transferred from the individual to the group. A corporation is a good example of risk sharing: a number of investors pool their capital, and each bears only a portion of the risk that the enterprise may fail.

A TRA (threat and risk assessment) will normally recommend a combination of these mitigation tools rather than any single one.


URL: https://www.sciencedirect.com/science/article/pii/B9780128094877000024

Intangible Asset Strategist and Risk Specialist

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

This chapter discusses how, in today's increasingly competitive business transaction environment, asset value can rapidly "go to zero" absent an effective intangible asset strategy and risk avoidance. Intangible asset strategists and risk specialists can produce significant benefits for companies when intangibles are in play by providing greater predictability to business transaction outcomes, projected returns, and exit strategies. They do this by addressing the stability, defensibility, and value sustainability of the assets; conducting assessments and due diligence to identify and unravel the contributions of intangible assets; reducing the probability that project or transaction momentum will be stifled, by recognizing and mitigating circumstances that can entangle the assets in costly and time-consuming legal challenges and undermine asset value and performance; converging a company's intangible assets with its mission and business objectives; and designing and executing organizational contingency plans.


URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000112

Security Risk Management

Kevin E. Peterson, in The Professional Protection Officer, 2010

The Five Avenues to Address Risk

The concept of the five avenues to address risk is directly related to the comprehensive risk management approach. It contends that there are five distinct avenues we can follow to address identified risks to assets. Generally, a comprehensive asset protection strategy incorporates a well-thought-out combination of all or most of these avenues. The five avenues are risk avoidance, risk transfer, risk spreading, risk reduction, and risk acceptance (Figure 27-4).


Figure 27-4. Five avenues to address risk.

The following diagram illustrates the application of “the five avenues to address risk.” It begins with an initial consideration of risk avoidance then proceeds to three additional avenues of addressing risk (transfer, spreading and reduction). Ideally, these three avenues are employed in concert with one another as part of a comprehensive strategy. Finally, Figure 27-5 shows that any residual risk must be acknowledged and accepted.


Figure 27-5. Five avenues to address risk.

(© 2006 Innovative Protection Solutions LLC)

Risk avoidance—this is the most direct avenue for dealing with risk. It simply involves removing any opportunity for the risk to cause a loss event. Many security professionals consider risk avoidance impractical—and therefore, essentially irrelevant—since the measures required to completely avoid risk will essentially negate the enterprise’s ability to perform its mission or accomplish its objectives.

Risk spreading—this very effective practice avoids putting "all your eggs in the same basket." The best example of this is geographically distributing an organization's assets. If a company maintains an inventory of high-value merchandise, for example, and stores all of it in a single warehouse, the potential loss could be 100% of the merchandise if that warehouse experienced a major loss event (e.g., theft, flood, fire, etc.). If, however, this merchandise were distributed among three geographically separated warehouse facilities, a loss event at one of them would put only about one-third of the total inventory at risk. This simplified example provides an excellent illustration of the concept of risk spreading. Another good example of risk spreading is the practice of off-site backups for computer data. By storing a copy of this highly valuable "asset" in another location, a relatively quick recovery from the loss of the original data can be effected. Risk spreading can increase the cost of an operation, but the generally modest costs are usually offset by the decrease in risk to critical assets.

Risk transfer—the typical example of risk transfer is the purchase of insurance. Although not commonly viewed as a part of the traditional “security” function, insurance is generally a key element of an organization’s (or individual’s) risk management strategy. Another form of risk transfer is the act of making oneself a less attractive target than other potential targets (such as neighboring facilities). Although it may not be considered “polite,” this is a way of “transferring” a portion of the risk to a neighbor. In some cases, a portion of risk can be transferred to suppliers, vendors, or others through contract clauses or other types of formal agreements.

Risk reduction—essentially, risk reduction involves any security measures or other actions that would reduce the risk to assets. The most common and direct means of reducing risk, in this sense, are actions that decrease the vulnerability in the risk equation (whereas risk spreading and risk transfer primarily decrease the impact of a loss event). Common risk reduction mechanisms are security measures, policy enforcement, and employee education and awareness, as well as financial and legal positioning.

Risk acceptance—after all risk spreading, risk transfer, and risk reduction measures have been implemented, some risk will remain, since it is virtually impossible to eliminate all risk (except as discussed under risk avoidance). This remaining risk is termed "residual risk." One example of risk acceptance is the setting of shrinkage tolerance levels in the retail industry. In addition, some organizations have established a formal process for risk acceptance. For example, the U.S. Department of Defense requires a "Designated Approval Authority" to sign a document indicating that they accept the residual risk in IT (Information Technology) systems under their jurisdiction after they have reviewed the threat and the protective measures in place. In fact, this recommendation is part of the IT System Accreditation Process across all U.S. government agencies.3

Carefully considering the five avenues to address risk is an excellent exercise and can be very effective at helping (protection) professionals and management to think outside the box in terms of multiple approaches to protecting assets.


URL: https://www.sciencedirect.com/science/article/pii/B9781856177467000274

Mitigation and Preparedness

James F. Broder, Eugene Tucker, in Risk Analysis and the Security Survey (Fourth Edition), 2012

Risk Management

The principles of risk management can be used to identify effective mitigation strategies. The hierarchy of control holds that the elimination of a hazard (risk avoidance) is the first and most effective method of controlling it: if the hazard no longer exists, you don't need to worry about it. Relocating your facility to higher ground further from a river, or moving operations to a lower-risk area, are examples. The hierarchy lists the preferred order of controls from the most effective to the least effective: elimination, substitution, engineering controls, and administrative controls are generally the steps followed.

Substitution involves replacing a hazard with a process that is less hazardous or nonhazardous. A high-technology manufacturer used a chemical that was making its workers sick. The company found a way to produce the product with a less toxic substance and saved many dollars in health costs.


URL: https://www.sciencedirect.com/science/article/pii/B9780123822338000133

Resilience, Risk Management, Business Continuity, and Emergency Management

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Risk Management Tools

Within the risk management process, and before a final decision is made on risk management measures, the practitioner should consider the following tools (also referred to as “risk treatment”) for dealing with risk:

Risk avoidance: This approach asks if the risk should be avoided. For example, the production of a proposed product is canceled because the danger inherent in the manufacturing process creates a risk that outweighs potential profits. Or, a bank avoids opening a branch in a country subject to political instability or terrorism.

Risk transfer: Risk can be transferred to insurance. The risk manager works with an insurance company to tailor a coverage program for the risk. This approach should not be used in lieu of loss prevention measures but rather to support them. Insurance should be last in a series of defenses. Another method of transferring risk is to lease equipment rather than own it. This transfers the risk of obsolescence.

Risk abatement: In abatement, a risk is decreased through a loss prevention measure. Risks are not eliminated, but the severity of loss is reduced. Sprinklers, for example, reduce losses from fire. Sand bags assist in decreasing erosion (Figure 12-1).


Figure 12-1. Florida hotel faces risk of beach erosion from Hurricane Irene.

Courtesy: Ty Harrington/FEMA.

Risk spreading: Potential losses are reduced by spreading the risk among multiple locations. For example, a copy of vital records is stored at a remote, secure location. In another example, following the 9/11 attacks, companies have spread operations among multiple locations to facilitate business continuity.

Risk assumption: In the assumption approach, a company makes itself liable for losses. Not obtaining insurance is an example. This tool may be applied because the chance of loss is minute. Another path, self-insurance, provides for periodic payments to a reserve fund in case of loss. Risk assumption may be the only choice for a company if insurance cannot be obtained. With risk assumption, prevention strategies become essential.


URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000127

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Risk Avoidance

A thorough Risk Analysis should be completed before taking on a new project. If the Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.

The math for this decision is straightforward: calculate the Annualized Loss Expectancy (ALE) of the new project and compare it with the Return on Investment (ROI) expected from the project. If the ALE is higher than the ROI (even after risk mitigation), risk avoidance is the best course. There may also be legal or regulatory reasons that dictate avoiding the risk.

Learn By Example

Avoiding the Risk

A company sells Apple iPods online. For security reasons, repeat customers must reenter their credit card numbers for each order. This is done to avoid the risk of storing credit card numbers on an Internet-facing system (where they may be more easily stolen).

Based on customer feedback, the business unit proposes a “save my credit card information” feature for repeat customers. A Risk Analysis of the new feature is conducted once the project is proposed. The business unit also calculates the Return on Investment for this feature.

The Risk Analysis shows that the information security architecture would need significant improvement to securely protect stored credit card information on Internet-facing systems. Doing so would also require more stringent Payment Card Industry (PCI) auditing, adding a considerable amount of staff hours to the Total Cost of Ownership (TCO).

The TCO is over double the ROI of the new feature, once all costs are tallied. The company decides to avoid the risk and not implement the credit card saving feature.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

Risk Management

David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013

5.5.8.1 Managing the Risk

The Forensic Laboratory must manage risks and safeguard its operations in order to effectively protect its information processing systems, its own information, and information entrusted to it by any Clients or other third parties. Part of this is understanding how to treat the risks to those assets appropriately and realizing that risk can never be eliminated, only reduced to an acceptable level.

Risk treatment options include:

reduce the consequences — by implementing controls to reduce the threats and vulnerabilities or by modifying the assets at risk in some way;

reduce the likelihood of the risk occurring — by implementing controls to treat the threats and vulnerabilities;

retain the risk;

risk avoidance — by deciding not to go ahead with an activity likely to generate risk;

risk transfer — by arranging for another party to bear part or all of the risk, for example, insurers;

sharing the risk with another party or parties.

These options may be used on their own or in association with one or more other options.

When selecting appropriate risk treatment options, the following should be borne in mind:

the current risk treatment in place;

the effectiveness of the treatment in managing risks, if implemented and operated correctly;

the fit of the proposed treatment with the current implemented treatments and architecture;

the identity of the Risk Owner;

the resources needed for implementation and management (i.e., employees, funds, equipment);

the risk treatment needed to reduce risk to an acceptable level.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497428000054

Project Management Software

Robert T. Hughes, in Encyclopedia of Physical Science and Technology (Third Edition), 2003

V.C Planning Risk Avoidance or Reduction

Activities that might prevent the most likely risks from occurring can now be planned. Thus the risk that there might be problems caused by the unfamiliarity of the development staff with a certain software tool might be avoided, or at least reduced, by hiring experts in the use of the tool. These risk avoidance/reduction activities would require changes to project plans and would themselves need to be subjected to risk assessment. In the example where software tool specialists have been hired, the risk of overreliance on experts who might then leave would need to be considered.

Risk reduction actions need to be cost effective. To assess whether this is the case, the risk reduction leverage can be calculated as (RE_before − RE_after) / (cost of risk reduction), where RE_before is the risk exposure before the risk reduction action and RE_after is the risk exposure that will remain after it. Both risk exposures are expressed in terms of money, so the leverage is a dimensionless ratio. A risk reduction leverage greater than 1.00 indicates that the avoidance/reduction activity is financially worthwhile; activities with values above but still close to 1.00 would need to be considered very carefully.
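The ALE-versus-return comparison in the CISSP excerpt above and the risk reduction leverage formula in this section are two views of the same decision. The following Python script, added here as an illustration and not taken from either chapter, puts them together: it models a risk as SLE × ARO, scores each candidate control by its leverage, and then compares the expected annual cost of every avenue (accept, reduce, transfer, avoid), treating avoidance as giving up the project's expected return. All monetary figures, the control names, and the 10% "marginal" band around a leverage of 1.00 are constructed assumptions for the example.

```python
"""Added example: comparing risk treatment options with ALE and leverage.

Models: ALE = SLE x ARO (CISSP excerpt); risk reduction leverage
RRL = (RE_before - RE_after) / cost (Hughes excerpt). Every figure below is
constructed for illustration; none comes from the cited chapters.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Risk:
    """A single risk in the ALE model."""
    name: str
    sle: float  # single loss expectancy: loss per event, in currency units
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    """A candidate reduce/transfer control: yearly cost plus what remains."""
    name: str
    kind: str           # "reduce" or "transfer"; accept/avoid handled below
    annual_cost: float
    residual_sle: float  # loss per event after the control is in place
    residual_aro: float  # event rate after the control is in place

    @property
    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def risk_reduction_leverage(risk: Risk, t: Treatment) -> float:
    """RRL = (RE_before - RE_after) / cost, with RE measured as ALE."""
    if t.annual_cost <= 0:
        return inf  # a free control has unbounded leverage
    return (risk.ale - t.residual_ale) / t.annual_cost


def classify_leverage(rrl: float, marginal_band: float = 0.10) -> str:
    """Hughes: > 1.00 is worthwhile, but values just above 1.00 deserve care.
    The 10% band defining 'just above' is this example's assumption."""
    if rrl <= 1.0:
        return "not worthwhile"
    if rrl <= 1.0 + marginal_band:
        return "marginal"
    return "worthwhile"


def expected_annual_costs(risk: Risk, treatments: list[Treatment],
                          expected_annual_return: float) -> dict[str, float]:
    """Expected yearly cost of every avenue.

    accept: pay nothing, carry the full ALE.
    avoid:  drop the activity; the cost is the return you give up.
    reduce/transfer: control cost plus whatever ALE remains.
    """
    costs = {"accept": risk.ale, "avoid": expected_annual_return}
    for t in treatments:
        costs[t.name] = t.annual_cost + t.residual_ale
    return costs


def recommend(risk: Risk, treatments: list[Treatment],
              expected_annual_return: float) -> tuple[str, float]:
    """Pick the avenue with the lowest expected annual cost (ties by name)."""
    costs = expected_annual_costs(risk, treatments, expected_annual_return)
    best = min(costs, key=lambda k: (costs[k], k))
    return best, costs[best]


# Constructed scenario modelled on the CISSP "save my card" feature.
CARD_BREACH = Risk("breach of stored cardholder data", sle=2_000_000, aro=0.05)
HARDEN = Treatment("harden+pci-audit", "reduce", 60_000, 2_000_000, 0.005)
INSURE = Treatment("cyber-insurance", "transfer", 40_000, 400_000, 0.05)
CONTROLS = [HARDEN, INSURE]

if __name__ == "__main__":
    for t in CONTROLS:
        rrl = risk_reduction_leverage(CARD_BREACH, t)
        print(f"{t.name:18s} RRL={rrl:.2f} ({classify_leverage(rrl)})")
    for ret in (30_000, 150_000):
        print(f"expected return {ret:>8,}: recommend",
              recommend(CARD_BREACH, CONTROLS, ret))
```

With a feature worth 30,000 a year the cheapest avenue is avoidance (forgo 30,000) even though both controls have leverage above 1.00, which is exactly the CISSP rule: mitigation can be worthwhile in isolation and still leave an ALE that exceeds the return. Raise the expected return to 150,000 and the recommendation flips to the transfer option, because forgoing the project now costs more than insuring it.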


URL: https://www.sciencedirect.com/science/article/pii/B0122274105008528

Risk Mitigation Strategy Development

Susan Snedaker, Chris Rima, in Business Continuity and Disaster Recovery Planning for IT Professionals (Second Edition), 2014

Types of risk mitigation strategies

Risk acceptance is a strategy in which the company accepts the potential consequences of a given risk. The company chooses to do nothing to avoid, limit, or transfer the risk. Acceptance usually has a very low cost associated with managing the risk (or zero cost), but can have a very high cost in the aftermath of a disruption.

Risk avoidance is a strategy in which the risk is completely avoided. This might include shutting down critical systems and moving them in advance of a hurricane. Avoidance takes the risk to zero but often has a high cost associated with it. Therefore, the cost of managing the risk is very high but the cost of recovery is very low.

Risk limitation is a strategy that falls in between acceptance and avoidance. Most companies choose a risk limitation strategy, especially for IT systems, where complete acceptance or avoidance is too costly on one side of a disruption or the other. Steps such as secure, off-site backups can go a long way toward reducing an organization's risks without being too expensive in either the implementation or the recovery phase.

Risk transference is where the exposure to the risk is transferred to a third party, usually as part of a financial transaction. Purchasing insurance is the most common risk transference method, though others exist.

Which risk management strategy seeks to prevent the risk from actually occurring?

Risk avoidance is the only risk management strategy that seeks to completely eliminate the chance of a particular risk from happening and/or its ability to impact the organization to any degree.

Which risk treatment strategy approach can also be referred to as an avoidance strategy?

The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk treatment strategy, also known as the avoidance strategy. Note that in this terminology "avoidance" means applying controls so the vulnerability cannot be exploited, whereas in the chapters above it means not undertaking the activity at all.

Which risk control strategy attempts to prevent the exploitation of a vulnerability?

Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability. Avoidance is accomplished through the application of policy and the application of training and education.

Which risk treatment strategy focuses on planning and preparation to reduce the impact or potential consequences of an incident or disaster?

The risk treatment strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation is known as the mitigation risk treatment strategy.