Posted by: Ed Tittel
Emmett Dulaney's Visual Guide to Risk Management, nice overview of infosec principles of risk management
I may be imagining things, but Emmett Dulaney’s postings over at CertCities.com seem to be one of the few active signs of life left at that once-vibrant IT certification information clearinghouse (his columns are now the only entries in the What’s New area on the home page, and most other silos show dates no newer than 2010). If only to prove his continued vitality, you really should bop over to Emmett’s latest posting on the Security+ exam, entitled “A Visual Guide to Risk Management.” There, you’ll find discussion and examples for the five different types of risk management strategies near and dear to the hearts of risk management professionals everywhere, now also explicitly ensconced in the questions for the recently revised SY0-301 version of the CompTIA Security+ exam:
- risk acceptance: formal acknowledgement that a risk exists, coupled with a decision to accept the risk as it stands (which usually means the costs of mitigation exceed the losses that the risk is likely to inflict should it actually occur)
- risk avoidance: this means identifying a particular risk, and choosing to no longer perform the actions that invite such a risk. By avoiding risky behavior, in other words, the risk incurred thereby is also avoided.
- risk deterrence: this means responding to the threat of some particular risk by providing deterrent means or messages to let potential malefactors know that if they seek to inflict certain types of attack or damage, you have means to detect and respond to such behavior (Dulaney uses the example of a security camera with a promise to prosecute trespassers).
- risk mitigation: this means taking steps to reduce the risk, often by increasing the strength of defenses against it.
- risk transference: this means offloading some or all of a risk to a third party, many times by purchasing insurance to protect against loss (which also usually requires insureds to take reasonable steps for deterrence and mitigation as well, to qualify for further loss protection).
The best thing about the article is Dulaney’s simple, effective, visual illustrations of these principles, and his use of a neighborhood mailbox to explain each of these principles directly and cogently. Well worth checking out, and even pondering for those who may never wish to pursue the Security+ exam. A nice piece of work!