Ignore the risks at your peril
I was recently on the Security Catalyst Forums (HERE), where I was reminded of this quote from the lyrics of the song “Free Will” by the Canadian rock group, Rush (HERE):
“If you choose not to decide, you still have made a choice.”
This statement can be applied to a lot of different situations and philosophies. However, I think it is particularly relevant in the world of Risk Management.
In Risk Management, there are generally said to be the following choices for addressing an identified risk:
- Avoid the risk - meaning you change the entire scope of your system so that the particular risk is no longer relevant. You actually go so far out of the way that there is no likelihood of a threat event happening. For example, if you don’t want to die from a volcanic eruption, you could make sure that your home is nowhere near any volcanoes; maybe the eastern part of North America?
- Transfer the risk - meaning you get someone else to absorb the consequences of a threat event happening. The most common method of risk transferral is “insurance”. We pay a premium on an ongoing basis so that we do not have a major financial impact if our house burns down, our car is written off, or our family wage earner dies or becomes disabled.
- Reduce the risk - meaning you put a “safeguard” in place that either reduces the likelihood of a threat event happening, or reduces the impact if the threat event is realized. For example, we wear a helmet when playing sports to reduce the damage caused in the event that our head hits something hard (not unlikely). Or we use headlights when we drive at night so that we reduce the chances of running into another vehicle or obstacle.
- Accept the risk - meaning that we will do nothing further to address the risk. When we fly on a commercial airliner, there is not much we can do (in addition to what the airline and government have done) to reduce the likelihood or impact of an accident. We accept that there is a small risk remaining even after all the safeguards are in place. (The risk remaining after putting safeguards in place is called the “Residual Risk”.)
- Ignore the risk - meaning that we don’t even consider whether there is a risk or not. Some people argue that this is merely a special case of accepting the risk, where we deem the risk so small as to be not important. Thus the quoted lyrics: “If you choose not to decide, you still have made a choice.” For any organization of significant size, this is not usually seen as being a responsible choice for how to deal with all risks. (If a thorough Threat and Risk Assessment has been done, then lower priority risks are usually accepted. This is not the same as ignoring risk altogether.)
The first step in deciding on what security safeguards to implement is usually to do a Threat and Risk Assessment (TRA). This can tell you, within the defined scope of a system being analyzed, what the most significant risks are that should be addressed. But even before doing a TRA, an organization needs to look at its own “Risk Profile”.
The Risk Profile is important because it provides guidance for the TRA in defining what level of risk is acceptable to the organization. It can be done without consideration for any particular system under development. It is an attribute of the organization, not of the system. Once the Risk Profile is defined for an organization, a “Target Level of Residual Risk” can be defined for a system. This way, a TRA can make recommendations about what safeguards are recommended to achieve the target Residual Risk so the organization can stay within its Risk Profile.
The point of all this analysis is to allow you to prioritize the security safeguards that fit within your budget. Nobody ever has enough money to address “all” risks. So, you have to prioritize, starting with the biggest risks. There is really no point in starting anywhere else. By definition, the biggest risk is the thing you are in the greatest danger from. So, there’s no excuse for being paralyzed into doing nothing.
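To make the prioritization concrete, here is an added example (my own illustration, not code from the original post) that walks through the treatment choices above the way a TRA would: each risk gets an inherent score (likelihood x impact), the organization’s Risk Profile is expressed as a Target Level of Residual Risk, and safeguards are bought for the biggest risks first until the residual is within target or the budget runs out. The scales, risks, safeguards, costs and budget are all constructed sample values, not figures from the post.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from typing import List, Tuple

# Ordinal scales for qualitative ratings (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Safeguard:
    name: str
    cost: int                      # budget units
    likelihood_reduction: int = 0  # scale steps it takes off likelihood
    impact_reduction: int = 0      # scale steps it takes off impact


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    candidates: List[Safeguard] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any new safeguard is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Decision:
    risk: str
    treatment: str        # "accept", "reduce" or "escalate" (avoid/transfer/explicit acceptance needed)
    safeguards: List[str]
    inherent: int
    residual: int
    spend: int


def residual_score(risk: Risk, chosen: List[Safeguard]) -> int:
    """Residual Risk = likelihood x impact after the chosen safeguards (floor of 1 on each axis)."""
    like, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for s in chosen:
        like = max(1, like - s.likelihood_reduction)
        imp = max(1, imp - s.impact_reduction)
    return like * imp


def treat_risk(risk: Risk, target: int, budget: int) -> Decision:
    """Choose safeguards for one risk until residual <= target or the budget is exhausted."""
    current = risk.inherent()
    if current <= target:
        # Already within the Risk Profile: a recorded acceptance, not an ignored risk.
        return Decision(risk.name, "accept", [], current, current, 0)
    chosen: List[Safeguard] = []
    remaining = list(risk.candidates)
    spend = 0
    while current > target:
        affordable = [s for s in remaining if s.cost <= budget - spend]
        if not affordable:
            break
        # Best value for money: largest drop in residual per unit cost; ties go to the larger drop.
        def value(s: Safeguard) -> Tuple[Fraction, int]:
            drop = current - residual_score(risk, chosen + [s])
            return (Fraction(drop, s.cost), drop)
        best = max(affordable, key=value)
        if value(best)[1] <= 0:
            break  # nothing left actually lowers the score
        chosen.append(best)
        remaining.remove(best)
        spend += best.cost
        current = residual_score(risk, chosen)
    treatment = "reduce" if current <= target else "escalate"
    return Decision(risk.name, treatment, [s.name for s in chosen], risk.inherent(), current, spend)


def plan(risks: List[Risk], target: int, budget: int) -> Tuple[List[Decision], int]:
    """Treat the biggest risks first, as the post recommends; returns decisions and leftover budget."""
    decisions = []
    for risk in sorted(risks, key=lambda r: r.inherent(), reverse=True):
        d = treat_risk(risk, target, budget)
        budget -= d.spend
        decisions.append(d)
    return decisions, budget


# Constructed sample register: four risks with candidate safeguards and made-up costs.
EXAMPLE_RISKS = [
    Risk("Ransomware on file server", "likely", "major", [
        Safeguard("Offline backups", cost=20, impact_reduction=2),
        Safeguard("Email filtering", cost=10, likelihood_reduction=1),
        Safeguard("Endpoint detection", cost=30, likelihood_reduction=2),
    ]),
    Risk("Unpatched VPN appliance", "possible", "severe", [
        Safeguard("Patch SLA", cost=25, likelihood_reduction=2),
        Safeguard("MFA on VPN", cost=15, likelihood_reduction=1),
    ]),
    Risk("Laptop theft", "possible", "minor", [
        Safeguard("Full-disk encryption", cost=5, impact_reduction=1),
    ]),
    Risk("Office flood", "rare", "moderate"),
]


def example_plan() -> Tuple[List[Decision], int]:
    # Target Level of Residual Risk 6 and a budget of 50 are assumed values for the sample.
    return plan(EXAMPLE_RISKS, target=6, budget=50)


if __name__ == "__main__":
    decisions, left = example_plan()
    for d in decisions:
        print(f"{d.risk}: {d.treatment} (inherent {d.inherent} -> residual {d.residual}, "
              f"spend {d.spend}, safeguards {d.safeguards})")
    print("budget left:", left)
```

With these sample figures the ransomware risk consumes most of the budget and reaches the target, the VPN risk gets MFA but stays above target and is flagged “escalate”, and the two small risks are accepted on the record. “Escalate” is the point where the remaining options are to avoid the risk, transfer it (insurance, a hosted service), or have someone with the authority sign off on accepting it; what the planner never outputs is “ignore”. The biggest-first ordering is the one the post argues for; a cross-risk value-for-money pass could spend the same budget differently, which is the kind of trade-off a TRA writes down rather than leaves implicit.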
TRAs can be done using many different methodologies. In fact, this video clip on YouTube (click HERE) could be considered to be a kind of TRA on Global Warming. Please have a look.