Risk treatment (risk response/risk control)
The process of addressing unacceptable levels of risk (those exceeding the organization’s risk appetite) through strategies such as mitigation, transference, acceptance, or termination.
Four basic risk treatment strategies
The main approaches for handling risk: mitigation (reduce), transference (shift), acceptance (tolerate), and termination (eliminate).
Risk mitigation (defense strategy)
Applying policies, training, and technical safeguards to eliminate or reduce risk by lowering the likelihood or impact of attacks.
Risk transference
Shifting risk to other entities (e.g., insurers, contractors, managed security providers) through outsourcing or formal agreements.
Risk acceptance
Choosing to live with residual risk when mitigation or controls are not cost-justified, based on a formal, informed business decision.
Risk termination (avoidance)
Removing an information asset from service to eliminate all associated risk; a deliberate decision rather than neglect.
Residual risk
The remaining risk after controls are implemented; cannot be fully eliminated if the asset remains active.
Process communications
Ongoing feedback between the governance group, RM framework team, and RM process team to ensure coordination and continuous improvement.
Process monitoring and review
Measuring performance, collecting data, and reviewing feedback to refine the RM process and ensure controls are effective.
Contingency planning (CP) mitigation
The planning and preparation to reduce damage from incidents or disasters when preventive controls fail (IR, DR, BC, CM plans).
Incident response (IR) plan
Defines immediate actions during an incident (e.g., data breach), focusing on detection, containment, and recovery.
Disaster recovery (DR) plan
Outlines short-term recovery procedures to restore IT systems and data after a disaster.
Business continuity (BC) plan
Ensures long-term continuation of critical business functions if a major disruption exceeds DR capabilities.
Crisis management (CM) plan
Protects personnel and manages communications and safety during incidents or disasters.
Risk appetite
The level and type of risk an organization is willing to accept while pursuing its objectives.
Residual risk vs risk appetite
The goal is to reduce residual risk to align with the organization’s documented risk appetite—not to eliminate risk entirely.
Cost–benefit analysis (CBA)
Formal comparison of control costs against potential benefits or loss reductions to determine if a safeguard is justified.
Single loss expectancy (SLE)
Expected monetary loss from one occurrence: SLE = Asset Value × Exposure Factor.
Annualized rate of occurrence (ARO)
Likelihood or frequency of a specific threat event occurring per year.
Annualized loss expectancy (ALE)
Expected yearly loss from a specific threat: ALE = SLE × ARO.
Economic feasibility
Evaluates whether implementing a security control is financially justified based on expected benefits.
Qualitative valuation
Uses descriptive labels (e.g., high, medium, low) instead of numeric values to estimate likelihood or impact.
Hybrid valuation
Combines qualitative scales with numeric ranges for a more precise yet flexible approach.
Delphi technique
A collaborative, iterative process where experts anonymously rate or rank risks until consensus is reached.
Organizational feasibility
Measures whether a control aligns with the organization’s strategic goals and direction.
Operational feasibility
Measures how well a control fits organizational culture and user acceptance; relies on communication, education, and involvement.
Technical feasibility
Evaluates if the organization has the necessary infrastructure, software, and skills to implement a proposed control.
Political feasibility
Assesses whether proposed solutions fit within the organization’s political and resource environment.
Benchmarking
Comparing processes or performance against internal baselines or external best practices to identify improvements.
Due care
Meeting the minimum reasonable level of security expected for similar organizations under similar circumstances.
Due diligence
The ongoing maintenance and monitoring of controls to ensure due care standards remain met.
Best business practices
Industry-recognized methods that balance usability and protection effectively.
Gold standard
The highest level of cybersecurity excellence; setting the benchmark for an industry.
Government recommendations and standards
Authoritative frameworks (e.g., NIST, ISO) that guide organizations on best cybersecurity and RM practices.
OCTAVE methodology
Carnegie Mellon’s risk evaluation approach balancing asset protection with cost; includes OCTAVE, OCTAVE-S, and OCTAVE-Allegro versions.
FAIR framework
Factor Analysis of Information Risk—a quantitative model for assessing information risk using defined steps and terminology.
ISO 27005
Standard focusing on the information security risk management process.
ISO 31000
General RM standard providing risk management principles, frameworks, and processes applicable to all risk types.
NIST RMF
Seven-step framework integrating RM into system lifecycles: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor.
NIST RMF tiers
Three organizational levels: governance (strategic), business processes (tactical), and information systems (operational).
MITRE RM model
Four-step process: identify risk, assess impact, prioritize, and plan/monitor mitigation.
ENISA RM model
EU agency model emphasizing identification, assessment, treatment, and monitoring; provides online RM tool comparisons.
IsecT methodology
New Zealand consultancy offering ISO 27001-aligned RM resources and methods via iso27001security.com.
Selecting an RM model
Organizations should review available models, identify best-fit practices, and adapt them rather than striving for perfection.
“Perfect is the enemy of the good”
Encourages implementing good, timely security rather than delaying for unattainable perfection.
Consultant use in RM
Organizations may hire experts to develop or customize proprietary RM models suited to their needs.
Risk treatment practices
Controls often affect multiple threat–vulnerability–asset combinations; decisions should consider shared benefits and overall ALE changes.
Feasibility types in RM
Four main types: organizational, operational, technical, and political feasibility—all impact the success of risk treatment strategies.
Total cost of ownership (TCO)
The total direct and indirect costs over an asset’s lifecycle—development, operation, protection, and disposal.
Economic cost avoidance
The savings realized from preventing incidents through proactive control implementation.
Risk treatment cycle
The continuous process of assessing, treating, monitoring, and improving controls and strategies.
Residual risk reestimation
The process of calculating new residual risk after applying controls and comparing it against risk appetite.
Risk management models
Examples include OCTAVE, FAIR, ISO 27005/31000, and NIST RMF—each provides structured approaches to managing cyber risk.
“Good security now is better than perfect security never”
The practical principle emphasizing timely implementation of reasonable protection over indefinite pursuit of perfection.