Page 177 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Risk Responses
The results of risk analysis are many:
- Complete and detailed valuation of all assets
- An exhaustive list of all threats and risks, rate of occurrence, and extent of loss if realized
- A list of threat-specific safeguards and countermeasures that identifies their effectiveness and ALE
- A cost/benefit analysis of each safeguard
This information is essential for management to make educated, intelligent decisions about safeguard implementation and security policy alterations.
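As an added example that is not from the study guide, the following Python applies the standard quantitative formulas (SLE = AV x EF, ALE = SLE x ARO, safeguard value = ALE before minus ALE after minus annual cost of the safeguard) to constructed sample figures and uses the result to decide between mitigating and accepting a risk. The asset value, exposure factors, rates of occurrence and safeguard costs are made-up assumptions.

```python
# Added example, not from the study guide: SLE = AV x EF, ALE = SLE x ARO,
# safeguard value = ALE(before) - ALE(after) - ACS. All figures are constructed.
from dataclasses import dataclass

@dataclass
class Safeguard:
    name: str
    annual_cost: float    # ACS: annual cost of the safeguard
    residual_ef: float    # exposure factor remaining once it is in place
    residual_aro: float   # annualized rate of occurrence once it is in place

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: loss from one occurrence of the threat."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return single_loss_expectancy(asset_value, ef) * aro

def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Cost/benefit of one safeguard: ALE before, minus ALE after, minus ACS.
    Positive means the safeguard saves more per year than it costs."""
    before = annualized_loss_expectancy(asset_value, ef, aro)
    after = annualized_loss_expectancy(asset_value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost

def rank_safeguards(asset_value, ef, aro, safeguards):
    """(name, value) pairs, most cost-effective safeguard first."""
    scored = [(s.name, safeguard_value(asset_value, ef, aro, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def choose_response(asset_value, ef, aro, safeguards):
    """Mitigate with the best safeguard only if it pays for itself; otherwise
    the risk is a candidate for acceptance or transfer, not for spending."""
    ranked = rank_safeguards(asset_value, ef, aro, safeguards)
    if ranked and ranked[0][1] > 0:
        return ("mitigate", ranked[0][0])
    return ("accept", None)

# Constructed sample: $500,000 asset, 40% exposure, one incident every two years.
SAMPLE = dict(asset_value=500_000, ef=0.4, aro=0.5)
SAMPLE_SAFEGUARDS = [
    Safeguard("patching and monitoring", 20_000, 0.4, 0.1),   # cheap, cuts ARO
    Safeguard("replace the system", 90_000, 0.1, 0.1),        # costly, cuts both
    Safeguard("eliminate the exposure", 120_000, 0.0, 0.0),   # costs more than ALE
]
if __name__ == "__main__":
    for name, value in rank_safeguards(**SAMPLE, safeguards=SAMPLE_SAFEGUARDS):
        print(f"{name:26s} annual value {value:>10,.0f}")
    print(choose_response(**SAMPLE, safeguards=SAMPLE_SAFEGUARDS))
```

With these figures the unmitigated ALE is $100,000 a year; the cheapest safeguard nets $60,000, the expensive replacement only $5,000, and the complete elimination costs $20,000 more than the loss it prevents, so management would mitigate with the first and would not fund the third.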
Once the risk analysis is complete, management must address each specific risk. There are several possible responses to risk:
- Reduce or mitigate
- Assign or transfer
- Accept
- Deter
- Avoid
- Reject or ignore
You need to know the following information about the possible risk responses:
Risk Mitigation
Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment. In fact, countermeasure selection is a post-risk-assessment or post-risk-analysis activity. Another potential variation of risk mitigation is risk avoidance. The risk is avoided by eliminating the risk cause. A simple example is removing the File Transfer Protocol (FTP) from a server to avoid FTP attacks,