Page 178 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

and a larger example is to move to an inland location to avoid the risks from hurricanes.

Risk Assignment Assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of assigning or transferring risk.

Risk Acceptance Accepting risk, risk tolerance, or acceptance of risk is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized. In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a sign-off letter. An organization's decision to accept risk is based on its risk tolerance, also known as risk appetite, which is the ability of an organization to absorb the losses associated with realized risks.

Risk Deterrence Risk deterrence is the process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.

Risk Avoidance Risk avoidance is the process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of risk avoidance. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.

Risk Rejection A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.