Risk Countermeasure Implementation

No organization is immune from a cyberattack, regardless of the security in place. Knowing that an attack can and will occur, organizations must therefore have strategic risk responses ready to be implemented in the event of a cyberattack. Organizations use four types of risk response strategies:

  • acceptance
  • avoidance
  • transfer
  • mitigation

When a strategy is applied to a specific risk, it is referred to as a risk treatment. Risk treatment is the process by which cybersecurity professionals reduce a risk by choosing the strategy that best preserves the organization's ability to survive an attack on its critical infrastructure.

Risk acceptance means that applying a strategy to a risk would cost more than the risk itself. In that case, senior management is willing to accept the risk rather than mitigate it.

Acceptance has two forms. For opportunity-based risks, an organization accepts the risk in the expectation of a beneficial or profitable outcome. This form of acceptance usually involves a deliberate action (e.g., signature on a memorandum) that authorizes the acceptance of the risk.

For threat-based risks, an organization accepts a risk when the costs of taking action to prevent harm exceed the expected costs of doing nothing. This form of acceptance may be either de facto (through no action) or de jure (formally approved or agreed to by an oversight group).

Risk avoidance means that senior management takes steps to prevent a risk from becoming a reality. Avoidance occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise.

For example, after reviewing an opportunity to invest in a new security technology, a venture capitalist could determine that the potential payoff is too low compared to other uses of the money and decide not to invest in the security technology. Not making the investment is an avoidance strategy. Obviously, senior management can never completely avoid risk: as long as the network is running, the possibility of a risk always exists.

Risk transfer shifts responsibility for the outcome of a risk to another organization in order to offset the potential costs and liability of an attack. Two common types of transfer strategies are insurance and outsourcing. Cyber insurance is purchased to protect an organization from financial losses resulting from cyberattacks. Outsourcing transfers financial responsibility for specific risks as part of a service-level agreement or another form of contract for services.

Risk mitigation means that senior managers take a proactive approach to risk; that is, they will implement safeguards once a potential risk has been identified. Mitigation is the most complex of the four risk management strategies. This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the impact of a risk.

Some mitigation measures focus on reducing vulnerabilities in assets (e.g., patching software), while others lower the probability of occurrence (e.g., deploying antivirus software to detect and block malware before an infection occurs). Most security controls are intended as risk mitigation measures.
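The four strategies above are chosen by comparing what a treatment costs against the expected cost of doing nothing, which is the acceptance rule stated earlier. The following Python is an added example, not part of the original module or of any NIST publication: it models each candidate treatment by its annual cost and the fraction of expected loss that remains after it is applied, returns acceptance when every available action costs more than the untreated risk, and otherwise picks the option with the lowest total expected cost. The risks, loss figures and treatment costs are constructed for illustration; the `de facto` / `de jure` distinction in `acceptance_record` follows the module's own definition.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    expected_annual_loss: float  # expected cost of doing nothing, per year


@dataclass
class Treatment:
    name: str
    strategy: str             # "avoidance", "transfer" or "mitigation"
    annual_cost: float        # what applying the treatment costs per year
    residual_fraction: float  # share of the expected loss that remains


# Acceptance costs nothing to apply and leaves the whole expected loss in place.
ACCEPT = Treatment("accept the risk", "acceptance", 0.0, 1.0)


def total_expected_cost(risk: Risk, t: Treatment) -> float:
    """Treatment cost plus the loss that the treatment does not remove."""
    return t.annual_cost + risk.expected_annual_loss * t.residual_fraction


def acceptance_justified(risk: Risk, candidates) -> bool:
    """Module's rule: accept when every action costs more than doing nothing."""
    return all(t.annual_cost > risk.expected_annual_loss for t in candidates)


def select_treatment(risk: Risk, candidates) -> Treatment:
    """Choose the treatment with the lowest total expected cost.

    Acceptance is always on the table; it wins outright when no candidate is
    cheaper than the untreated risk, and competes on total cost otherwise.
    """
    if acceptance_justified(risk, candidates):
        return ACCEPT
    return min([ACCEPT, *candidates], key=lambda t: total_expected_cost(risk, t))


def acceptance_record(risk: Risk, approver: Optional[str]) -> dict:
    """De jure acceptance carries a formal sign-off; de facto is inaction."""
    return {
        "risk": risk.name,
        "form": "de jure" if approver else "de facto",
        "approver": approver,
    }


# Constructed sample data (hypothetical figures, not from the module).
RANSOMWARE_RISK = Risk("ransomware on the file server", 120_000.0)
RANSOMWARE_OPTIONS = [
    Treatment("patching plus endpoint detection", "mitigation", 40_000.0, 0.25),
    Treatment("cyber insurance policy", "transfer", 30_000.0, 0.50),
    Treatment("decommission the file server", "avoidance", 150_000.0, 0.0),
]

PRINTER_RISK = Risk("compromise of an isolated legacy printer", 2_000.0)
PRINTER_OPTIONS = [
    Treatment("replace the printer fleet", "mitigation", 15_000.0, 0.0),
]

if __name__ == "__main__":
    for risk, options in ((RANSOMWARE_RISK, RANSOMWARE_OPTIONS),
                          (PRINTER_RISK, PRINTER_OPTIONS)):
        chosen = select_treatment(risk, options)
        print(f"{risk.name}: {chosen.strategy} -> {chosen.name} "
              f"(total expected cost {total_expected_cost(risk, chosen):,.0f})")
    print(acceptance_record(PRINTER_RISK, None))
    print(acceptance_record(PRINTER_RISK, "CISO memorandum 2024-01"))
```

Running the block selects mitigation for the ransomware risk (40,000 in controls plus 30,000 residual loss beats insurance at 90,000 and avoidance at 150,000) and acceptance for the printer risk, where the only action costs more than the risk itself; the two `acceptance_record` calls show the same acceptance recorded first as de facto and then as de jure once an approver signs it.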

In addition to the four types of risk responses, a cybersecurity professional can also employ defense-in-depth as a risk mitigation. Defense-in-depth risk mitigation is an approach that uses layers of protective measures to reduce the likelihood that a cyberattack will be successful. Commonly used protective measures include:

  • antivirus software
  • content-filtering software
  • encryption
  • firewalls and intrusion detection systems
  • honeypots (decoy systems and networks)
  • strong authentication (e.g., two-factor with biometrics)

Check Your Knowledge

Choose the best answer to each question:

Question 1

This risk countermeasure approach occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise.

  • avoidance
  • transfer
  • mitigation
  • defense-in-depth

Question 2

This risk countermeasure approach is accomplished by transferring responsibility for the outcome of the risk to another organization.

  • avoidance
  • transfer
  • mitigation
  • defense-in-depth

Question 3

This risk countermeasure approach is the most complex of the four risk management strategies. This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the impact of a risk.

  • avoidance
  • transfer
  • mitigation
  • defense-in-depth

Question 4

It is a risk mitigation approach that uses layers of protective measures to reduce the likelihood that a cyberattack will be successful.

  • avoidance
  • transfer
  • mitigation
  • defense-in-depth

Question 5

The four types of risk response strategies are acceptance, avoidance, transfer, and mitigation.

  • True
  • False