Using both risk control levers

If you define risk as a possible scenario involving loss, you will come to see two aspects of risk:

  1. How probable it is that an event will occur
  2. How much it would cost you if it did

This gives you two levers for risk control: likelihood, and impact.

You can reduce the likelihood of an event occurring. And you can reduce the impact of that event, if it were to occur.

They are both important parts of a good security program.

The first lever is "Prevent".

Sometimes, you can bring likelihood all the way to zero. For example, you can choose to not store sensitive user information. This is the decision to avoid risk.

Or you can reduce the likelihood by an order of magnitude. For example, you can give a third party responsibility for protecting a given data set. This is transferring risk.

In both cases, you are trying to prevent something bad from happening.

The second lever is "Prepare".

When you put in place a control to help you detect or recover from an issue, you are controlling the impact.

For example, you could use a service to watch the status of your website and alert you if it goes down. This won't prevent the website from going down, but it will reduce the downtime.

A solid backup program eliminates most of the impact of ransomware.
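To make the two levers concrete, here is a small expected-loss model, added as an illustration and not part of the original post. It treats risk as likelihood multiplied by impact, lets each control act on only one of the two levers, and costs the controls so they can be ranked. The scenarios (ransomware, website outage) and the controls (avoid, transfer, backups, monitoring) are the post's own examples; every figure attached to them is constructed for the example and is not real data. It goes slightly beyond the post by showing that a "prevent" and a "prepare" control applied together multiply their effect.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """A loss scenario: how likely it is per year and what it costs if it happens."""
    name: str
    likelihood_per_year: float   # probability the event occurs in a given year (0..1)
    impact_cost: float           # money lost if it does occur


@dataclass(frozen=True)
class Control:
    """A control acts on exactly one lever.

    lever      "prevent" scales likelihood, "prepare" scales impact
    reduction  fraction removed from that lever: 0.0 = no effect, 1.0 = eliminated
    """
    name: str
    lever: str
    reduction: float
    annual_cost: float = 0.0


def expected_loss(s: Scenario) -> float:
    """Annualised expected loss: the two aspects of risk multiplied together."""
    return s.likelihood_per_year * s.impact_cost


def residual(s: Scenario, controls: Iterable[Control]) -> Scenario:
    """Apply controls; each one only touches the lever it belongs to."""
    likelihood, impact = s.likelihood_per_year, s.impact_cost
    for c in controls:
        if not 0.0 <= c.reduction <= 1.0:
            raise ValueError(f"{c.name}: reduction must be between 0 and 1")
        if c.lever == "prevent":
            likelihood *= 1.0 - c.reduction
        elif c.lever == "prepare":
            impact *= 1.0 - c.reduction
        else:
            raise ValueError(f"{c.name}: unknown lever {c.lever!r}")
    return Scenario(s.name, likelihood, impact)


def net_benefit(s: Scenario, controls: Iterable[Control]) -> float:
    """Expected loss avoided per year, minus what the controls cost per year."""
    controls = list(controls)
    avoided = expected_loss(s) - expected_loss(residual(s, controls))
    return avoided - sum(c.annual_cost for c in controls)


def rank_controls(s: Scenario, candidates: Iterable[Control]) -> List[Tuple[str, float]]:
    """Rank each candidate on its own by net benefit, best first."""
    scored = [(c.name, net_benefit(s, [c])) for c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures for the post's own examples; not measurements.
RANSOMWARE = Scenario("ransomware on file server", likelihood_per_year=0.10, impact_cost=500_000)
OUTAGE = Scenario("website down", likelihood_per_year=0.50, impact_cost=20_000)

AVOID = Control("do not store the sensitive data", "prevent", reduction=1.0)
TRANSFER = Control("third party hosts the data set", "prevent", reduction=0.9, annual_cost=30_000)
BACKUPS = Control("tested offline backups", "prepare", reduction=0.8, annual_cost=5_000)
MONITORING = Control("uptime monitoring and alerting", "prepare", reduction=0.5, annual_cost=1_000)


if __name__ == "__main__":
    for s in (RANSOMWARE, OUTAGE):
        print(f"{s.name}: expected loss {expected_loss(s):,.0f}/year")
    print("ransomware, backups only     :", f"{expected_loss(residual(RANSOMWARE, [BACKUPS])):,.0f}")
    print("ransomware, transfer + backups:", f"{expected_loss(residual(RANSOMWARE, [TRANSFER, BACKUPS])):,.0f}")
    print("outage, monitoring            :", f"{expected_loss(residual(OUTAGE, [MONITORING])):,.0f}")
    print("ranking for ransomware:", rank_controls(RANSOMWARE, [AVOID, TRANSFER, BACKUPS]))
```

Two things the numbers make visible. Avoidance wins the ranking because a likelihood of zero makes the impact irrelevant, which is exactly why not storing the data is so attractive when it is an option. And the combined transfer-plus-backups case shows the levers compounding: cutting likelihood by 90% and impact by 80% leaves 2% of the original expected loss, which neither control reaches on its own.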

In any case, discussions about control selection should be nuanced. Remember to consider different viewpoints when listing pros and cons.

The unique perspectives that your team members will contribute might surprise you.

I hope you found this valuable.
