Sunday, April 4, 2010

Risk Control Strategies

The four basic strategies for controlling the risk that arises from vulnerabilities are:

1. Avoidance means putting controls in place to prevent or reduce the occurrence of a risk. This is the most preferred approach because it removes the risk rather than managing its consequences. It is accomplished through technology safeguards and controls that reduce risk to an acceptable level, sound policies that remove vulnerabilities from assets, and education, training and awareness for employees on all aspects of information security.
Avoidance is adopted to bring risks down to an acceptable level within the organization, and for vulnerabilities which, if exploited, threaten business continuity and the day-to-day operations of the organization. It is especially important to avoid vulnerabilities that strike at the culture and foundation of the organization, such as the risk to personal and credit card data held by online retailers like Amazon.

2. Mitigation involves measures that reduce the impact of a risk once it materializes. It covers policies and procedures for responding to incidents, plans for restoring the company's operations after a disaster, and the actions the company will take should an attack or breach occur. The three main mitigation plans are:
Incident response plan: procedures for responding to any security incident, including the reporting structure and escalation procedures for critical incidents.
Business continuity plan: a plan for restoring normal modes of business operation with minimum cost and disruption to business activities following a disaster event.
Disaster recovery plan: plans and procedures for locating lost data and restoring services lost to an attack or disruption.
These controls come into play once an incident has already taken place. Mitigation consists of controls that keep losses to a minimum and steps that restore business operations after an interruption or disaster.

3. Transference involves shifting risk to another entity, process or organization. The most common transference strategies are outsourcing and purchasing controls (such as insurance); it may also mean deploying controls differently, using different applications, and so on.
Transference is chosen where the cost of implementing or developing the risk control in house exceeds the cost of obtaining the same benefit through outsourcing or insurance. It is also used when the organization lacks enough in-house staff proficient in risk management; in that case firms or individuals proficient in implementing and controlling risk management are hired as third-party contractors, and the management of complex systems is transferred to them.

4. Acceptance means making no attempt to protect the asset and absorbing the loss if it occurs. It is the absence of any control safeguarding the business and the organization from the exploitation of a vulnerability.
Acceptance should be resorted to only after a thorough feasibility analysis of the risk level, probability of occurrence and potential impact on the asset shows that the cost of implementing a control far exceeds the benefit the control would provide.
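The feasibility analysis that points 3 and 4 rely on (compare what a control costs with what it saves, and accept the risk when no control pays for itself) can be made concrete. The following is an added example written for this page, not code from the original post. It assumes the common quantitative inputs of asset value, exposure factor and annual rate of occurrence, which the post does not name explicitly, and every figure in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class RiskScenario:
    """A risk from one vulnerability, described by its potential impact and probability."""
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of the asset lost per occurrence (0.0 .. 1.0)
    annual_rate: float      # expected occurrences per year (probability of occurrence)

    def annual_expected_loss(self) -> float:
        # Assumed model: expected loss per year = value * exposure * rate.
        return self.asset_value * self.exposure_factor * self.annual_rate


@dataclass
class ControlOption:
    """One candidate control, tagged with the risk strategy it implements."""
    strategy: str           # "avoidance", "mitigation" or "transference"
    description: str
    annual_cost: float      # what the control costs per year
    residual_factor: float  # fraction of expected loss that remains with the control (0.0 .. 1.0)


def annual_benefit(scenario: RiskScenario, control: ControlOption) -> float:
    """Expected loss the control removes each year."""
    return scenario.annual_expected_loss() * (1.0 - control.residual_factor)


def net_benefit(scenario: RiskScenario, control: ControlOption) -> float:
    """Benefit minus cost; negative means the control costs more than it saves."""
    return annual_benefit(scenario, control) - control.annual_cost


def choose_strategy(scenario: RiskScenario,
                    options: List[ControlOption]) -> Tuple[str, float]:
    """Pick the option with the largest positive net benefit.

    Acceptance is the baseline with zero cost and zero benefit, so it wins
    whenever every control costs more than the loss it prevents.
    """
    best_strategy, best_net = "acceptance", 0.0
    for control in options:
        net = net_benefit(scenario, control)
        if net > best_net:
            best_strategy, best_net = control.strategy, net
    return best_strategy, best_net


# Constructed scenarios and control options (all numbers are illustrative).
CARD_DATA = RiskScenario("stored card data exposed", asset_value=2_000_000,
                         exposure_factor=0.4, annual_rate=0.1)   # expected loss 80,000 / year
LOW_VALUE = RiskScenario("internal wiki defaced", asset_value=5_000,
                         exposure_factor=0.5, annual_rate=0.2)   # expected loss 500 / year

OPTIONS = [
    ControlOption("avoidance", "stop storing card numbers (tokenize at capture)",
                  annual_cost=30_000, residual_factor=0.05),
    ControlOption("mitigation", "incident response and disaster recovery plans",
                  annual_cost=20_000, residual_factor=0.60),
    ControlOption("transference", "cyber insurance covering breach costs",
                  annual_cost=25_000, residual_factor=0.30),
]


if __name__ == "__main__":
    for scenario in (CARD_DATA, LOW_VALUE):
        strategy, net = choose_strategy(scenario, OPTIONS)
        print(f"{scenario.name}: expected loss {scenario.annual_expected_loss():,.0f}/year "
              f"-> {strategy} (net benefit {net:,.0f}/year)")
```

Run as a script, the card-data scenario selects avoidance (removing the data beats insuring or responding to its loss), while the low-value scenario falls through to acceptance because every option costs more than the 500 per year it could save. The residual factor is where the judgement goes: a transference option that leaves contractual or reputational loss behind should not be modelled as removing everything.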

1 comment:

  1. nice explanation and the page you have created seems to be very attractive to the clients