Understanding Risk Responses With Redback Spider
Core CISSP Exam Concept
Risk is everywhere.
Being single is a risk of loneliness and depression. Being in a live-in relationship is a risk of an uncertain future. Being married is a risk of missing bachelorhood.
You can never eliminate risk; you can only reduce it to an accepted level.
Australia appears more often than any other country in top-10 lists of the deadliest animals: White Shark, Tiger Snake, Stonefish, Box Jellyfish, and Saltwater Crocodile. For the sake of this article, I will focus on the Redback spider.
Understanding risk responses is one of the most critical CISSP concepts you will ever learn. You are already applying risk responses in your day-to-day life.
Please switch off your logical-reasoning mind and any gender bias for five minutes. The analogies below are elaborated to explain the concept with humour, not to make literal sense.
Let’s Hike
You are on your favourite hiking track with your girlfriend. The circuit is 7 km with medium to high difficulty.
1. Risk Mitigation
Risk reduction is the choice to go ahead despite the danger while taking precautions to keep the Redback spider away, such as carrying an emergency first-aid kit and an ice pack and wearing long pants, gloves and shoes.
Applying safeguards means implementing security controls. They reduce the risk to a reasonable level; however, some risk remains (residual risk). What if the Redback bites you on the neck or ear?
Only mitigate the risk when the cost of the reduction is lower than the benefit gained.
The cost of security countermeasures must make sense from the business perspective.
2. Risk Avoidance
Risk avoidance is a wise choice. Why risk your life when the danger is known?
Indeed, the ocean panorama at the end of the 7 km would give you a magnificent view, but is it worth it?
Can you take an alternative 3 km trail instead? It won't challenge your fitness or give the best scenery, but there is no danger sign board on it.
In a business context, a solution may cost 30% less than other vendors' offerings, but is it worth risking the organization's reputation and a high possibility of sensitive data leakage?
No.
Avoid the risk when the cost of mitigating it or of accepting it is higher than the benefit gained.
The best way to deal with such a risk is to avoid it. Consider alternatives that achieve the same, similar, or otherwise desired outcomes.
3. Risk Assignment
You are scared of the spider, but your girlfriend researches Redback spiders; dealing with such dangerous creatures is her day-to-day work. You decide to sit in the car, if you don't mind, and let her do the hiking and take that panoramic ocean photo for you.
You have just transferred the risk!
Risk transfer is a clever choice.
We assign risk when we purchase car or health insurance. None of us will have a road accident or a heart attack every day, but we still buy the insurance for peace of mind.
It is best to transfer the risk when the likelihood is low but the potential impact is high.
Most on-premises applications are migrating to cloud SaaS (Software-as-a-Service). At its core, this is a large transfer of risk away from the business.
4. Risk Acceptance
You don't give a damn about the Redback spider because you are an adrenaline junkie. You are aware of the consequences, and you are ready to fight.
It's about your risk tolerance. There are circumstances where businesses are aware of the risk but still give the green light to go ahead. Acting on risk appetite certainly requires a thorough cost/benefit analysis before accepting the risk.
Accept the risk when both the risk and the exposure are low.
That is what applies in the real world. Businesses don't run on adrenaline; they run on numbers and reputation.
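The selection rules in sections 1 to 4 (mitigate when the reduction costs less than the benefit, avoid when every treatment costs more than the activity is worth, transfer when likelihood is low but impact is high, accept when risk and exposure are low) can be carried through with the CISSP cost/benefit arithmetic: ALE = SLE x ARO, and a safeguard's value = ALE before - ALE after - annual cost of the safeguard. The following is an added example, not code from the article; the dollar figures, the `appetite` threshold, the `premium` and the `activity_benefit` parameter are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """Quantified risk: SLE (dollars per incident) and ARO (incidents per year)."""
    name: str
    sle: float
    aro: float

    def ale(self) -> float:
        """Annualised loss expectancy: the yearly cost of doing nothing."""
        return self.sle * self.aro

@dataclass
class Safeguard:
    """A control that lowers the ARO at an annual cost; residual risk remains."""
    name: str
    annual_cost: float
    aro_after: float

def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net yearly value of a control: ALE before - ALE after - control cost.
    Positive means the reduction costs less than the loss it prevents."""
    return risk.ale() - risk.sle * sg.aro_after - sg.annual_cost

def choose_response(risk: Risk, sg: Safeguard, premium: float,
                    appetite: float, activity_benefit: float) -> str:
    """Apply the four rules in order. appetite: largest ALE the business simply
    carries; premium: yearly cost of transferring the loss (insurance, SaaS
    contract); activity_benefit: yearly value of going ahead at all."""
    if risk.ale() <= appetite:
        return "accept"                 # risk and exposure are low
    options = {}                        # treatment -> yearly cost to the business
    if safeguard_value(risk, sg) > 0:   # reduction cheaper than the benefit
        options["mitigate"] = sg.annual_cost + risk.sle * sg.aro_after
    if premium < risk.ale():            # carrying it costs more than the premium
        options["transfer"] = premium
    if not options or min(options.values()) > activity_benefit:
        return "avoid"                  # every treatment costs more than the activity is worth
    return min(options, key=options.get)

# Constructed scenario (assumed figures): sensitive-data leak via a new SaaS integration.
LEAK = Risk("sensitive data leak", sle=500_000, aro=0.05)                  # ALE = 25,000
DLP = Safeguard("data loss prevention", annual_cost=10_000, aro_after=0.01)

if __name__ == "__main__":
    print(safeguard_value(LEAK, DLP))                          # 10000.0
    print(choose_response(LEAK, DLP, premium=20_000,
                          appetite=5_000, activity_benefit=200_000))  # mitigate
```

Raising `appetite` above the ALE flips the answer to "accept", and lowering `activity_benefit` below the cheapest treatment flips it to "avoid", which is the numbers-and-reputation reasoning the text describes.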
5. Risk Deterrence
You see the warning sign below at the entrance of the trail. It's a passive risk response: it lets people know about the possibility of dangerous spiders before they hike.
Security measures such as patch management policies, CCTV cameras, and security guards are examples of risk deterrence.
6. Risk Rejection
You ignore the danger signs and decide to hike without the required protection. Risk rejection is a foolish choice in which you hope nothing will happen. However, there is always a price for such ignorance.
More than 90% of cyberattacks are the result of rejecting the risk:
- Not having a patch and change management policy
- Clicking on email links
- Not having a complex password policy
Many CISSP core concepts are not limited to the exam and to technology; you can also apply them to life.
When you start connecting study concepts with real-life situations, the knowledge becomes a perspective.
During the last summer holiday, my son said, “I don’t want to go on that giant roller coaster. Let’s go to Junior one.”
What kind of risk response can you think of? Please write in the comment section.
If you enjoyed this article, follow me on my blog Dave On Cyber and subscribe to the newsletter to get notified.