Explaining Risk
There are many ways to deal with risk. Risk can be shared, ignored, accepted, reduced, transferred, and avoided. In this post I will be documenting how to make risk avoidance decisions. As you read notice how risk avoidance decisions are very much like risk based decisions with the emphasis on what to avoid instead of what to accept.
Sharing Risk
Is when two organizations leverage the same infrastructure (such as an extranet or common control provider) and will both experience the same levels of damage should that infrastructure be compromised they are sharing the risk. In this scenario one, both, or neither work to achieve lowered risk levels.
Ignoring Risk
Ignoring risk is a choice and a lack of action. It is the result of denying a risk’s existence. It creates the same consequential vulnerability as accepting a risk but the potential legal, compliance, or responsibility protections.
Accepting Risk
When a risk is accepted the responsible stakeholder acknowledges the risk is present, the level of risk involved, and confirms a personal decision to accept responsibility for the risk. Accepting a risk can potentially have legal, regulatory, and/or fiduciary nuances and burdens.
Reducing Risk
Once risk has been acknowledged steps may be taken to reduce the risk to a level which is comfortably acceptable. For risk to be reduced it needs to be discovered, acknowledged, and contracted in severity to other risks.
Transferring Risk
The transference of risk is most commonly associated with insurance. Car insurance is a good example. If your vehicle slides on ice and destroys a stop sign, another vehicle, or someone’s foot you don’t pay for the damage, your insurance does. The risk of financial loss is supposed to be the insurance prover’s not yours.
Risk Avoidance
Risk avoidance is acknowledging that risks exist, determine which risks exist before taking action or procuring goods and choosing a different option if the risk is too great or unknown. Let’s dive a little deeper into risk avoidance.
Risk Avoidance in Detail
When it comes to risk avoidance there are certain steps which should be undertaken. Some may even say there is a risk avoidance lifecycle for every decision anyone makes. For our purposes we will define the risk avoidance life cycle by the following phases or steps: decision point, choice branching, risk enumeration, risk quantification, risk avoidance decision. This risk life cycle can be (and already is) applied to the various SDLC phases from procurement to destruction/deletion.
Decision Point
The decision point is a point in time where the need for a future decision is first realized. This is the point in time where an event is going to happen but no plans have been made to respond to that event. A good example of this would be the upcoming expiration of a software product. The software licenses will expire and no-one has decided what to do about that fact.
Choice Branching
Choice branching is the enumeration of reasonable responses that may be considered as responses to the event. If the software licenses expire a company could renew the licenses, continue using the software but in an unlicensed way, purchase different software, or remove the software.
Risk Avoidance Quantification
Once the choices are quantified the major risks must be enumerated for each risk branch. The quantifications are designed to be comparative and not discrete numerical values. To renew the licenses would cost a large amount of capital and lock the organization into an extended contract with an unresponsive vendor. If we use unlicensed software we could face legal challenges as well as potential compromises as unlicensed software doesn’t receive patches. Purchasing new software requires research, purchasing, installation, and personnel training. Removing the software would prohibit personnel from successfully meeting their job requirements.
Risk Avoidance Decision
Decision time comes down to what should not be done. Employees need to be able to do their jobs so we need software. Risking a breach and/or lawsuit is unreasonable so licensed software is required. Is the lack of responsiveness from the vendor a great enough burden to procure and implement a new solution. At this time it appears the current solution has caused 150 hours of downtime due to service provider unresponsiveness and costs $xxxxx. The anticipate training for a new solution will require 65 hours of training and cost $xxxxx. The additional 85 hours of downtime must be avoided so a new software solution must be procured.
Risk Avoidance Applied to SDLC Phases
Which SDLC?
For the purposes of this post the NIST SDLC will be used. There is a reference to the publication at the very bottom of this post. The NIST defined SDLC containes the following five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset/disposal. Each will be considered using the risk avoidance life cycle.
Initiation Phase Risk Avoidance
In the initiation phase someone or a group states they need a new system or software and state the reasons for the need. Using risk avoidance the decision makers determine they are required to make a decision. They evaluate the options which may include training personnel to use an already existing solution, having duplicate systems, denying the request, or approving the request. They may then determine the risk posed by disgruntled employees outweighs other risks then issue a decision to approve the request.
Acquisition or Development
At a high level, this is the phase in which the system is created or purchased. Risk avoidance decisions at this phase may at a high level include how much risky it would be to duplicate and modify an existing system, internally create a new system, externally create a new system, purchase a prefabricated system. At a lover level the risk avoidance may include details about which vendors not to use, which hardware not to use, which security mechanisms, processes, and procedures to prohibit.
Implementation and Assessment
This SDLC phase is all about the installation and testing of the new system. From a risk avoidance perspective this step is all about what not to connect the new system to, what software not to install, and which setting should not be implemented. This step is highly detailed and requires broad knowledge because you can’t determine what settings, software, and hardware should be prohibited unless you know what is possible. This can be simplified by using the ‘white listing’ security control.
Operations and Maintenance
This stage of NIST’s SDLC is the one in which the system is actually performing its intended function and is being updated and patched. Risk avoidance in this stage may be associated with deciding is applying nee patches is riskier than staying one or more patch cycles behind the current patch level, if new system connections should be avoided, or if certain software or hardware component vendors should be prohibited when replacing system components or subcomponents.
Sunsetting/Disposal
This phase of the NIST SDLC deals with the decommissioning and disposal of the system. Risk avoidance at this stage may be used to determine if it is riskier to remove the system in its entirety or in ohases, to replace the system with a new one or deprecate the system’s purpose and/or functionality, if internal or external personnel should ensure deletion of data snd/or destruction of components, if data or components should be destroyed, discarded, or reused just to name a few considerations.
Risk Avoidance Conclusions
Traditional risk based decisions focus on which decision is the best one for the context and environment. Risk avoidance decision making focuses on determining which decision is the least costly or destructive to the environment. Not all risk avoidance outcomes cost money. Sometimes the biggest and best is a greater risk due to financial strain than implementing a less expensive solution that is slightly more cumbersome on personnel hours. Risk avoidance techniques can be integrated into every step of the SDLC to eliminate the most risky decisions before risk reducing actions, steps, solutions are implemented or other risk responses are taken. Risk avoidance is ensuring risks are known before decisions are made then choosing the least corrosive option, it is not an ostrich with it’s head in the sand.
Reference Link:
NIST SDLC Publication
https://www.nist.gov/publications/system-development-life-cycle-sdlc