Evaluate and Recommend Controls

Step 10 in the recommended risk assessment process is "Evaluate and recommend controls to reduce or eliminate risk". This page expands on that step.

When the controls are evaluated, the benefits, costs, and cost savings of applying the controls both individually and in combination should be determined. There are several methods used to respond to risk. Options include:

  • Mitigate the risk with actions taken internally to reduce the impact or reduce the probability of the risk materializing.
  • Transfer the risk using a method such as an insurance policy.
  • Avoid the risk - Stop doing what causes the risk
  • Accept the risk - Determine a threshold or amount of risk your organization is willing to accept when mitigating actions are not sufficient or cost effective.
    • Identify where current controls or policies are not being followed.
    • Assess whether the current controls are adequate.
    • Determine whether more controls should be added.
    • Summarize action items.

This task should be performed by management and based upon recommendations from the technical staff. This step is a matter of deciding which controls are most cost effective and what the priorities of implementing them should be. When making these decisions, the degrees of confidence in the estimated risks should be considered. The effects of changes in assumptions or data should be considered.

Example

When risk probabilities and damage was estimated, one of the items was virus incidents as shown below.

ThreatLikelihoodObjects threat is againstTotal probabilityControl ReductionDamageEst. Annual Loss
Virus incidents15 percent per year40060 per yearUser education, block email dangerous attachments$100 to fix, $100 loss of productivity and 50% chance of loss of data valued at $500$27000

Two possible controls include:

  • Block dangerous file attachments - On one organization, this was done and virus incidents were cut back at least 80%. The drawback to this was that users needed to be informed of this change and educated as to the work around for sending files that they have a business requirement to send. It would also be a good practice to survey users before making the change to determine the types of files they send and receive in email attachments.
  • User education - This control may reduce virus incidents by around half since users will be wiser to the things virus creators do to trick them.

If we elect to implement only blocking of dangerous file attachments, costs may be as follows:

  • Survey users about virus attachments used - $2000
  • Educate 400 users for 1 hour each about a work around for attachments $25 times 400 = $10,000.
  • Make the change on the mail server to block dangerous file attachments (assuming a configuration change only). - $50

Total cost is $12,050 reducing virus incident probabilities per user from 15% to 3%. This reduces the total cost of virus incidences from $27,000 to $5,400 saving $21,600 per year. This produces a 179% yearly return on the $12,050 investment. This control is worth recommending based on the return.

Assuming we elect to try both controls, costs may be as follows:

  • Educate 400 users for 2 hours each about viruses and work around for attachments $50 times 400 = $20,000.
  • Create the course material and teach the course in 10 classes $1500.

Total cost is $21,500 reducing virus incident probabilities per user from 3% to 1.5%. This reduces the total cost of virus incidences from $5,400 (when already applying blocking dangerous file attachments) to $2,700 saving $2,700 per year. This produces a 12.6% yearly return on the $21,500 investment. The implementation of both controls is marginally worth recommending but the additional security benefit may make it worthwhile.