Responding to Risk
Risk response identifies, evaluates, decides on, and implements appropriate courses of action to accept, avoid, mitigate, share, or transfer risk to organizational operations and assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. Identifying and analyzing alternative courses of action63 typically occurs at Tier 1 or Tier 2. This is due to the fact that alternative courses of action (i.e., potential risk responses) are evaluated in terms of anticipated organization-wide impacts and the ability of organizations to continue to successfully carry out organizational missions and business functions. Decisions to employ risk response measures organization-wide are typically made at Tier 1, although the decisions are informed by risk-related information from the lower tiers. At Tier 2, alternative courses of action are evaluated in terms of anticipated impacts on organizational missions/business functions, the associated mission/business processes supporting the missions/business functions, and resource requirements. At Tier 3, alternative courses of action tend to be evaluated in terms of the system development life cycle or the maximum amount of time available for implementing the selected course(s) of action. The breadth of potential risk responses is a major factor for whether the activity is carried out at Tier 1, Tier 2, or Tier 3. Risk decisions are influenced by organizational risk tolerance developed as part of risk framing activities at Tier 1. Organizations can implement risk decisions at any of the risk management tiers with different objectives and utility of information produced.
Step 3: Risk Response
Inputs and Preconditions
Inputs from the risk assessment and risk framing steps include:
(i) identification of threat sources and threat events;
(ii) identification of vulnerabilities that are subject to exploitation;
(iii) estimates of potential consequences and/or impact if threats exploit vulnerabilities;
(iv) likelihood estimates that threats exploit vulnerabilities;
(v) a determination of risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
(vi) risk response guidance from the organizational risk management strategy; and
(vii) the general organizational directions and guidance on appropriate responses to risk.
In addition to the risk assessment and risk framing steps, the risk response step can receive inputs from the risk monitoring step (e.g., when organizations experience a breach or compromise to their information systems or environments of operation that require an immediate response to address the incident and reduce additional risk that results from the event). The risk response step can also receive inputs from the risk framing step (e.g., when organizations are required to deploy new safeguards and countermeasures in their information systems based on security requirements in new legislation or OMB policies). The risk framing step also directly shapes the resource constraints associated with selecting an appropriate course of action. Additional preconditions established at the risk framing step may include: (i) constraints based on architecture and previous investments; (ii) organizational preferences and tolerances; (iii) the expected effectiveness at mitigating risk (including how effectiveness is measured and monitored); and (iv) the time horizon for the risk (e.g., current risk, projected risk—that is, a risk expected to arise in the future based on the results of threat assessments or a planned changes in missions/business functions, enterprise architecture (including information security architecture), or aspects of legal or regulatory compliance).
- Risk Response Identification
- Evaluations and Alternatives
- Risk Response Decision
- Risk Response Implementation
Task 3-1: Identify assumptions that affect how risk is assessed, responded to, and monitored within the organization.
Supplemental Guidance: Organizations that identify, characterize, and provide representative examples of threat sources, vulnerabilities, consequences/impacts, and likelihood determinations promote a common terminology and frame of reference for comparing and addressing risks across disparate mission/business areas. Organizations can also select appropriate risk assessment methodologies, depending on organizational governance, culture, and how divergent the missions/business functions are within the respective organizations. For example, organizations with highly centralized governance structures might elect to use a single risk assessment methodology. Organizations with hybrid governance structures might select multiple risk assessment methodologies for Tier 2, and an additional risk assessment methodology for Tier 1 that assimilates and harmonizes the findings, results, and observations of the Tier 2 risk assessments. Alternatively, when autonomy and diversity are central to the organizational culture, organizations could define requirements for the degree of rigor and the form of results, leaving the choice of specific risk assessment methodologies to mission/business owners.
Risk acceptance is the appropriate risk response when the identified risk is within the organizational risk tolerance. Organizations can accept risk deemed to be low, moderate, or high depending on particular situations or conditions. For example, organizations with data centers residing in the northeastern portion of the United States may opt to accept the risk of earthquakes based on known likelihood of earthquakes and data center vulnerability to damage by earthquakes. Organizations accept the fact that earthquakes are possible, but given the infrequency of major earthquakes in that region of the country, believe it is not cost-effective to address such risk—that is, the organizations have determined that risk associated with earthquakes is low. Conversely, organizations may accept substantially greater risk (in the moderate/high range) due to compelling mission, business, or operational needs. For example, federal agencies may decide to share very sensitive information with first responders who do not typically have access to such information due to time-sensitive needs to stop pending terrorist attacks, even though the information is not itself perishable with regard to risk through loss of confidentiality. Organizations typically make determinations regarding the general level of acceptable risk and the types of acceptable risk with consideration of organizational priorities and trade-offs between:
(i) near-term mission/business needs and potential for longer-term mission/business impacts; and
(ii) organizational interests and the potential impacts on individuals, other organizations, and the Nation.
Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk tolerance. Organizations may conduct certain types of activities or employ certain types of information technologies that result in risk that is unacceptable. In such situations, risk avoidance involves taking specific actions to eliminate the activities or technologies that are the basis for the risk or to revise or reposition these activities or technologies in the organizational mission/business processes to avoid the potential for unacceptable risk. For example, organizations planning to employ networked connections between two domains, may determine through risk assessments that there is unacceptable risk in establishing such connections. Organizations may also determine that implementing effective safeguards and countermeasures (e.g., cross-domain solutions) is not practical in the given circumstances. Thus, the organizations decide to avoid the risk by eliminating the electronic or networked connections and employing an “air gap” with a manual connection processes (e.g., data transfers by secondary storage devices).
Risk mitigation, or risk reduction, is the appropriate risk response for that portion of risk that cannot be accepted, avoided, shared, or transferred. The alternatives to mitigate risk depend on:
(i) the risk management tier and the scope of risk response decisions assigned or delegated to organizational officials at that tier (defined by the organizational governance structures); and
(ii) the organizational risk management strategy and associated risk response strategies.
The means used by organizations to mitigate risk can involve a combination of risk response measures across the three tiers. For example, risk mitigation can include common security controls at Tier 1, process re-engineering at Tier 2, and/or new or enhanced management, operational, or technical safeguards or countermeasures (or some combination of all three) at Tier 3. Another example of a potential risk requiring mitigation can be illustrated when adversaries gain access to mobile devices (e.g., laptop computers or personal digital assistants) while users are traveling. Possible risk mitigation measures include, for example, organizational policies prohibiting transport of mobile devices to certain areas of the world or procedures for users to obtain a clean mobile device that is never allowed to connect to the organizational networks.
Risk Share or Transfer
Risk sharing or risk transfer is the appropriate risk response when organizations desire and have the means to shift risk liability and responsibility to other organizations. Risk transfer shifts the entire risk responsibility or liability from one organization to another organization (e.g., using insurance to transfer risk from particular organizations to insurance companies). Risk sharing shifts a portion of risk responsibility or liability to other organizations (usually organizations that are more qualified to address the risk). It is important to note that risk transfer reduces neither the likelihood of harmful events occurring nor the consequences in terms of harm to organizational operations and assets, individuals, other organizations, or the Nation. Risk sharing may be a sharing of liability or a sharing of responsibility for other, adequate risk responses such as mitigation. Therefore, the concept of risk transfer is less applicable in the public sector (e.g., federal, state, local governments) than the private sector, as liability of organizations is generally established by legislation or policy. As such, self-initiated transfers of risk by public sector organizations (as typified by purchasing insurance) are generally not possible. Risk sharing often occurs when organizations determine that addressing risk requires expertise or resources that are better provided by other organizations. For example, an identified risk might be the physical penetration of perimeters and kinetic attacks by terrorist groups. The organization decides to partner with another organization sharing the physical facility to take joint responsibility for addressing risk from kinetic attacks.
Task 2-2: Evaluate alternative courses of action for responding to risk.
Supplemental Guidance: The evaluation of alternative courses of action can include:
(i) the expected effectiveness in achieving desired risk response (and how effectiveness is measured and monitored); and
(ii) anticipated feasibility of implementation, including, for example, mission/business impact, political, legal, social, financial, technical, and economic considerations.
Economic considerations include costs throughout the expected period of time during which the course of action is followed (e.g., cost of procurement, integration into organizational processes at Tier 1 and/or Tier 2, information systems at Tier 3, training, and maintenance). During the evaluation of alternative courses of action, trade-offs can be made explicit between near-term gains in mission/business effectiveness or efficiency and long-term risk of mission/business harm due to compromise of information or information systems that are providing this near-term benefit. For example, organizations concerned about the potential for mobile devices (e.g., laptop computers) being compromised while employees are on travel can evaluate several courses of action including:
(i) providing users traveling to high-risk areas with clean laptops;
(ii) removing hard drives from laptops and operate from CDs or DVDs; or
(iii) having laptops go through a detailed assessment before being allowed to connect to organizational networks.
The first option is highly effective as returning laptops are never connected to organizational networks. While the second option ensures that hard drives cannot be corrupted, it is not quite as effective in that it is still possible that hardware devices (e.g., motherboards) could have been compromised. The effectiveness of the third option is limited by the ability of organizations to detect potential insertion of malware into the hardware, firmware, or software. As such, it is the least effective of the three options. From a cost perspective, the first option is potentially the most expensive, depending upon the number of travelers (hence number of travel laptops) required. The second and third options are considerably less expensive. From a mission and operational perspective, the third option is the best alternative as users have access to standard laptop configurations including all applications and supporting data needed to perform tasks supporting missions and business functions. Such applications and data would not be available if the first or second option is selected. Ultimately, the evaluation of courses of action is made based on operational requirements, including information security requirements, needed for near and long term mission/business success. Budgetary constraints, consistency with investment management strategies, civil liberties, and privacy protection, are some of the important elements organizations consider when selecting appropriate courses of action. In those instances where organizations only identify a single course of action, then the evaluation is focused on whether the course of action is adequate. If the course of action is deemed inadequate, then organizations need to refine the identified course of action to address the inadequacies or develop another course of action.
In summary, a risk verses risk-response trade-off is conducted for each course of action to provide the information necessary for:
(i) selecting between the courses of action; and
(ii) evaluating the courses of action in terms of response effectiveness, costs, mission/business impact, and any other factors deemed relevant to organizations.
Part of risk versus risk-response trade-off considers the issue of competing resources. From an organizational perspective, this means organizations consider whether the cost (e.g., money, personnel, time) for implementing a given course of action has the potential to adversely impact other missions or business functions, and if so, to what extent. This is necessary because organizations have finite resources to employ and many competing missions/business functions across many organizational elements. Therefore, organizations assess the overall value of alternative courses of action with regard to the missions/business functions and the potential risk to each organizational element. Organizations may determine that irrespective of a particular mission/business function and the validity of the associated risk, there are more important missions/business functions that face more significant risks, and hence have a better claim on the limited resources.
Task 3-3: Decide on the appropriate course of action for responding to risk.
Supplemental Guidance: Decisions on the most appropriate course of action include some form of prioritization. Some risks may be of greater concern than other risks. In that case, more resources may need to be directed at addressing higher-priority risks than at other lower-priority risks. This does not necessarily mean that the lower-priority risks would not be addressed. Rather, it could mean that fewer resources might be directed at the lower-priority risks (at least initially), or that the lower-priority risks would be addressed at a later time. A key part of the risk decision process is the recognition that regardless of the decision, there still remains a degree of residual risk that must be addressed. Organizations determine acceptable degrees of residual risk based on organizational risk tolerance and the specific risk tolerances of particular decision makers. Impacting the decision process are some of the more intangible risk-related concepts (e.g., risk tolerance, trust, and culture). The specific beliefs and approaches that organizations embrace with respect to these risk-related concepts affect the course of action selected by decision-makers.
Task 3-4: Implement the course of action selected to respond to risk.
Supplemental Guidance: Once a course of action is selected, organizations implement the associated risk response. Given the size and complexity of some organizations, the actual implementation of risk response measures may be challenging. Some risk response measures are tactical in nature (e.g., applying patches to identified vulnerabilities in organizational information systems) and may be implemented rather quickly. Other risk response measures may be more strategic in nature and reflect solutions that take much longer to implement. Therefore, organizations apply, and tailor as appropriate to a specific risk response course of action, the risk response implementation considerations in the risk response strategies (part of the risk management strategy developed during the risk framing step).
Outputs and Post Conditions
The output of the risk response step is the implementation of the selected courses of action with consideration for:
(i) individuals or organizational elements responsible for the selected risk response measures and specifications of effectiveness criteria (i.e., articulation of indicators and thresholds against which the effectiveness of risk response measures can be judged);
(ii) dependencies of each selected risk response measure on other risk response measures;
(iii) dependencies of selected risk response measures on other factors (e.g., the implementation of other planned information technology measures);
(iv) timeline for implementation of risk response measures;
(v) plans for monitoring the effectiveness of risk response measures; (vi) identification of risk monitoring triggers; and
(vii) interim risk response measures selected for implementation, if appropriate.
There are also ongoing communications and sharing of risk-related information with individuals or organizational elements impacted by the risk responses (including potential actions that may need to be taken by the individuals or organizational elements).
In addition to the risk monitoring step, outputs from the risk response step can be useful inputs to the risk framing and risk assessment steps. For example, it is possible that the analysis occurring during the evaluation of alternative courses of action may call into question some aspects of the risk response strategy that is part of the risk management strategy generated during the risk framing step. In such instances, organizations use that information to inform the risk framing step with appropriate actions taken to revisit the risk management strategy and its associated risk response strategy. Organizations might also determine during the evaluation of alternative courses of action for risk response, that some aspects of the risk assessments are incomplete or incorrect. This information can be used to inform the risk assessment step possibly resulting in further analysis or reassessments of risk.
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View