Homework Responses Week 2
When a risk assessment is completed, a final decision maker must ultimately take the information from that assessment and make a final determination on what to do with that risk. According to Smith and Brooks (2013), there are five traditional methods for addressing risk: reduce the risk, transfer the risk, avoid the risk, redistribute the risk, or accept the risk. The risk assessment helps in making this determination by listing how likely a threat is to occur as well as the criticality of an occurrence. A decision maker must then use this information to compare countermeasures with the costs involved as well as any necessary compliance regulations. Some risks will need to be mitigated with the implementation of physical security measures and policies, but in some cases the cost of an appropriate countermeasure may exceed that of the potential loss, and thus that risk may just be accepted.
The ISO 31000 Risk Management process consists of three distinct stages. The first stage involves establishing the context which establishes the parameters for the risk management process where risk will be identified, assessed, and mitigated. In this stage, the security manager would identify the internal and external environment of the organization, the objectives of the organization, identify stakeholders, and also determine what the assessment criteria will be and in what terms consequence will be measured.
The second stage involves conducting a risk assessment. In this step, the security manager will identify possible threats to the organization and determine how likely it is that each threat will occur. Consequences of a successful attack are identified, as well as how critical the loss would be to the organization if a threat were carried out. The security manager must conduct a vulnerability assessment of all existing countermeasures to help in determining likelihood and consequence. Finally, the security manager must list the threats beginning with those that would have the most devastating consequence to the organization, scaled down to the threat that poses the least critical consequence. The final stage is risk treatment. This is the stage where, as stated above, the security manager must make a determination of how the risk will be addressed, such as whether it will be mitigated with the implementation of countermeasures, spread out over various areas of the organization, transferred outside of the organization, avoided altogether, or simply accepted as “the cost of doing business”. These risks should be addressed in the order of criticality as defined in the final step of the risk assessment process.
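The scoring, ranking and cost comparison described in the two stages above, worked through as a small risk register. This is an added example and not from Smith and Brooks or ISO 31000; the 1 to 5 ordinal scales, the risk tolerance of 4, and the decision rule (accept within tolerance; reduce when the countermeasure costs no more than the potential loss; otherwise transfer if possible, else accept) are assumptions, and only three of the five treatments are decided automatically because "avoid" and "redistribute" depend on context the register does not capture.

```python
from dataclasses import dataclass

# The 1..5 ordinal scales are an assumption for this example: 1 (rare / negligible)
# to 5 (almost certain / catastrophic). A real programme defines its own criteria
# during the "establishing the context" stage.
@dataclass
class Threat:
    name: str
    likelihood: int            # 1..5, how likely the threat is to occur
    consequence: int           # 1..5, criticality of the loss if it occurs
    potential_loss: float      # estimated loss from one occurrence (currency units)
    countermeasure_cost: float # cost of the cheapest adequate countermeasure
    transferable: bool = False # whether the loss can be moved outside, e.g. insured

def risk_score(t: Threat) -> int:
    """Likelihood x consequence, the usual way a risk matrix combines the two."""
    return t.likelihood * t.consequence

def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Most devastating consequence first; likelihood breaks ties."""
    return sorted(threats, key=lambda t: (t.consequence, t.likelihood), reverse=True)

def treatment(t: Threat, tolerance: int = 4) -> tuple[str, str]:
    """Assumed decision rule mapping an assessed threat to a treatment and a reason."""
    if risk_score(t) <= tolerance:
        return "accept", "within risk tolerance"
    if t.countermeasure_cost <= t.potential_loss:
        return "reduce", "countermeasure costs no more than the potential loss"
    if t.transferable:
        return "transfer", "countermeasure too costly but the loss can be transferred"
    return "accept", "countermeasure cost exceeds potential loss"

def treatment_plan(threats: list[Threat]) -> list[tuple[str, int, str, str]]:
    """Ranked (name, score, action, reason) rows, i.e. the order risks get addressed."""
    return [(t.name, risk_score(t), *treatment(t)) for t in rank_threats(threats)]

# Constructed sample register for a physical-security context (not real data).
REGISTER = [
    Threat("Warehouse burglary", 4, 3, 50_000, 12_000),
    Threat("Graffiti on perimeter wall", 5, 1, 500, 20_000),
    Threat("River flood", 1, 5, 2_000_000, 3_000_000, transferable=True),
    Threat("Damage to signage", 2, 1, 300, 1_000),
]

if __name__ == "__main__":
    for name, score, action, reason in treatment_plan(REGISTER):
        print(f"{name:28} score={score:2}  {action:8} ({reason})")
```

Note that the graffiti threat has the highest likelihood yet is accepted, because the cheapest adequate countermeasure costs far more than the loss it prevents, which is exactly the cost-versus-loss judgement the text describes.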
References:
Smith, C., & Brooks, D. (2013). Security Science: The Theory and Practice of Security. Waltham, MA: Butterworth-Heinemann.