
2/2/22, 5:25 PM Risk Management Process

https://leocontent.umgc.edu/content/scor/uncurated/cca/2218-cca610/learning-topic-list/risk-management-process.html?ou=622270

Learning Topic

Risk Management Process

Risk management is an integral part of an organization's governance structure. The figure below illustrates a generic risk management process that can be used to manage risk at the organization level. This process is described in general terms in ISO Standard 31000 and is used in the National Institute of Standards and Technology's (NIST) Special Publication 800-39 to describe the process of managing security risks associated with information and information systems (NIST, 2011). This risk management process is focused upon identifying and managing risks to the organization as a whole. The four elements of this risk management process (frame, assess, respond, monitor) are discussed in the sections that follow.

[Figure: Organizational-Level Risk Management Process]

Frame


Risk framing is a business process that uses organizational context (the problem frame) to guide the identification and categorization of risks to assets. Risk framing categorizes risks according to the type of asset, the source of the risk to that asset (the threat), and the vulnerability of the asset to that threat. It is usually the first step in the risk management process.

Risk sources are divided into two categories: opportunities and threats. The opportunity category is used primarily to frame risks in project management risk analyses and in financial analyses (investment planning). Security risks are usually expressed in terms of threats to assets and are further categorized by the type of threat.

Risks may also be identified using information from published lists and databases of known threats and vulnerabilities for specific hardware and software products. Authoritative vulnerability identification and description information can be obtained from NIST (the National Vulnerability Database), the Department of Defense (the Defense Information Systems Agency), the Department of Homeland Security (US-CERT), and the MITRE Corporation (a government contractor that maintains the CVE list of publicly disclosed vulnerabilities).

Assess

Risk assessment is a business process used to evaluate and rank the risks identified in the framing process. The output of the risk assessment process is a risk register containing an entry for each individual risk together with its associated risk metrics (typically an estimate of likelihood and of impact). Risk assessment may be quantitative or qualitative. Quantitative risk assessments use statistical techniques to analyze data from simulations, experiments, and threat models. Qualitative risk assessments rely on expert opinion and judgment. Both types of assessment may use historical information obtained from documents and reports.

Respond

Organizations use four types of risk response strategies:

acceptance
avoidance
transfer
mitigation

When a strategy is applied to a specific risk, it is referred to as a risk treatment.


We will discuss each of the four types of risk response strategies below.

Acceptance has two forms. For opportunity-based risks, an organization accepts the risk in the expectation of a beneficial or profitable outcome. This form of acceptance usually involves a deliberate action (e.g., a signature on a memorandum) that authorizes acceptance of the risk. For threat-based risks, an organization accepts a risk when the cost of taking action to prevent harm exceeds the expected cost of doing nothing. This form of acceptance may be either de facto (through no action) or de jure (formally approved or agreed to by an oversight group).

Avoidance occurs when an organization makes a deliberate decision to avoid the circumstances or situations in which a risk could arise. For example, after reviewing an opportunity to invest in a new security technology, a venture capitalist could determine that the potential payoff is too low compared to other uses of the money and decide not to invest in the security technology. Not making the investment is an avoidance strategy.

Transfer is accomplished by shifting responsibility for the outcome of a risk to another organization. Two common types of transfer strategy are insurance and outsourcing. Cyber insurance is purchased to protect an organization from financial losses resulting from cyber attacks. Outsourcing transfers financial responsibility for specific risks as part of a service-level agreement or other form of contract for services. Transfer shifts the financial consequences of a risk, not the owner's accountability for it: under US law, ultimate responsibility for harm or loss to information and information systems remains with the owners of those assets and cannot be transferred to an outside organization.

Mitigation is the most complex of the four risk response strategies. This strategy requires that organizations identify specific actions, processes, and technologies that can be used to lessen the likelihood or the impact of a risk. Some mitigation measures focus on reducing vulnerabilities in assets (e.g., patching software), while others lower the probability of occurrence (e.g., deploying antivirus software to detect and block malware before an infection occurs). Most security controls are intended as risk mitigation measures.

References

National Institute of Standards and Technology (NIST). (2011, March). Special Publication 800-39: Managing information security risk: Organization, mission, and information system view. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf


© 2022 University of Maryland Global Campus
