2.2 Risk management in practice
Having analysed the situation, the next stage is to decide what to do about the risks.
For each risk to be managed, we need to identify what cost-effective countermeasures can be applied. Possible countermeasures are:
- Avoiding the risk – avoidance would mean stopping the activity that is causing the risk. For example, deleting all banking information and unsubscribing from internet banking would avoid the risks associated with the information assets related to banking.
- Modifying the risk (likelihood and/or impact) – this involves choosing and implementing a security mechanism that reduces the likelihood of a successful attack, or the impact that would result from such an attack. For example, installing an up to date antivirus application can prevent the attacker from using malware to gain access to the computer holding the internet banking information.
- Transferring the risk to others – typically involves taking out insurance to cover any losses in the event the threat materialises.
- Accepting the risk – would mean choosing not to implement any of these countermeasures, choosing instead to monitor the information asset for any attacks.
Consider risks identified in the qualitative risk analysis. Choose one of your information assets and decide on which countermeasures you would apply in this case.