Use a Risk-based Approach

Learn how an organization reduces security risk by identifying potential threats and deciding which ones to address first.

Overview

A risk-based approach is the clearest way to set our goals as we move forward. Focus first on the risks to the organization. Once we have a list of risks, we rank it by severity, which tells us what to work on first.

Risk gathering

Some questions to ask during the risk gathering process include:

  • What are the biggest threats?

  • What does the organization value most?

  • What kind of attack would be the most damaging to the organization?

By answering these questions, we can focus our resources on the highest priority items.

Identify high-priority items

If everything’s a priority, then nothing’s a priority. There’s a concept called the defender’s dilemma: the defender has to protect every point of a system, yet an attacker only has to find one exploitable weakness to succeed. Because not every possible point of attack can be fully protected, risk management helps identify the most critical points that must be defended. Given resource constraints, it’s nearly impossible to fortify every aspect of an organization. A more practical approach is to estimate where controls would reduce risk the most and apply them there first.

Residual risk

Another concept to be aware of is residual risk. When security controls are applied, the risk is reduced but rarely eliminated. The risk that remains after applying these controls is what we call residual risk. We should continually work to reduce residual risk until it is at a level the organization is willing to accept, and then keep checking that it stays there as threats and systems change.
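The following worked example, added here and not part of the original lesson, shows how the two ideas above (prioritizing by severity and tracking residual risk) turn into something you can actually run. It uses a 5x5 likelihood-by-impact scale and treats each control as removing a fixed fraction of the risk it covers; both are assumptions for the example, as is the sample risk register, which is constructed rather than taken from any real organization. The `rank_candidates` step goes slightly beyond the text: it ranks proposed controls by residual-risk reduction per unit of cost, which is the “apply controls where we gain the most” rule from the section above made explicit.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Scales are assumptions for this example: a common 5x5 matrix where
# likelihood and impact each run 1..5 and inherent risk is their product.


@dataclass
class Control:
    name: str
    reduction: float  # fraction of risk removed, 0.0..1.0 (assumed effectiveness)


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after each applied control removes its share."""
        remaining = float(self.inherent())
        for c in self.controls:
            remaining *= 1.0 - c.reduction
        return round(remaining, 2)


@dataclass
class Candidate:
    control: Control
    target: str   # name of the Risk this control would be applied to
    cost: float   # relative cost units (assumed)


def prioritize(risks: List[Risk], appetite: float) -> List[Tuple[str, float, bool]]:
    """Rank risks by residual score, flagging those still above risk appetite."""
    ranked = sorted(risks, key=lambda r: r.residual(), reverse=True)
    return [(r.name, r.residual(), r.residual() > appetite) for r in ranked]


def rank_candidates(risks: List[Risk], candidates: List[Candidate]) -> List[Tuple[str, float]]:
    """Rank proposed controls by residual-risk reduction per unit of cost."""
    by_name = {r.name: r for r in risks}
    scored = []
    for cand in candidates:
        risk = by_name[cand.target]
        reduction = risk.residual() * cand.control.reduction
        scored.append((cand.control.name, round(reduction / cand.cost, 2)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register for the example (not real data).
REGISTER = [
    Risk("Ransomware via phishing", likelihood=4, impact=5,
         controls=[Control("MFA on email", 0.5), Control("EDR on endpoints", 0.5)]),
    Risk("Credential theft from unprotected workstations", likelihood=3, impact=4),
    Risk("Password reuse after forced daily rotation", likelihood=4, impact=3,
         controls=[Control("Password complexity policy", 0.2)]),
    Risk("Data center flood", likelihood=1, impact=5,
         controls=[Control("Off-site backups", 0.6)]),
]

# Constructed candidate controls the team could fund next.
CANDIDATES = [
    Candidate(Control("Full-disk encryption and screen lock", 0.7),
              target="Credential theft from unprotected workstations", cost=2),
    Candidate(Control("Password manager rollout", 0.5),
              target="Password reuse after forced daily rotation", cost=3),
    Candidate(Control("Second EDR vendor", 0.3),
              target="Ransomware via phishing", cost=5),
]

RISK_APPETITE = 6.0  # assumed threshold the organization is willing to accept


if __name__ == "__main__":
    print("Residual risk, highest first:")
    for name, residual, above in prioritize(REGISTER, RISK_APPETITE):
        flag = "ABOVE APPETITE" if above else "accepted"
        print(f"  {residual:5.1f}  {name}  [{flag}]")
    print("Next control to fund (reduction per cost unit):")
    for name, score in rank_candidates(REGISTER, CANDIDATES):
        print(f"  {score:5.2f}  {name}")
```

Note that the unprotected-workstation risk sorts to the top purely because nothing has been applied to it yet, while the daily-rotation risk stays above appetite even with a policy in place: that leftover score is the residual risk the section describes, and the ranking of candidates is how you decide which of those two to spend on first.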

Quiz

Q

(Select all that apply.) Which of the following is an example of residual risk?

A) The risk of employees simply incrementing a counter value appended to the previous password when the company password policy requires changing the password every day

B) The risk of data theft when a company doesn’t protect its computers with passwords

C) The risk of injury when you’re not using a seatbelt

D) The risk of injury when you’re using a seatbelt