What are the approaches of Risk Analysis in Information Security?

A risk treatment plan should be recognized for all risks identified. Identified risk can be and is generally managed by several approaches such as Risk transfer, risk avoidance, risk reduction and risk acceptance.

Risk Acceptance − Risk acceptance is called by the name of risk retention. It is easily accepting the identified risk without creating any measures to avoid loss or the probability of the risk happening. It contains a decision by management to accept a given risk without more mitigation or transfer, for a period of time.

This appears in two classes of circumstances. For risks that are too low to bother protecting against or for which insurance and due alertness are acceptable, risk is accepted. For risks that are to be mitigated but where mitigation cannot be completed instantaneously or for which fast mitigation is too expensive to warrant, risks are accepted for periods during which mitigation is undertaken.

This method is optimal for those risks that will not make a large amount of loss if they appear. These risks in fact can be treated more costly to handle than to allow.

Risk Avoidance − Risk avoidance is truly as it sounds. It is a business approaches in which specific classes of activities or business processes are not undertaken because the risks are high to sustain the return on investment.

A risk can be prevented by not accepting or entering into the event which has hazards. This approach has severe limitations because such a choice is not possible, or if possible, it can require giving up some important benefits. Nevertheless, in some situations risk avoidance is both applicable and desirable.

Risk Transfer − Risk Transfer is a method that loses in the long run for medium and high risks. Risk transfer contains transferring the weight or the consequence of a risk on to some different party. There are several ways that risk transfer can take place. Insurance is a generally used method of risk transfer; the insurance company accepts the risk of another.

There is another form of risk transfer can appear in the way that a contract is laid out. Risk transfer for low consequences is generally cheap and reasonable if some method of reasonable and prudent controls are in place. This meets due alertness standards for low risk systems. Risk transfer for medium and high consequences is rare, cheap, and only justified in cases where the worst case loss is not viable and an adequate outside insurance capacity is active to take on the risk.

Risk Reduction − Risk reduction reduces the potential loss related to that risk. Risks can be reduced by execution of standard operating processes, education and training, limiting the numbers or types of participants, making security methodologies, duplication of data, selecting appropriate venues, preventive maintenance, etc.