📖 What is Risk Mitigation?
Risk mitigation is the process of implementing security controls to reduce the likelihood or the impact of a threat exploiting a vulnerability. The goal is to bring the inherent risk down to an acceptable level of residual risk.
"This is the most common answer for 'reducing' risk through the application of technical or administrative controls."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of Risk Mitigation?
- Implementation of administrative, technical, and physical controls to either lower the probability of a threat occurring or minimize the resulting impact on the organization.
- The transition from inherent risk—the risk level before controls—to residual risk, which is the remaining risk after mitigation strategies are applied.
- Cost-benefit analysis is critical to ensure the cost of implementing a mitigation control does not exceed the value of the asset being protected.
- Alignment with the organization's risk appetite, ensuring that mitigation efforts continue until the risk level falls within the predefined acceptable tolerance limits.
- Focus on the 'defense-in-depth' approach, using multiple layers of controls to mitigate risk more effectively than relying on a single security measure.
🎯 How does Risk Mitigation appear on the CISM Exam?
You may be asked to identify the most appropriate risk response strategy when a business process is too critical to stop but currently possesses a high vulnerability.
A scenario might describe a situation where a proposed security control is too expensive relative to the potential loss; you must determine if mitigation is the correct choice.
Expect questions requiring you to distinguish between risk mitigation and risk avoidance, specifically when deciding whether to implement a control or terminate the activity entirely.
❓ Frequently Asked Questions
What is the primary difference between risk mitigation and risk avoidance?
Mitigation involves implementing controls to reduce risk to an acceptable level while continuing the activity. Avoidance involves completely eliminating the risk by stopping the activity or removing the asset entirely.
Can risk mitigation ever completely eliminate a risk?
No. Mitigation reduces risk, but some level of residual risk almost always remains. Only risk avoidance can theoretically eliminate a specific risk by removing the source of the threat.
How does the CISM exam view the relationship between mitigation and risk appetite?
Mitigation is the tool used to bridge the gap between inherent risk and the organization's risk appetite. Once the risk reaches the appetite level, further mitigation is generally considered inefficient.