15.1 Risk Management Strategies

Risk management consists of the four main risk strategies below.

Activity            Category
Risk Mitigation     Implementing security controls to reduce the likelihood of the risk occurring and lower the magnitude of the impact.
Risk Avoidance      Changing business activities to completely eliminate the risk; eliminating the risk often comes with significant drawbacks.
Risk Transference   Transferring the risk and potential impact to another organization or third party.
Risk Acceptance     Deliberately choosing to continue business operations as normal despite the potential risk.

15.2 Risk Identification and Assessment

In this section I will think of a business process critical to the operation of an organization and identify the risks associated with that process. Once risks are identified, I will select one and conduct a risk assessment.

Risk Identification

For this risk assessment, I will consider a university in the United States. A critical business process for any university is achieving or exceeding its enrollment targets. Here is a diagram brainstorming some risks associated with this.
[Diagram: Risk Management]

Risk Assessment

The risk I will focus on is damage to a university’s reputation. I will conduct a rough quantitative risk estimate here. I will select Yale University as a case study to narrow the scope of this exercise. How many times over the past 10 years has Yale experienced significant damage to its reputation? The more difficult question to answer will be: have these events affected Yale’s enrolment?

Note: Obviously this is not an actual quantitative assessment as I do not have the data and resources required to properly conduct one. Rather, I see this as a rough-draft sprint practice exercise for thinking about risk.

Quantitative Risk Assessment

  1. Determine the Asset Value (AV) of the asset affected by the risk. In 2021 Yale admitted 1322 students. The average yearly tuition is 55,500. This results in an AV of 73,371,000 annually.
  2. Determine the Annualized Rate of Occurrence (ARO), i.e. how often the risk is expected to occur in a given year. As per above, a damaging PR event occurred 12 (by my estimate after 30 minutes of googling) times over 10 years. Dividing these two numbers produces an ARO of 1.2.
  3. Determine the percentage of damage that will occur to the asset if the risk happens. This is referred to as the Exposure Factor (EF). Past scandals appear to have had little effect on enrolment. I will set the EF at 0.001, although I imagine it could be set even lower.
  4. Determine the Single Loss Expectancy (SLE), the amount of damage expected each time a risk materializes. The SLE is calculated by multiplying EF and AV, so 0.001 x 73,371,000 results in 73,371.
  5. Calculate the Annualized Loss Expectancy (ALE), the amount of damage expected from a risk in a given year. This is calculated by multiplying the ARO and SLE, so 1.2 x 73,371 results in an Annual Loss Expectancy of 88,045.
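The five steps above as a reusable calculation, together with the control cost/benefit comparison that the mitigation-versus-acceptance choice in 15.3 rests on. This is an added example, not part of the original notes; the asset, event and EF figures are the Yale estimates from the steps above, while the control cost and the post-control EF are constructed assumptions.

```python
# Added example: quantitative risk assessment (AV, ARO, EF, SLE, ALE) as code,
# plus a net-benefit check for a proposed control. Figures other than the
# notes' Yale estimates are constructed assumptions, not real data.
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    asset_value: float      # AV: annual value of the asset at risk
    events: int             # damaging events observed ...
    years: int              # ... over this many years (gives the ARO)
    exposure_factor: float  # EF: fraction of AV lost per event, 0..1

    def __post_init__(self) -> None:
        # Reject inputs that make the later multiplications meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.years <= 0 or self.events < 0:
            raise ValueError("years must be positive and events non-negative")

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: events per year."""
        return self.events / self.years

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle * self.aro


def control_net_benefit(before: QuantRisk, after: QuantRisk,
                        annual_control_cost: float) -> float:
    """ALE reduction the control buys, minus what the control costs each year.
    Positive: mitigation pays for itself. Negative: acceptance is cheaper."""
    return (before.ale - after.ale) - annual_control_cost


# Values from the notes: 1322 admits x 55,500 tuition, 12 events in 10 years, EF 0.001.
yale = QuantRisk(asset_value=1322 * 55_500, events=12, years=10, exposure_factor=0.001)

if __name__ == "__main__":
    print(f"AV={yale.asset_value:,.0f} ARO={yale.aro} SLE={yale.sle:,.0f} ALE={yale.ale:,.0f}")
    # Constructed assumption: a PR playbook costing 20,000/yr that halves the EF.
    mitigated = QuantRisk(yale.asset_value, yale.events, yale.years, yale.exposure_factor / 2)
    print(f"Net benefit of the control: {control_net_benefit(yale, mitigated, 20_000):,.0f}")
```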

15.3 Risk Management

Now that I have conducted a risk assessment, I will look at how the previously identified risk management strategies could be used to address this risk:

  • Risk mitigation: Develop several PR strategies and playbooks for common reputation events so the university is prepared when an actual event occurs.
  • Risk avoidance: Drastically reduce enrolment numbers and rely on other sources of cash flow to fund the university.
  • Risk acceptance: Set aside the ALE amount in budget every year for handling damaging PR events.
  • Risk transference: Outsource the management of admissions to a third party.


A glossary of all the terms, acronyms and slang I run across for this chapter.

ERM: Enterprise Risk Management
Threat: Possible event which may have an effect on Confidentiality, Integrity or Availability
Vulnerabilities: Weaknesses in systems which could be exploited by a threat
Risk: The combination of a threat and a vulnerability
Risk Identification: Identifying the risks and vulnerabilities which exist in your environment
Probability: The likelihood the risk will occur
Magnitude: The impact the risk will have on the organization if it does occur
Risk Formula: Risk Severity = Probability * Magnitude
BIA: Business Impact Analysis; a formalized approach to risk analysis
Quantitative Risk Analysis: Uses numeric data to assess risk
Qualitative Risk Analysis: Uses subjective judgements and categories to assess risk
ARO: Annualized Rate of Occurrence; the likelihood an event will occur in a given year
EF: Exposure Factor; the amount of damage, as a percentage of the asset, expected if a risk occurs
SLE: Single Loss Expectancy; the amount of damage expected each time a risk happens (AV x EF)
ALE: Annualized Loss Expectancy; the amount of damage expected from a risk every year, calculated by multiplying the SLE and ARO
Risk Management: Process of addressing the risks that face an organization; seeks to prioritize risks with high probability and magnitude, and determines whether the potential impact of a risk justifies a given amount of spending
Risk Mitigation: The process of applying security controls to reduce the probability and magnitude of a risk; the most common approach to risk management
Risk Avoidance: Risk management strategy where business practices are changed to eliminate a risk; may require unrealistic sacrifices
Risk Transference: Shifts some of the risk impact from the organization to another entity
Risk Acceptance: Deliberately accepting a risk after thorough consideration; may be warranted if the cost of mitigation is higher than the risk itself
Data Ownership: Policy where specific senior executives are designated as owners of different data types and must work with other experts to manage and protect that data
Information Classification: Top Secret > Secret > Confidential > Unclassified; data classification allows organizations to clearly specify the security controls required to protect information
Data Minimization: Strategy where an organization collects only the minimum amount of data needed to meet its business needs
Purpose Limitation: Data should only be used for the original purpose for which it was collected and to which the data subjects consented
Data Retention: Adopt standards that govern the end of the data lifecycle; data should only be kept for as long as remains necessary to fulfill its original collection purpose
Data Sovereignty: Data is subject to the legal restrictions of any jurisdiction where it is collected, stored or processed
Red Team: Attackers who attempt to gain access
Blue Team: Defenders who attempt to stop the attackers
White Team: Observers and judges of the exercise
NDA: Non-disclosure agreement
DLP: Data Loss Prevention; systems which help organizations enforce information handling policies and procedures and prevent the loss or theft of data
Host-based DLP: Uses agents on systems to detect sensitive information
Network-based DLP: Dedicated devices that sit on the network and monitor outbound traffic, checking for the exfiltration of data
Watermarking: Applying electronic tags to sensitive data so it is recognized by DLP systems
Pattern Matching: DLP systems that watch for specific kinds of sensitive data
Deidentification: Removing the ability to link data back to an individual
Data Obfuscation: Changing data into a format where the original cannot be retrieved
Data Obfuscation Methods: Hashing, Tokenization, Masking
Tokenization: Replacing sensitive values with a unique identifier using a lookup table
Masking: Partially redacting sensitive information