Invitation to Cybersecurity

5. The Approach to Cybersecurity: Cyber Risk Management 117

Table 5.7 Example risk mitigations for each category of controls and place of implementation.

5.3.5.4 Accepting

An option always available to organizations is accepting a risk. Accepting a risk is a deliberate decision to live with it. In the qualitative risk analysis above, it is assumed that many risks with a low rating will be accepted: the organization judges that, given the low likelihood or low impact of the risk, the best decision is to accept it. This is a frequent occurrence in cybersecurity and is another way to prove the maxim that there is no such thing as 100% security. All organizations live with at least some cyber risk.

Even when a risk is mitigated, residual risk usually remains. In the quantitative risk analysis above, this was the role of the ALE_POST calculation, the annualized loss expectancy with the safeguard (mitigation) in place. If there is no residual risk after mitigation or transfer, then the risk has been avoided. Organizations typically transfer or mitigate a risk down to a level they are comfortable with, and then accept the residual risk.

Even some risks that are substantial may have to be accepted. If there is no cost-effective way to avoid, transfer, or mitigate a risk, or if the organization cannot afford to do so, then it has no choice but to accept it. Small businesses and startups may have to accept many such risks, and this makes them relatively more vulnerable to existential threats.

5.4 Planning for Failures

“An ounce of prevention is worth a pound of cure.” - Popular saying

In some security contexts there is an expectation of 100% success. For example, the United States Secret Service is expected to have a perfect record for protecting the President. Maintaining a perfect record is not the expectation for cybersecurity. It is understood that there will be failures. Cybersecurity has been compared to a sporting match. It is assumed that sports will be competitive, with each team scoring some points. This has always been the lived reality for cybersecurity. It is important to accept this reality because it is better
