Andy Smith FBCS CEng CITP asks: what is risk mitigation and do you really need it?

Put simply, risk mitigation is the removal of risk, or reducing risk so that the impact is negligible. Basically, it is putting in place controls that prevent a risk being realised and causing an impact.

However, risk mitigation is often not what you need and does not provide value for money, in that it may cost more to implement controls than the cost of cleaning up if a risk is realised. In some instances mitigating one risk can introduce other unexpected risks, which can sometimes be worse than the original.

Often it is much better to manage risks rather than try to mitigate them. The whole of the business world runs on a balance of risk versus reward. If you try to mitigate all risk, you will normally have zero reward as a result, which is not a good business model.

There is one area where risk mitigation is important and where most businesses strive to mitigate, or, as a last resort, transfer (insure against) or minimise the risk: health and safety. Basically, when it involves risk to life, every effort should be made to mitigate and totally remove the risk.

This is quite easy in the IT sector, but in the construction industry things are a little more complex: you can minimise risk to life but seldom remove it entirely, and it would not be viable to try.

Looking at the cyber security aspect, there are a number of reasons why risk mitigation is hard. One of the main reasons is human error, including root causes such as apathy, complacency and stupidity.

Examples include not changing default passwords, giving away a password for a Mars bar, and falling victim to social engineering attacks. The human element will always introduce some level of risk. It can be minimised with dual control, where two or more people have to act together to carry out an action, or with segregation of duty, where different parts of a process are performed by different people so that no single person can complete it alone.
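The two controls just described, dual control and segregation of duty, are easy to state and easy to get subtly wrong (the classic mistake is letting a requester count as one of their own approvers). The following is an added example, not code from the original article; the role table, user names and the `wipe_backups` action are assumptions made up for illustration. It enforces both rules for a privileged action: two distinct approvers are required, the same person approving twice counts once, and the requester can never approve their own request even if they also hold the approver role.

```python
"""Dual control and segregation of duty for a privileged action.

Added example, not from the original article. The role model below,
the user names and the 'wipe_backups' action are assumptions chosen
for illustration only.
"""
from dataclasses import dataclass, field

# Assumed role model: which users may request actions and which may approve them.
ROLES = {
    "alice": {"operator"},
    "bob": {"operator", "approver"},   # holds both roles, still cannot self-approve
    "carol": {"approver"},
    "erin": {"approver"},
    "dave": {"auditor"},
}


@dataclass
class PrivilegedAction:
    name: str
    requested_by: str
    required_approvals: int = 2            # dual control: two distinct approvers
    approvals: set = field(default_factory=set)
    executed: bool = False

    def approve(self, user: str) -> None:
        if "approver" not in ROLES.get(user, set()):
            raise PermissionError(f"{user} does not hold the approver role")
        # Segregation of duty: the person who raised the request is excluded
        # from approving it, regardless of any other role they hold.
        if user == self.requested_by:
            raise PermissionError(f"{user} requested '{self.name}' and cannot approve it")
        # A set, so the same approver clicking twice does not count twice.
        self.approvals.add(user)

    def ready(self) -> bool:
        return len(self.approvals) >= self.required_approvals

    def execute(self) -> str:
        if not self.ready():
            raise PermissionError(
                f"'{self.name}' has {len(self.approvals)} of "
                f"{self.required_approvals} required approvals"
            )
        self.executed = True
        return (f"{self.name} executed for {self.requested_by} "
                f"with approvals from {sorted(self.approvals)}")


def request_action(name: str, user: str) -> PrivilegedAction:
    """Only operators may raise a request; approvers and auditors cannot."""
    if "operator" not in ROLES.get(user, set()):
        raise PermissionError(f"{user} does not hold the operator role")
    return PrivilegedAction(name=name, requested_by=user)


def denied(fn, *args) -> bool:
    """True if the call is refused by the control, False if it is allowed."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    action = request_action("wipe_backups", "bob")
    print("bob self-approves:", denied(action.approve, "bob"))        # True
    action.approve("carol")
    action.approve("carol")                                           # counts once
    print("ready after one approver:", action.ready())                # False
    action.approve("erin")
    print("ready after two approvers:", action.ready())               # True
    print(action.execute())
```

The point worth noting is that the requester check and the distinct-approver check are separate rules; dropping either one silently collapses the control back to a single person being able to push a destructive change through.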

Good business continuity and disaster recovery processes also help, especially when people accidentally delete things. Remember, he who does not archive the past is condemned to retype it...

Preventative maintenance

The other aspect, which again comes down to the human factor, is poor preventative maintenance. This can be as simple as cleaning fans and patching systems. However, people are very bad at patching systems, or even at checking whether things have failed.

I have come across a RAID array with two failed hard drives; one more and the whole array would have failed, but no-one had thought to check what the red lights meant. Mitigating risk requires preventative maintenance.
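Red lights are only useful if something reads them. As an added example (not from the original article), the script below parses the Linux software-RAID status file `/proc/mdstat` and reports how many further member failures each array can survive, so that the "two drives down on a RAID6" situation above is flagged as critical rather than merely degraded. The sample `mdstat` text is constructed for illustration; the per-level fault-tolerance table is an assumption (RAID10 tolerance depends on layout and is treated conservatively as one).

```python
"""Report remaining redundancy for Linux md arrays from /proc/mdstat.

Added example, not from the original article. SAMPLE_MDSTAT is a
constructed input; on a real host read open('/proc/mdstat').read() instead.
"""
import re

# Constructed sample: a 4-disk RAID6 with two failed members (marked "(F)")
# and a healthy 2-disk RAID1.
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid6 sdd1[3] sdc1[2](F) sdb1[1] sda1[0](F)
      7813774336 blocks super 1.2 level 6, 512k chunk, algorithm 2 [4/2] [_U_U]

md1 : active raid1 sdf1[1] sde1[0]
      976630464 blocks super 1.2 [2/2] [UU]

unused devices: <none>
"""

# Assumed fault tolerance per level: members that may fail before data loss.
# RAID1 survives all but one member, so it is computed from the member count.
TOLERANCE = {"raid4": 1, "raid5": 1, "raid6": 2, "raid10": 1}

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(raid\d+)\s+(.*)$")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")


def parse_mdstat(text: str) -> dict:
    """Return {array: {state, level, failed, expected, active, missing}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            # Members look like "sdc1[2](F)"; "(F)" marks a faulty device.
            failed = [dev.split("[")[0] for dev in members.split() if dev.endswith("(F)")]
            current = {"state": state, "level": level, "failed": failed,
                       "expected": 0, "active": 0, "missing": 0}
            arrays[name] = current
            continue
        if current is not None:
            s = STATUS_RE.search(line)       # "[4/2] [_U_U]" on the status line
            if s:
                expected, active, flags = s.groups()
                current["expected"] = int(expected)
                current["active"] = int(active)
                current["missing"] = flags.count("_")
    return arrays


def assess(array: dict) -> str:
    """Classify an array by how many more member failures it can absorb."""
    level, missing = array["level"], array["missing"]
    tolerance = array["expected"] - 1 if level == "raid1" else TOLERANCE.get(level, 0)
    remaining = tolerance - missing
    if remaining < 0:
        return "FAILED: more members lost than the level can tolerate"
    if remaining == 0:
        return "CRITICAL: one more failure loses the array"
    if missing > 0:
        return f"DEGRADED: {remaining} further failure(s) tolerated"
    return "OK"


def check(text: str) -> dict:
    """Map each array name to its health verdict."""
    return {name: assess(a) for name, a in parse_mdstat(text).items()}


if __name__ == "__main__":
    for name, verdict in check(SAMPLE_MDSTAT).items():
        print(f"{name}: {verdict}")
```

Run from cron and page on anything other than `OK`; the whole point of the original anecdote is that a degraded array that nobody looks at is indistinguishable from a healthy one until the last disk goes.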

As can be seen with the number of systems that still run Microsoft Windows XP and ATMs that still run Microsoft Windows 2000, there is sometimes a little too much complacency. This is based on the ‘if it works don’t fix it’ philosophy.

This is a great risk mitigation philosophy up to a point. While a system is still in manufacturer support and meeting the business requirements, why change it? To do so without reason is itself taking on unnecessary risk. Changing has to be balanced against cost to change, being able to find skilled resources, migration complexity etc. Even if you do plan to change, this has to be balanced with the risk of going too new and implementing leading edge solutions.

Implementing the latest operating system is a good example of taking on too much risk. It may seem cool to have the latest features, but the risks presented may be too high; for example, the constant online sharing of information by the latest operating systems (telemetry and cloud synchronisation) introduces new and poorly understood risks.

Coupled with this is a lack of skilled resources for the latest OS, compared with the many more people trained on older versions, and the limited 'shake-down' a new OS has had in real-life scenarios, i.e. there are a lot of unfixed and undiscovered bugs.

Where else is mitigating risk viable?

Matters of national security tend to fall into this category, but with SECRET and TOP SECRET both related to loss of life, it comes back to the same issue as health and safety - protection of life.

An area where it is prudent to mitigate risk is with legal and regulatory compliance. Organisations should always comply with the law. Though I would never advocate breaking the law, there are some instances where organisations have found non-compliance to be preferable.

One good example is Sunday trading. It used to be illegal to open on a Sunday, but some of the larger brands found that they could open on a Sunday and if they got taken to court, the fines were much smaller than the profit they made from opening, hence there was no incentive to comply. This eventually led to a change in the law.

Online there are numerous examples. For multi-national organisations compliance with multiple regulations across a global estate is very difficult. Complying with one law in one country may prevent compliance with another in a different country, and this includes data protection and privacy. Changes to EU regulations on data protection may change the risk profile somewhat.

However, legal compliance is a very difficult area. I know of organisations that have VPNs set up to their Asian sub-contractors without realising that the encryption they are using is technically illegal in the remote country and that they could actually be breaking dual-use export regulations in the process. They are managing one risk by using encryption, but then introducing another risk by using encryption.

Once you connect to the internet and enter the cyber world, there are many risks with which to contend and there are no methods to mitigate risk, it can only be managed to an acceptable level.

The risks do not just come from malicious code, viruses, hackers etc.; they come from many other areas, including human error, utility failure, legal and regulatory compliance, device failure, and nefarious staff and other insiders.

So I would contend that the only place it is viable to try and fully mitigate risk is in relation to the preservation of life and for the most part, legal and regulatory compliance, but even here there are limitations. Ultimately most risks should be managed and should be subject to a good risk assessment and based on a risk-reward analysis, to justify the resources, expenditure and time to implement and maintain the controls.

The key thing to remember is that risk is all about balance, not absolutes.