Risk assessments should include all the risks relating to a project, activity or organisation and should be performed on a regular basis or whenever additional risks arise. Every risk should be entered into a risk assessment table together with the likelihood and impact of it occurring. This allows all risks to be defined and categorised from high to low, so that resources can be allocated according to the threat level each one poses. The table should also include the measures that detail how each risk will be reduced. For example, mitigation measures for losing a laptop could be to take regular back-ups and to ensure that the hard drive is encrypted.
There are various risk mitigation techniques that can either reduce the impact or likelihood of a risk occurring. These include:
* Avoiding the risk: This means stopping the activity which is causing the risk, such as removing outdated software versions.
* Modifying the risk: This involves implementing a security mechanism which reduces the likelihood of an attack succeeding, or reduces the impact if the attack does succeed. For example, up-to-date anti-virus software which prevents malware from infecting your computer and gaining access to your banking information.
* Transferring the risk: This means that ownership of the risk is transferred to a different person or organisation. A typical example is taking out insurance to cover losses.
* Accepting the risk: This means that no mitigation measures are implemented. This may be appropriate for risks with low likelihood and low impact.
The residual risk is the threat level that remains once the mitigation measures have been implemented. As no system, project or organisation is 100% risk-free, the risk assessment should be reviewed and updated frequently.
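The procedure above (a risk table scored by likelihood and impact, banded from high to low, with a treatment and a residual score per risk) as an added example in Python, not code from the original page. The 1 to 5 scales for likelihood and impact, the score bands, and the sample register entries are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Treatment(Enum):
    AVOID = "avoid"        # stop the activity that causes the risk
    MODIFY = "modify"      # add a control that lowers likelihood and/or impact
    TRANSFER = "transfer"  # move ownership of the loss, e.g. take out insurance
    ACCEPT = "accept"      # no measure; tolerated for low likelihood, low impact


@dataclass
class Risk:
    name: str
    likelihood: int                            # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int                                # assumed scale 1 (negligible) .. 5 (severe)
    treatment: Treatment
    measure: str = ""                          # how the risk will be reduced
    residual_likelihood: Optional[int] = None  # value after the measure; None = unchanged
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact on the assumed 1..25 scale; rejects values off the scale."""
    for label, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be between 1 and 5, got {value}")
    return likelihood * impact


def rating(s: int) -> str:
    """Band a score so resources go to the highest threats first (assumed cut-offs)."""
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def residual_score(risk: Risk) -> int:
    """Threat level that remains once the chosen treatment is in place."""
    if risk.treatment is Treatment.AVOID:
        return 0  # the activity no longer exists, so neither does the risk
    if risk.treatment is Treatment.ACCEPT:
        return score(risk.likelihood, risk.impact)  # nothing was changed
    lik = risk.likelihood if risk.residual_likelihood is None else risk.residual_likelihood
    imp = risk.impact if risk.residual_impact is None else risk.residual_impact
    return score(lik, imp)


def prioritise(register: List[Risk]) -> List[Tuple[str, int, str, str, int, str]]:
    """Rows of the risk assessment table, highest inherent score first."""
    rows = []
    for r in register:
        inherent, residual = score(r.likelihood, r.impact), residual_score(r)
        rows.append((r.name, inherent, rating(inherent), r.treatment.value, residual, rating(residual)))
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Re-running `prioritise` after each review shows which risks are still rated high once their measures are in place, which is the residual risk the text describes.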