Tuesday, July 08, 2008

Risk Management: accept, transfer, avoid, mitigate risk ... or none of the above?

When dealing with information security risks, the available options are typically to accept the risk, transfer it, avoid it, or mitigate it by implementing security controls. But these aren't the only options, and in some circumstances there's actually a better choice: transform the risk.

A certain large pharmaceutical organization--which I will not specifically mention--for years manufactured an over-the-counter decongestant which contained an ingredient that criminals discovered could be used to illegally produce methamphetamine. The social and public health impacts of this misuse were so significant that it presented a risk that the company needed to address.

For this particular risk, abandoning the product would have harmed patients, and it wasn't feasible to transfer or mitigate the risk directly. So instead, the company took a different route: by changing the active ingredient it made the product unusable to criminals, while still being able to offer it over the counter to its customers.

From an information security perspective, the same principle applies: the risk to an information asset is determined by the seriousness of the impact and the likelihood of that impact occurring. And likelihood in turn is driven by the value of that asset to the threats targeting it. So any organization that can reduce the value of its assets to attackers, without lowering their value to its customers, can also reduce its risks.

Some examples:

  • De-identification of Protected Health Information (PHI) as per the HIPAA Privacy Rule.
  • Identity theft. In countries where a national ID isn't used as an all-purpose identifier, rates of identity theft are much lower than in the United States.
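To make the de-identification example concrete, here is an added illustration (not code from the original post) of the Safe Harbor method from the HIPAA Privacy Rule: direct identifiers are dropped, dates are reduced to the year, ZIP codes to their first three digits, and ages over 89 are bucketed, so the record loses its value to an attacker while the clinical fields a researcher needs survive. The patient record and the low-population ZIP prefix set are constructed placeholders, and only a subset of the 18 Safe Harbor identifier categories is handled.

```python
from datetime import date

# Constructed synthetic patient record; not real data.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "phone": "555-0100",
    "zip": "10013",
    "dob": "1931-03-15",
    "admit_date": "2008-07-01",
    "diagnosis": "J30.9",   # clinical value that must survive de-identification
    "lab_result": 5.4,
}

# Direct identifiers removed outright (subset of the Safe Harbor categories).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "email", "phone"}
DATE_FIELDS = {"dob", "admit_date"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Constructed placeholder set; a real implementation uses current Census data.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}


def generalize_zip(zip_code: str) -> str:
    prefix = zip_code[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def age_in_years(dob: date, as_of: date) -> int:
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record: dict, as_of: date) -> dict:
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # high value to an attacker, none to research: drop it
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = str(date.fromisoformat(value).year)
        else:
            out[key] = value  # clinical data passes through unchanged
    # Ages over 89 collapse into "90+", and the birth year is dropped too,
    # since a year of birth alone would reveal the age.
    age = age_in_years(date.fromisoformat(record["dob"]), as_of)
    if age > 89:
        out["age"] = "90+"
        out.pop("dob_year", None)
    else:
        out["age"] = str(age)
    return out
```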
