
subject: Three Ways of Dealing With Risk in IT Systems


Everything entails risk, including IT systems. IT systems are very complex, and all complex systems have vulnerabilities, both known and unknown. There are also threats ranging from errors and omissions, to attackers, to environmental risks such as damage from rain storms, floods, hurricanes, and temperature extremes. We define risk as vulnerability times threat. There are four ways to handle risk, three of which are acceptable.

One is to accept the risk. Some risks simply must be accepted as there are no reasonable alternatives.

Another is to mitigate or reduce the risk and then accept whatever residual remains. For example, we might reduce the likelihood of a successful outsider attack over the network by implementing a firewall, an Intrusion Detection System, and anti-virus software.

We can also use the insurance model, which involves transferring risk, just as insurance on a home or car will do.

The fourth option is simply refusing to admit the risk exists. This is not a reasonable thing to do. A non-IT example would be my friend John. He has had a heart attack, yet continues to smoke cigarettes. He insists that he only smokes a pack a day and that this is fine from a health perspective. He refuses to admit that smoking is bad for you, especially for cardiac patients, and is essentially burying his head in the sand.

Risk can be accepted, reduced and then the residual accepted, or transferred using an insurance model. You can also deny that there is any risk at all, which is denying reality. This is not an acceptable approach!
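To make the four responses concrete, here is a small risk-register calculation added as an illustration; it is not code from the article or its author. It uses the article's definition of risk as vulnerability times threat, but the 1-to-5 scoring scales, the example assets, and the amount each control lowers the vulnerability score are assumptions constructed for the example.

```python
"""Toy risk register for the four responses to risk described in the article.

Assumptions (not from the article): threat and vulnerability are scored 1..5,
and each mitigating control lowers the vulnerability score by a fixed amount.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    threat: int                 # likelihood the threat materialises: 1 (rare) .. 5 (frequent)
    vulnerability: int          # exposure of the asset: 1 (hardened) .. 5 (wide open)
    controls: list = field(default_factory=list)   # mitigations applied so far
    transferred: bool = False   # residual loss carried by a third party (insurance model)

    def score(self) -> int:
        # The article's definition: risk = vulnerability x threat
        return self.threat * self.vulnerability


VALID_RESPONSES = {"accept", "mitigate", "transfer"}


def respond(risk: Risk, response: str, control: str = "", reduction: int = 0) -> Risk:
    """Apply one of the three acceptable responses and return the updated record.

    'mitigate' lowers the vulnerability score by `reduction` (never below 1) and
    records the named control; 'transfer' marks the residual as insured;
    'accept' records the decision without changing the score. Denial is rejected.
    """
    if response == "deny":
        raise ValueError("refusing to acknowledge a risk is not a valid treatment")
    if response not in VALID_RESPONSES:
        raise ValueError(f"unknown response: {response}")
    if response == "mitigate":
        if not control or reduction < 1:
            raise ValueError("mitigate needs a named control and a positive reduction")
        risk.vulnerability = max(1, risk.vulnerability - reduction)
        risk.controls.append(control)
    elif response == "transfer":
        risk.transferred = True
    return risk


def denial_is_rejected() -> bool:
    """True if the register refuses the 'deny' response, as the article says it should."""
    try:
        respond(Risk("anything", threat=1, vulnerability=1), "deny")
    except ValueError:
        return True
    return False


def demo_register() -> dict:
    """Constructed example: score three risks before and after treatment."""
    network = Risk("outsider attack over the network", threat=4, vulnerability=5)
    flood = Risk("flood damage to the server room", threat=2, vulnerability=4)
    typo = Risk("operator typo in a config file", threat=3, vulnerability=2)

    report = {"network.before": network.score()}            # 4 * 5 = 20
    respond(network, "mitigate", control="firewall", reduction=2)
    respond(network, "mitigate", control="IDS + anti-virus", reduction=1)
    report["network.after"] = network.score()                # 4 * 2 = 8, residual then accepted
    report["network.controls"] = list(network.controls)

    respond(flood, "transfer")                               # insured, score unchanged
    report["flood.transferred"] = flood.transferred

    respond(typo, "accept")                                  # no reasonable alternative
    report["typo.after"] = typo.score()                      # 3 * 2 = 6
    return report


if __name__ == "__main__":
    for key, value in demo_register().items():
        print(f"{key}: {value}")
    print("deny rejected:", denial_is_rejected())
```

The point of the register is the bookkeeping, not the numbers: mitigation changes the score and leaves a record of which controls were applied, transfer leaves the score alone but records who carries the loss, acceptance records a conscious decision, and denial has no entry at all because the tool refuses to create one.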


By: Harry Baldwin
