4. Risk management
Risk management involves deciding if and what measures to take.

With awareness of a risk and its possible impact, there are four ways to respond or manage:


a. Acceptance: you are willing to face the consequences.

b. Rejection: the risk is not accepted, and the activities or situations that can generate it are eliminated.

c. Mitigation: measures are adopted to reduce the probability or the consequences.

d. Transfer: all or part of the risk is transferred to a third party.


Let's take for example the risk of damaging the car due to an atmospheric event.


Acceptance: I use the car normally, if it gets damaged I will have it repaired.

Rejection: I don't buy a car, I use public transport or car-sharing services.

Mitigation: I carefully check the weather forecast before using the car and make sure I have covered parking available.

Transfer: I purchase the option for damages caused by weather events in the car insurance.


There are two other possible behaviors, not recommended but unfortunately frequent:

e. Being unaware of the existence of the risk.

f. Being aware of it and ignoring it.


It is the job of the Fractional CISO to actively support the Company in consciously determining the type of response to adopt for each risk.


This is a key phase, as the decisions made here will guide the Security Program.