rslade
Influencer II

Risk transfer

In terms of risk management, there are our four basic strategies: risk avoidance, risk acceptance, risk mitigation, and risk transfer.

 

Risk avoidance is fairly simple: if the game isn't worth the candle, don't do it.  If the risk, in terms of both factors of impact and probability, is any greater than the potential benefit, then we simply don't get involved in that activity or situation.  Or, more often, if the reward we aren't going to get from this isn't much greater than the risk, then we don't pursue the risk.

 

Risk acceptance is more complicated.  Risk acceptance should be the calculated decision that the gain is much more than the potential loss, and so we will accept the risk.  However, most often risk acceptance is simply the fact that we want to do something, and we blindly accept the risk without knowing what that risk actually is.  The decision to drive drunk is based on a) the fact that we want to drink, and b) the fact that, by the time closing time comes, we are far too drunk to do any kind of risk calculation at all.  The decision to go to a party during a pandemic has everything to do with the fact that we are bored, and nothing to do with the probability of encountering someone who might be infected (currently likely around 50%), and the risk that, if infected, we might die (generally about 2%).

 

(Psychology, social dynamics, and social engineering come in at this point.  Study after study shows that "successful," in terms of non-inherited money or running large corporations, people are much less risk averse and much more risk accepting than the general public.  This holds true even if the risk is demonstrably unlikely to come out in their favour.  This is unlikely to say anything about optimal risk strategies, since human beings have been tuned, by millions of years of evolution, natural selection, and avoiding sabre-toothed tigers in the savannah, to a certain range of risk acceptance and risk avoidance.  It is much more probable that it says something about the artificiality of modern, primarily capitalist, societies.  [The sample size is rather small, since we are not talking just about the one percent, but the vanishingly small proportion who manage to move into one percent from outside of it.]  It also says something ironic and contraindicating about CEOs of large corporations, since startups are much more risk accepting, having little or nothing to risk, while large corporations, having infrastructure, capital, and branding goodwill to risk, are generally much more risk averse.  And, again in terms of general risk acceptance, note that, while we remember and celebrate all the startups that go on to become large corporations, most startups, and many, many more than succeed, fail within the first year.)

 

Risk mitigation is the bulk of what we think about when we think about risk management.  Mitigation is all the assessment, analysis, safeguards, controls, countermeasures, metrics, that we spend most of our time discussing, writing about, and teaching.  So I won't go into that here.

 

Risk transfer is a way to shift our risk onto somebody else.  Most of the time, when we come to risk transfer, the only thing we can think of is insurance.  Go ahead.  Do a quick search on risk transfer on the ISC2 "community."  Of the five items that come up, two obviously are about insurance, one actually is about insurance, and the remaining two just mention risk transfer without actually talking about it.

 

However, the CoVID pandemic has provided us with a new example of risk transfer: food delivery.  We are afraid to go out--it's dangerous out there.  So we pay other people to go out there for us, and bring us food (and other necessities).  We thus transfer the risk to them.  As noted, it's not just meal deliveries: we now have a much greater use of grocery deliveries, and online shopping of all kinds.  We are staying home, in a dangerous time to go out, and getting other people to go out and take those risks for us.

 

Although I'm grateful for the example of risk transfer (and I'm only sorry I thought about this too late to get it into the book), I'm not a big fan of food delivery, in general.  It's a big part of the "gig economy," and the gig economy is a massive "race to the bottom" in terms of wages and working standards.  (The gig economy is also, at least partly, being used by corporations to outsource both costs and risks, which is, again, ironic in view of the fact that the pandemic has also demonstrated the inherent brittleness of the business practice of endlessly trimming any and all margins in the name of "efficiency.")  Capitalism in general is currently driving growing inequities, and the gig economy may be pushing for the development of a massive underclass as there was in the eighteenth and nineteenth centuries (and likely the cause of much violence, revolution, and war then and later).  In terms of the pandemic risk, we are seeing case clusters and outbreaks in fulfillment centres such as Amazon, but the delivery workers, of all types, are becoming the largest and most unregarded class of essential workers.  Unfortunately, the risk of illness to them is hard to measure, and probably will not be properly calibrated until careful studies are done, probably years from now.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
3 Replies
AppDefects
Community Champion

Re: Risk transfer

@rslade are you really 116?

 

"Robert Slade has had an extensive and prolific career in Management, security, and telecommunications research (26 years), analysis (29 years) and consultancy (21 years), as well as being an educator visiting universities and delivering lecturers and seminars (40 years)."

 

Ps. The book is a nice read. The world thanks you.

rslade
Influencer II

Re: Risk transfer

> AppDefects (Community Champion) mentioned you in a post! Join the conversation

> @rslade are you really 116?

Kids. I'm surrounded by kids.

Yes, I'm very old.

I was *born* old ...

> Ps. The book is a nice read. The world thanks you.

Thank you, and quite welcome 🙂

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

CISOScott
Community Champion

Re: Risk transfer

A quick note about the "gig" economy you referenced. While it may seem like a race to the bottom to some, keep in mind that it does offer some benefits. I have two children who are currently engaged in this "gig economy". They find it reassuring that they can go make some quick money when they can and not be burdened by a set schedule (they are in college now). If they get to feeling bad, they can just stop working (after completing the delivery they have accepted of course) and then go home. No need to convince a boss that you feel bad or get someone to cover your shift. The company wins because there are far fewer HR hassles to deal with and benefits to hand out. So for some people and companies, it is a win-win. They actually like it because it allows them to bank several trips and then cash out when they need it. They also like the surprise of tips coming in up to several days later. It doesn't pay great because not much skill is required to follow a list or just go pick up the order and deliver it. It would suck as a full-time job as it offers no benefits, etc. But for those needing short-term employment on their schedule, it works. Now it is not for everybody, but for the knowledge required, it allows a freedom to go make some money when they want to. Also, for some consumers it is a win. Someone can do their shopping and all they have to do is pay a little fee. There are plenty of businesses that do virtually the same thing, i.e. oil change places, fast-food, etc. They do services for people that people are willing to pay someone else to do. Heck, in information security we often outsource things that either a) we do not have the talent in-house to handle or b) fill a temporary need. I don't see much difference in hiring a contractor to do something versus the gig economy.