By understanding the characteristics of each analysis method and using the appropriate method to conduct risk assessment for the system being analyzed, latent risks in systems can be identified and evaluated properly. After the evaluation, the next step is risk treatment based on the results of the risk assessment.
Risk treatment is the process of formulating plans for dealing with the risks identified through risk assessment and of implementing the formulated measures. There are four methods of dealing with risk: risk acceptance, risk mitigation, risk avoidance, and risk transfer. The method to use for each risk is chosen by considering the results of the risk assessment.
When the likelihood of a risk becoming manifest is low, or when the impact of a risk on the system and on business would be low if it were to manifest itself, the risk can be accepted without implementing measures. This decision is made holistically, taking into consideration factors such as the cost of implementing measures. There are times when risks are accepted because of their particular characteristics, such as when measures are not feasible.
Security measures are used to…




























