Risk response strategies and Pope Innocent III

Talking about risk is just talking about a possible chain of events that at a certain point (or points) hurts us. The hurting point is the impact: the loss, with a probability that comes from the attributes of the links of the chain. If we have assessed those possible chains and find it reasonable, we can still decide to block preceding links of the path to mitigate the risk.

The superclass of a risk event is quite simple: a threat exploits some vulnerability, which results in an impact. The impact then materialises as some loss, or, acting as a threat itself, it can even trigger another link in the chain that exploits another vulnerability.

[Figure: risk-event-chain1]

We can break the chain at certain points.

First, let’s look at the threat. Behind the initial threat there is always some sort of tension: the human race, electric potential, the movement of tectonic plates and so on. Although most of these are hard to avoid, we definitely have a couple of weapons here. For human-originated threats, for example, deterrence, motivation, communication or training as threat prevention are ways to stop the flow at the very beginning (deterrence will not really release the tension, but in certain cases it does its job). If we fail to avoid the threat, the threat event will be triggered and it will start the flow.

The next step of the flow is the vulnerability. In short, most of our prevention and protection controls should be applied here. It is platitudinous, but security and quality by design work well. If prevention and protection fail, we are definitely facing an impact and some loss.

The loss will be highest if we cannot even detect the event. If we can, we still have to contain and remediate to mitigate the impact. With quick and efficient remediation we can reduce the loss.

If we want to model the flow, it would look something like this.

[Figure: risk-event-process]

So these are the steps of the risk event flow and the points where it can be interrupted. It is generic enough to apply not only to information security but to other fields of management as well. A great example of this is the case of Pope Innocent III.

It is considered that in his age and beyond, Pope Innocent III was the strongest Catholic leader. Not because of his faith, but because he managed to strengthen the power of the Church and achieved that all the kingdoms across Europe accepted this power. The papal institution had never been so widely determinative and rich before, so he definitely had a lot to lose. And it was not just the impact that was high; you can imagine the threat, and so the probability. Several alliances with different interests and several religious movements with different ideas threatened the power of the Church. Among those the biggest and probably the most dangerous was Catharism. The Cathars were a group of Christians in southern Europe who thought differently, believing that the physical world is simply evil while the spirit must be glorified. But most importantly, they did not accept the power of the Church, and so of the pope. As their group grew, the threat became bigger and bigger.

To his fortune (and the misfortune of others), Pope Innocent III was a great risk manager. He recognised the risk, identified the threat and managed it. First, as he wanted to use the less expensive mitigation options, he sent delegates to proselytize the heretics, without any real success. Then he tried a stronger push: excommunication of noblemen, and promising all the goods of the Cathars to those who helped to stop the movement. However, not surprisingly, the number of volunteers was remarkable, but the risk was still not mitigated. As a final solution, Pope Innocent III launched a crusade. With its twenty years of fighting, its political and economic consequences and the human sacrifices, this was one of the most expensive threat responses of that age. But in the end the pope managed to eliminate the threat of the Cathars, and as a kind of deterrence it was not bad either.

But the head of the Church was even better at risk management. He realised that the main reason why the Cathars were so popular was that the Church had turned away from the people. He not only identified the vulnerability that might be exploited, but also had a mitigation action. The mitigation action was delivered by no one else but a man called Francesco from Assisi. Francesco (or Saint Francis of Assisi, as he became famous) and a couple of his followers approached the pope with the intention of founding an order to serve the Lord. The proposal was accepted by Innocent, so the Order of Friars Minor became the human face of the Church, and with this the vulnerability was mitigated quite efficiently as well.

I don’t believe that the conclusion needs over-clarification. If one wants to mitigate a risk by cutting the flow, it is better to start with the cheapest but most efficient option, and continue only if that doesn’t work. And of course you don’t want to put all your eggs in one basket. It is always more efficient to have more than one control over the risk flow. Security in depth matters.
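As an added illustration (not code from the original post), here is a small Python model of the flow described above and of the conclusion it leads to: each link of the chain (threat, vulnerability, detection, remediation) carries a probability or a factor, each control cuts the flow at one link, and the expected loss is the product along the chain. A greedy "cheapest effective first" selection and a comparison of several modest controls against one big one show the two points of the conclusion in numbers. All frequencies, impacts, control names, effectiveness figures and costs are constructed for the example.

```python
"""Quantitative sketch of the risk event chain: threat -> vulnerability -> impact -> loss.

Controls interrupt the flow at one link each. Expected yearly loss is the product
along the chain. All figures used below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskChain:
    threat_frequency: float    # expected threat events per year
    p_exploit: float           # probability a threat event exploits the vulnerability
    impact: float              # loss if the impact materialises and nobody reacts
    p_detect: float            # probability the event is detected at all
    remediation_factor: float  # share of the impact still lost after containment/remediation


@dataclass(frozen=True)
class Control:
    name: str
    link: str             # "threat" | "vulnerability" | "detection" | "remediation"
    effectiveness: float  # fraction of the flow the control stops at its link (0..1)
    cost: float           # yearly cost of operating the control


def expected_loss(chain: RiskChain, controls: tuple = ()) -> float:
    """Expected yearly loss = frequency x P(exploit) x loss per impact.

    Prevention controls shrink the threat frequency, protection controls shrink
    P(exploit), detection controls raise P(detect), and remediation controls
    shrink the share of a detected impact that still becomes loss."""
    freq, p_exp, p_det, rem = (chain.threat_frequency, chain.p_exploit,
                               chain.p_detect, chain.remediation_factor)
    for c in controls:
        if c.link == "threat":
            freq *= 1.0 - c.effectiveness
        elif c.link == "vulnerability":
            p_exp *= 1.0 - c.effectiveness
        elif c.link == "detection":
            p_det = 1.0 - (1.0 - p_det) * (1.0 - c.effectiveness)
        elif c.link == "remediation":
            rem *= 1.0 - c.effectiveness
        else:
            raise ValueError(f"unknown link {c.link!r}")
    # An undetected event costs the full impact; a detected one only the remediated share.
    loss_per_impact = (1.0 - p_det) * chain.impact + p_det * chain.impact * rem
    return freq * p_exp * loss_per_impact


def total_cost_of_risk(chain: RiskChain, controls: tuple) -> float:
    """Expected loss plus the yearly cost of the controls that are in place."""
    return expected_loss(chain, controls) + sum(c.cost for c in controls)


def cheapest_effective_first(chain: RiskChain, candidates, target_loss: float):
    """Greedy selection in the spirit of the post's conclusion: take the control
    with the best loss reduction per unit of cost, re-evaluate, and stop as soon
    as the expected loss is at or below the target."""
    chosen: list = []
    remaining = list(candidates)
    current = expected_loss(chain)
    while current > target_loss and remaining:
        best = max(remaining,
                   key=lambda c: (current - expected_loss(chain, (*chosen, c))) / c.cost)
        remaining.remove(best)
        chosen.append(best)
        current = expected_loss(chain, tuple(chosen))
    return chosen, current


# Constructed sample chain and control catalogue (hypothetical values, not from the post).
CHAIN = RiskChain(threat_frequency=10, p_exploit=0.5, impact=100_000,
                  p_detect=0.5, remediation_factor=0.4)
LAYERED = (
    Control("awareness training (prevention)", "threat", 0.3, 5_000),
    Control("patching and hardening (protection)", "vulnerability", 0.8, 20_000),
    Control("monitoring (detection)", "detection", 0.8, 15_000),
    Control("incident response plan (remediation)", "remediation", 0.5, 10_000),
)
# One very strong but very expensive control on the threat link alone.
SINGLE_BIG_CONTROL = (Control("eliminate the threat", "threat", 0.95, 200_000),)

if __name__ == "__main__":
    print(f"baseline expected loss: {expected_loss(CHAIN):,.0f}")
    picks, loss = cheapest_effective_first(CHAIN, LAYERED, target_loss=50_000)
    print("cheapest-first picks:", [c.name for c in picks], f"-> loss {loss:,.0f}")
    print(f"layered total cost of risk: {total_cost_of_risk(CHAIN, LAYERED):,.0f}")
    print(f"single big control total cost of risk: "
          f"{total_cost_of_risk(CHAIN, SINGLE_BIG_CONTROL):,.0f}")
```

With these constructed figures the greedy pass stops after two cheap controls on the threat and vulnerability links, and the four modest layered controls end up with a lower total cost of risk than the single expensive one, even though the single control removes more of the threat. The numbers are only an illustration; the useful habit is modelling each link explicitly so the cost of a control can be compared with the loss it actually removes.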

The irony, by the way, is that Francis taught more or less the same as the Cathars did, but without rejecting the power of the Church and the papal institution, so there was less deviation from the principles to overlook.
