[Figure K.1: Risk Mitigation, Diminishing ROI (Asymptotic Nature). Vertical axis: mitigation, 0% to 100%; horizontal axis: cost. The curve rises steeply at first and then flattens toward 100% without reaching it; the flattening region is bracketed as "Optimal Mitigation".]
Figure K.1 Asymptotic nature of risk mitigation.
Policy
Although a separate security policy for E-insurance is overkill, a risk management policy may state something to the effect of: Company X proactively identifies and manages risks to our organization and the services we provide our customers while balancing the expense with the interest of our stakeholders (e.g., investors). Effective risk management includes defining risk that we will accept, risk that we will mitigate, and risk we will share or transfer. This policy statement is generic, but provides the foundation for exploring risk management options that include insurance and E-insurance.
IA² Perspective
Risk mitigation gets closer to 100 percent with each increase in security investment, but never quite reaches 100 percent; there is always residual risk. Therefore, part of the architectural challenge (your challenge) is to optimize mitigation investments via security measures and share or transfer the residual risk by some other means—one of those means is insurance coverage. Figure K.1 shows the asymptotic nature of risk mitigation investment. The question is what to do with residual risk—accept, share, or transfer?
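The curve in Figure K.1 can be made concrete with a small model. The following is an added example, not part of the book: it assumes a diminishing-returns mitigation curve of the form 1 - e^(-cost/scale) (the book gives no formula; the exponential shape, the `scale` parameter, the unmitigated exposure figure and the accept/share/transfer thresholds are all constructed assumptions). It walks the cost axis in fixed steps, stops investing where the next step's reduction in expected loss no longer pays for itself (the "Optimal Mitigation" region of the figure), and then reports the residual risk that must be accepted, shared, or transferred.

```python
import math


def residual_risk(cost: float, scale: float) -> float:
    """Fraction of the original risk still present after investing `cost`.

    Assumed model: residual = e^(-cost/scale). It approaches 0 but never
    reaches it, which is the asymptotic behaviour Figure K.1 illustrates.
    Computed directly (not as 1 - mitigation) so tiny residuals do not
    round to exactly zero in floating point.
    """
    return math.exp(-cost / scale)


def mitigation_fraction(cost: float, scale: float) -> float:
    """Fraction of risk removed by investing `cost` (complement of residual)."""
    return 1.0 - residual_risk(cost, scale)


def optimal_investment(exposure: float, scale: float,
                       step: float = 1000.0, max_cost: float = 1_000_000.0) -> float:
    """Spend in `step`-sized increments while each increment removes more
    expected loss than it costs; stop at the first increment that does not.

    `exposure` is the assumed annual expected loss with no mitigation at all.
    The returned value is the spend at the knee of the curve.
    """
    cost = 0.0
    while cost < max_cost:
        gain = exposure * (mitigation_fraction(cost + step, scale)
                           - mitigation_fraction(cost, scale))
        if gain < step:          # marginal benefit below marginal cost
            break
        cost += step
    return cost


def disposition(residual_expected_loss: float, risk_appetite: float,
                insurance_premium: float) -> str:
    """Assumed decision rule for what to do with residual risk.

    accept   - residual expected loss is within the stated appetite
    transfer - otherwise, if an insurance premium costs less than the loss it covers
    share    - otherwise, retain part (e.g., a deductible) and insure the rest
    """
    if residual_expected_loss <= risk_appetite:
        return "accept"
    if insurance_premium <= residual_expected_loss:
        return "transfer"
    return "share"


def plan(exposure: float, scale: float, risk_appetite: float,
         insurance_premium: float, step: float = 1000.0) -> dict:
    """Tie the pieces together: optimal spend, residual risk, and its disposition."""
    cost = optimal_investment(exposure, scale, step)
    residual = residual_risk(cost, scale)
    residual_loss = exposure * residual
    return {
        "invest": cost,
        "mitigated_fraction": 1.0 - residual,
        "residual_fraction": residual,
        "residual_expected_loss": residual_loss,
        "disposition": disposition(residual_loss, risk_appetite, insurance_premium),
    }


if __name__ == "__main__":
    # Constructed sample inputs: $500k unmitigated annual expected loss,
    # curve scale of $50k, $20k appetite, $30k quoted premium.
    for key, value in plan(500_000, 50_000, 20_000, 30_000).items():
        print(f"{key}: {value}")
```

With the sample inputs the loop stops at $115,000 of investment, where roughly 90 percent of the risk is mitigated and about $50,000 of expected loss remains; that exceeds the $20,000 appetite, and the $30,000 premium is cheaper than the loss it covers, so the residual is transferred. Raising `max_cost` or shrinking `step` never drives `residual_risk` to zero, which is the point of the figure.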
Risk Sharing/Transfer
Insurance coverage is one method to share or transfer risk. Transferring all risk may
appear an attractive option and a way to avoid risk mitigation investment; however,
“Policy” in the sense of policy-procedure-standard, not insurance policy.