Security Risk Management

Risk is a part of life. There is little anyone can do that doesn't come with some risk. Since risk can never be avoided entirely, most people try to reduce it where they can, so they are not facing its consequences at every step. The same idea applies to cyber security. There is always the risk of a breach or an attempted attack, but security teams work to reduce as many risks as they reasonably can and to respond appropriately when something does happen.

That, essentially, is what security risk management is. Security risk management means identifying security risks and determining how likely it is that a threat will breach security, exploit a vulnerability, or harm assets. It also includes planning how to address those risks and keep them as small as practical. It is impossible to eliminate all risk, so the goal is to manage risk so that threats are less likely to escalate into incidents, and so that the organization knows in advance which risks it has chosen to carry.

Why is security risk management so important? There is always a risk of a breach or harm to assets, and it’s amplified by how many places this risk could arise. Devices are a part of nearly every aspect of everyday life, from mobile phones to laptops used for working from home to hospital equipment to educational tools. Each of these devices has risks associated with it, and each device on a network poses a risk to the entire network.

So there’s always risk. That’s why security risk management is so important. It’s a way to help identify the risks to your network and your customers, find where those risks could escalate, and try to minimize them.

There are specific stages for security risk management. Read on to learn more about those stages and security models and roles.

Stages for Security Risk Management

There are five stages or steps for security risk management: identification, assessment, treatment, communication, and repetition. Here is a more in-depth explanation of each of these steps and their aspects.

Identification

There are multiple facets of identification that are important for security risk management. These are each of the steps for identification:

  • Asset identification. The first step is to identify the assets an organization has. Which are its most important parts? Consider which assets would most affect the organization if their security were breached: where would it lose confidentiality, integrity, or availability? These are the assets that matter most to protect and whose risks matter most to reduce, so identifying them tells you what to prioritize. For example, a company that holds confidential information such as Social Security numbers would need to prioritize security around that data to protect both the business and its customers.
  • Vulnerability identification. Vulnerabilities are weaknesses or deficiencies that could put assets at risk. They can be in software and in the security systems themselves, or they can be part of organizational processes that end up exposing information. The key is to identify any area that could pose a high risk to important assets.
  • Threat identification. Before threats materialize, it is important to identify what they could be, so the organization can prepare for those situations. This step identifies which threats might exploit the vulnerabilities found above and put assets at risk. Some threats are industry specific: if competitors and other companies in the industry are facing certain types of attacks or particular hacking groups, that is a threat worth noting. Threats to data can also be physical. For example, if a server holding confidential information sits in an area with frequent natural disasters such as tornadoes, the data could be lost, and a damaged facility could also expose the hardware to unauthorized physical access.
  • Controls identification. Controls are anything already in place to protect assets. A control might directly address a vulnerability or lessen the impact of a breach; it might be a technical security feature, or it might be a process, such as deprovisioning the accounts of departed users so they cannot be used for later access. Knowing which controls already exist prevents double-counting and shows where the gaps are.

Assessment

Once the information is gathered, it is time to assess. Assessment combines and analyzes everything known about assets, vulnerabilities, threats, and controls to build a picture of the overall exposure. A very simplified way of thinking about assessment is with this formula:

Risk = (Threat x vulnerability x asset value) – security controls

The terms here are ratings rather than measured quantities; the formula expresses that risk grows with each of the three factors and shrinks with the controls already in place. The score that remains after existing controls is often called residual risk, and it is residual risk, ranked across all identified risks, that drives the treatment decisions in the next stage.

Treatment

Once all the information has been assessed, the organization needs to choose treatments for the risks. These are the main treatment options:

  • Remediation. Implementing a control that fully or nearly fully removes a risk. For example, if a company risks losing data through a software vulnerability, remediation would be to apply the vendor's patch and close that vulnerability. This treatment is only an option when a solution exists that can almost completely fix the risk.
  • Mitigation. Mitigation means lessening the chance that a threat will occur, reducing the impact if it does, or both. For example, an organization might find a physical vulnerability in where its servers are located, and put controls in place to reduce the chance that an event there leads to a data breach. Or it might find that something cannot be fully prevented, so the security team puts controls in place that keep the consequences as small as possible.
  • Transference. Transference moves some or all of the risk of a breach to another entity. One common example is purchasing insurance that assumes the financial risk if an event covered by the policy occurs. Transference does not reduce the likelihood of the event itself, so it is typically a supplement to other treatments rather than the only approach an organization takes.
  • Risk acceptance. Sometimes the cost of remediating or mitigating a risk is higher than the consequences of the breach or vulnerability. In those cases it can be better to accept the risk. For example, if a server has a vulnerability but holds only non-sensitive information, it may be a better use of time and resources to focus on other risks and accept this one. An accepted risk should still be recorded with an owner and a review date, because the assumptions behind the acceptance (such as the data staying non-sensitive) can change.
  • Risk avoidance. Risk avoidance removes all exposure to a risk. For example, if an organization runs an operating system whose vendor no longer supplies patches, an avoidance strategy would be to migrate to an operating system that does receive patches. The risk from the old operating system is gone because sensitive data is no longer exposed to it.

Communication

Once a treatment plan (which may combine several treatments) has been chosen, it needs to be communicated within the organization and to its stakeholders. Stakeholders need to understand the rationale for accepting a risk, treating it, or avoiding it entirely, and responsibilities need to be communicated so that the right people know what they own.

Repetition

Security risk management is a cycle, and it does not end. Any change, whether a new asset, a new threat, or a treatment that has been put in place, can mean re-evaluating the current treatment. Even if nothing changes, monitoring the treatment and adjusting it where and when necessary are essential to keeping the program effective. So once the end of the stages is reached, the cycle begins again.
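The assessment formula, the treatment options and the repetition step above can be tied together in a small risk register. The following is an added example written for this page, not code from Ontinue: it scores constructed entries with the page's simplified formula, picks a treatment against an assumed tolerance threshold, and re-scores an entry after a new control is recorded. The 1 to 5 rating scales, the point values assigned to controls, the tolerance value and the register entries are all assumptions made for the example, not a standard scoring scheme.

```python
"""Illustrative risk register: applies the page's simplified scoring formula

    Risk = (threat x vulnerability x asset value) - security controls

to a constructed set of entries, picks a treatment per entry against a risk
tolerance threshold, and re-scores after a new control is added (the
"repetition" stage). All scales, point values and entries are assumptions
made for this example; they are not a standard scoring scheme.
"""

from dataclasses import dataclass, field


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int           # 1 (low) .. 5 (critical); assumed ordinal scale
    threat_likelihood: int     # 1 (rare) .. 5 (expected); assumed ordinal scale
    vuln_severity: int         # 1 (minor) .. 5 (trivially exploitable); assumed
    # Existing controls, mapped to the points of risk each one is judged to remove.
    controls: dict = field(default_factory=dict)
    # True when a near-complete fix exists (e.g. a vendor patch), so
    # remediation is an option; otherwise the best available treatment is mitigation.
    remediation_available: bool = False

    def inherent(self) -> int:
        """Score before controls: threat x vulnerability x asset value (max 125)."""
        return self.threat_likelihood * self.vuln_severity * self.asset_value

    def residual(self) -> int:
        """Score after subtracting the controls already in place, floored at 0."""
        return max(self.inherent() - sum(self.controls.values()), 0)


def choose_treatment(entry: RiskEntry, tolerance: int) -> str:
    """Map a residual score to one of the treatments described above."""
    if entry.residual() <= tolerance:
        return "accept"            # within tolerance: record owner and review date
    if entry.remediation_available:
        return "remediate"         # a near-complete fix exists: apply it
    return "mitigate"              # no full fix: reduce likelihood or impact


def assess(register: list, tolerance: int) -> list:
    """Rank the register by residual risk (highest first) with a treatment each."""
    ranked = sorted(register, key=lambda e: e.residual(), reverse=True)
    return [(e.asset, e.inherent(), e.residual(), choose_treatment(e, tolerance))
            for e in ranked]


def apply_control(entry: RiskEntry, name: str, points: int) -> int:
    """Record a newly implemented control and return the new residual score."""
    entry.controls[name] = points
    return entry.residual()


# Constructed register for the example (not real findings).
REGISTER = [
    RiskEntry("customer SSN database", "external attacker", "unpatched web app",
              asset_value=5, threat_likelihood=4, vuln_severity=5,
              controls={"WAF in front of the app": 20}, remediation_available=True),
    RiskEntry("public marketing site", "defacement", "outdated CMS plugin",
              asset_value=2, threat_likelihood=3, vuln_severity=3,
              remediation_available=True),
    RiskEntry("on-prem file server", "tornado", "single data centre",
              asset_value=4, threat_likelihood=2, vuln_severity=4,
              controls={"offsite backups": 15}),
    RiskEntry("test lab share", "curious insider", "weak share permissions",
              asset_value=1, threat_likelihood=2, vuln_severity=2),
]
TOLERANCE = 15   # assumed organizational tolerance for residual score


if __name__ == "__main__":
    for asset, inherent, residual, treatment in assess(REGISTER, TOLERANCE):
        print(f"{asset:<24} inherent={inherent:>3} residual={residual:>3} -> {treatment}")
    # Repetition: after replicating the file server to a second site, re-score it.
    apply_control(REGISTER[2], "second-site replication", 10)
    print("re-scored file server:", choose_treatment(REGISTER[2], TOLERANCE))
```

Running the block ranks the SSN database first (inherent 100, residual 80 after the WAF) and marks it for remediation because a patch exists, marks the marketing site for remediation, leaves the file server to be mitigated because a tornado cannot be patched away, and accepts the lab share. Recording the second-site replication drops the file server's residual score to 7, below the tolerance, so on the next pass it becomes an accepted risk; that re-scoring is the repetition stage in miniature. Transference and avoidance are not modelled here because they change who carries the risk or remove the asset from scope rather than changing the score.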

Security Models for Security Risk Management

A security model is a necessary step for security risk management and should align with the organization’s objectives. A model helps an organization determine how a security process might work and where problems could arise. There are two main goals of a security risk management model:

  • Have controls in place that support an organization’s mission and overall goals
  • Make decisions based on the risk tolerance of an organization

These two goals mean that each organization's security model will look different, because each organization has a different mission and a different level of risk tolerance. For example, a prestigious finance company will have a low risk tolerance for security breaches and will have controls that support keeping customer data as confidential as possible.

There are various types of goals that support these two main goals:

  • Operational goals. Operational goals are short-term and task-oriented: the day-to-day work, such as applying patches or reviewing alerts, that keeps the security program running. Setting daily or weekly goals helps the organization stay on top of operational processes.
  • Tactical goals. Tactical goals are mid-term projects that change how the environment is structured, such as moving computers into a managed domain, segmenting the network, or installing a firewall. A tactical goal can also be consolidating resources into one domain so that they can be managed together.
  • Strategic goals. Strategic goals are long-term. An example is introducing wireless communication across the organization, or making other long-term changes to the architecture that improve security over several years.

Security Risk Management Roles

Security risk management involves many roles that need to be aligned with organizational values and therefore need to be well-defined to ensure risk management runs smoothly. There are two main categories of roles in security risk management:

  • Process owners. Process owners are the people responsible for the risk management processes themselves and for the business processes that carry the risk. They drive those processes forward and need to know where the vulnerabilities in their processes are. A finance team is an example of a process owner.
  • Risk owners. Risk owners are responsible for ensuring that risks are treated appropriately. Because the cost of a risk, and of treating it, comes out of the risk owner's budget, risk owners are typically invested in managing risk well.

Process owners are often easy to pinpoint: usually the team trying to accomplish a given piece of work. Determining who is financially responsible for a risk, and therefore its risk owner, may take some evaluation, but it is important to do so that every risk has someone accountable for managing it.

Ready to Get Started?

Security risk management is complex. There are many stages with steps within them, and there are roles and models to manage as well. It may seem overwhelming to know where to begin. Luckily, you do not have to manage your organization's risks on your own. Ontinue is an expert in security risk management and can help you and your organization mitigate, detect and prevent cybersecurity risks.

There are no security risk management challenges that our experts here at Ontinue can't handle. So don't let the extensive nature of security risk management keep you from protecting your organization and data. Request a demo today!