Developing Mitigating Recommendations

After performing the analysis, specific recommendations can be provided to management. These recommendations should mitigate the identified risks, and the data collected during the analysis can be included to support them.

Supporting data may include:

  • Threat/vulnerability pairs
  • Estimate of cost and time to implement
  • Estimate of operational impact
  • Cost-benefit analysis

Threat/Vulnerability Pairs

The recommended controls should address specific risks. A risk occurs when a threat exploits a vulnerability. If a threat doesn’t exist to exploit a vulnerability, a risk doesn’t exist. Similarly, if a vulnerability doesn’t exist that a threat can exploit, a risk doesn’t exist.

For example, malicious software is ...

Get Managing Risk in Information Systems, 3rd Edition now with the O’Reilly learning platform.
