1. When a vulnerability exists, implement assurance techniques to reduce
the likelihood of a threat exploiting a vulnerability. For example,
review user access rights to critical information technology systems on
a periodic basis to determine if access is appropriate.
2. When a vulnerability can be exploited, apply defense-in-depth strategies
and administrative controls to minimize the risk or prevent
the occurrence. For example, layer controls to protect against a single
3. When an attacker’s cost is less than the potential gain from exploiting
a vulnerability, reduce motivation by increasing the cost to exploit the
vulnerability. For example, implement segregation of duties to increase
the amount of time it will take an attacker to subvert security controls.
4. When the loss potential is too great to sustain, apply strong design
principles and implement technical and nontechnical controls to limit
the extent of the attack, thereby reducing the potential for loss. For
example, design processes in the most secure fashion, author strict
procedures for operation, and surround the processes with effective
technical controls such as data encryption.
Control Implementation Methodology
When implementing controls, it is wise to address the greatest risks first,
strive for risk mitigation at the lowest cost, and implement controls with the
least impact on business operations. Control implementation is a multistep
Prioritize Actions—From the risk determination subprocess of the risk
assessment, risks have been categorized as high, medium, or low. When
allocating resources, unacceptable risks with high ratings should be
addressed first. These high-risk areas typically require immediate corrective
action to protect a vulnerability from being exploited.
Evaluate Recommended Control Options—Controls recommended in
the control recommendations subprocess of the risk assessment need
to be further analyzed for their fit with the business. Both the feasibility
and the effectiveness of the recommended controls should be
scrutinized to determine if the control is an appropriate fit and minimizes
risk to an acceptable level.
Perform a Cost-Benefit Analysis—To assist senior management and
business owners in selecting cost-effective controls, a cost-benefit
analysis should be performed. Cost-benefit analysis is described in
depth later in the risk mitigation process.
Control Selection—Using the results from the cost-benefit analysis,
management can determine the most cost-effective controls for reduc-