week 18
K1.18 The considerations in the design of a risk mitigation strategy:
A risk mitigation strategy outlines how an organisation plans to reduce or control risks to its digital systems and services. To be effective, it must be carefully designed with several key factors in mind.
Risk Response
You must first decide the type of response for each identified risk. This forms the foundation of the mitigation strategy.
| Response Type | Definition | Example |
|---|---|---|
| Accept | Take no action because the risk is low or manageable | Allow minor printer downtime once a month |
| Avoid | Eliminate the risk by changing plans or approach | Cancel a risky software upgrade |
| Mitigate | Take steps to reduce the chance or impact | Add firewall rules to reduce the likelihood of intrusion |
| Transfer | Pass the risk to another party (e.g. through insurance) | Outsource backup responsibilities to a cloud provider |
User Profile
Consider the users involved in or affected by the mitigation plan. Different users have different needs and ability levels.
| User Consideration | Example |
|---|---|
| Requirements | Mobile users may need secure remote access |
| Ability Level | Non-technical staff may need simple instructions |
Make sure security measures (e.g. password policies, multi-factor authentication) are appropriate and accessible for the intended users.
Cost and Benefit
Analyse the cost of mitigation against the potential impact of the risk. This helps justify whether it’s worth implementing.
| Question to Ask | Example |
|---|---|
| Is the solution affordable? | Is upgrading to enterprise antivirus worth the £2,000 cost? |
| Is the benefit greater than the risk? | Will a £500 UPS save more than that in downtime prevention? |
Use cost-benefit analysis to support decision-making.
Assign an Owner of the Risk
Each risk should have a clearly defined risk owner – the person or team responsible for:
- Monitoring the risk
- Ensuring the mitigation actions are followed
- Updating the risk’s status
| Example | A network administrator is assigned as the owner of the risk of firewall misconfiguration. |
This adds accountability and ensures the risk isn’t ignored.
Escalation to the Appropriate Authority
If a risk becomes too severe or cannot be resolved at a lower level, it should be escalated to management or another senior decision-maker.
| Example | A system vulnerability cannot be patched without budget approval, so it’s escalated to the IT Director. |
Escalation ensures critical decisions are made by those with the correct authority.
Planning Contingencies
Develop backup plans in case mitigation fails or the risk becomes reality. This includes:
- Failover systems
- Alternative access routes
- Manual procedures
| Example | If the primary server fails, a contingency plan switches operations to a cloud-based backup server. |
Contingency planning reduces downtime and disruption.
Monitoring and Reviewing Process
Once a risk mitigation strategy is in place, it must be monitored and reviewed regularly to ensure it still works and is up to date.
| Activities Include | Log reviews, testing controls, user feedback, security audits |
|---|---|
Threats evolve – risk strategies must adapt too.
Design a Risk Mitigation Strategy
Scenario:
You’re designing a mitigation plan for the following risk: “Unsecured USB ports allow malware infections.”
Task:
1. Choose a risk response.
2. Consider:
- Who the users are
- Cost vs benefit
- Who will own the risk
- What the escalation route would be
- What your contingency plan is
- How the plan will be monitored
Extension: Create a short presentation outlining your strategy to a management board.
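The following is an added worked example, not part of the course page, showing how the considerations above (response type, users, cost vs benefit, owner, escalation, contingency, monitoring) can be recorded together as one risk-register entry and turned into a decision. It assumes a simple expected-loss model (likelihood per year × impact in pounds), an arbitrary acceptance threshold, and constructed figures, names and budgets for the USB-port scenario; none of these numbers come from the lesson.

```python
"""Risk register entry for the lesson's USB-port scenario (added example, not course material).

Assumptions not taken from the lesson: expected annual loss is modelled as
likelihood_per_year * impact_gbp, the pound figures are made up for illustration,
and choose_response() is one simple decision rule, not the only defensible one.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

ACCEPT_THRESHOLD_GBP = 200.0   # assumed: expected losses below this are simply accepted


@dataclass
class Risk:
    name: str
    likelihood_per_year: float      # expected occurrences per year
    impact_gbp: float               # cost of one occurrence
    mitigation_cost_gbp: float      # annual cost of the proposed control
    mitigation_reduction: float     # fraction of expected loss the control removes (0..1)
    can_avoid: bool                 # can the risky activity simply be dropped?
    owner: str                      # who monitors the risk and drives the actions
    owner_budget_gbp: float         # spend the owner may approve alone
    escalate_to: str                # authority to escalate to beyond that budget
    contingency: str                # what happens if the control fails
    review_interval_days: int = 90  # monitoring cadence
    users: List[str] = field(default_factory=list)

    def expected_loss(self) -> float:
        return self.likelihood_per_year * self.impact_gbp

    def benefit(self) -> float:
        """Expected loss removed by the control (the 'benefit' side of cost/benefit)."""
        return self.expected_loss() * self.mitigation_reduction


def choose_response(risk: Risk) -> str:
    """Map the figures onto the four response types from the lesson table."""
    if risk.expected_loss() < ACCEPT_THRESHOLD_GBP:
        return "Accept"
    if risk.can_avoid:
        return "Avoid"
    if risk.benefit() > risk.mitigation_cost_gbp:
        return "Mitigate"
    return "Transfer"   # control not worth its cost: insure or outsource instead


def approver(risk: Risk, response: str) -> str:
    """Who signs off: the owner, or the escalation authority if the cost exceeds their budget."""
    if response == "Mitigate" and risk.mitigation_cost_gbp > risk.owner_budget_gbp:
        return risk.escalate_to
    return risk.owner


def next_review(risk: Risk, last_review: date) -> date:
    """Monitoring: when the strategy is next checked for being current and effective."""
    return last_review + timedelta(days=risk.review_interval_days)


def usb_port_risk() -> Risk:
    # Constructed figures for the scenario "Unsecured USB ports allow malware infections".
    return Risk(
        name="Unsecured USB ports allow malware infections",
        likelihood_per_year=2.0, impact_gbp=1500.0,
        mitigation_cost_gbp=800.0, mitigation_reduction=0.9,
        can_avoid=False,                      # staff still need USB for some peripherals
        owner="Desktop support lead", owner_budget_gbp=500.0,
        escalate_to="IT Director",
        contingency="Isolate the infected machine and re-image it from a known-good build",
        users=["office staff (non-technical)", "field engineers (need USB for devices)"],
    )


def printer_downtime_risk() -> Risk:
    # Constructed figures for the 'Accept' row of the lesson table.
    return Risk(
        name="Minor printer downtime once a month",
        likelihood_per_year=12.0, impact_gbp=10.0,
        mitigation_cost_gbp=400.0, mitigation_reduction=1.0, can_avoid=False,
        owner="Office manager", owner_budget_gbp=100.0, escalate_to="Operations manager",
        contingency="Use the printer on the next floor",
    )


if __name__ == "__main__":
    for r in (usb_port_risk(), printer_downtime_risk()):
        resp = choose_response(r)
        print(f"{r.name}: {resp}, approved by {approver(r, resp)}, "
              f"next review {next_review(r, date(2025, 7, 14))}")
```

With the constructed figures the USB risk has an expected loss of £3,000 a year, the control removes £2,700 of it for £800, so it is mitigated; because £800 exceeds the owner's £500 authority the decision is escalated to the IT Director, which is exactly the budget-approval escalation the lesson describes. The printer risk falls under the acceptance threshold and is accepted by its owner.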
Class discussion on encryption as a risk mitigation technique, covering the different types of encryption and the protection of data at rest and in transit.
Back it up, pack it in, let me begin
In small groups of 2-3, create a collaborative presentation that considers backup techniques that will support risk mitigation.
Your presentation should identify:
- The purpose of backups.
- Backup criteria (for example, frequency and storage).
- Type of backup (for example, full or incremental).
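As an added illustration (not part of the course page) of the difference between the backup types named above, the simulation below takes a full backup of an in-memory set of files, then an incremental backup that copies only what changed since the last backup, and restores either point in time. It assumes change detection by comparing a SHA-256 digest of each file's content with the last backup's snapshot; the file names and contents are constructed for the example.

```python
"""Full vs incremental backup, simulated on an in-memory file set (added example).

Assumption: a file counts as 'changed' when the SHA-256 of its content differs
from the digest recorded at the last backup. Real tools may also use timestamps
or archive bits, but the storage trade-off shown here is the same.
"""
import hashlib
from typing import Dict, List, Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BackupSet:
    def __init__(self) -> None:
        self.chain: List[dict] = []          # backups in time order
        self.index: Dict[str, str] = {}      # path -> digest as of the last backup

    def full(self, files: Dict[str, bytes]) -> int:
        """Copy everything; returns bytes written (the storage cost of a full backup)."""
        self.chain = [{"kind": "full", "files": dict(files), "deleted": []}]
        self.index = {p: digest(d) for p, d in files.items()}
        return sum(len(d) for d in files.values())

    def incremental(self, files: Dict[str, bytes]) -> int:
        """Copy only files changed or added since the last backup; record deletions."""
        if not self.chain:
            raise RuntimeError("an incremental backup needs a prior full backup")
        changed = {p: d for p, d in files.items() if self.index.get(p) != digest(d)}
        deleted = [p for p in self.index if p not in files]
        self.chain.append({"kind": "incremental", "files": changed, "deleted": deleted})
        self.index = {p: digest(d) for p, d in files.items()}
        return sum(len(d) for d in changed.values())

    def restore(self, upto: Optional[int] = None) -> Dict[str, bytes]:
        """Rebuild the file set: start from the full backup, replay each incremental."""
        state: Dict[str, bytes] = {}
        for entry in self.chain[:upto]:
            state.update(entry["files"])
            for path in entry["deleted"]:
                state.pop(path, None)
        return state


def demo() -> dict:
    # Constructed sample data: day 1 contents, then day 2 with one edit, one new file, one deletion.
    day1 = {"docs/policy.txt": b"v1 policy", "hr/list.csv": b"alice,bob", "tmp/old.log": b"x" * 20}
    day2 = {"docs/policy.txt": b"v2 policy - revised", "hr/list.csv": b"alice,bob", "it/new.txt": b"hello"}
    backups = BackupSet()
    full_bytes = backups.full(day1)          # copies all 38 bytes
    inc_bytes = backups.incremental(day2)    # copies only the 24 changed/new bytes
    return {
        "full_bytes": full_bytes,
        "inc_bytes": inc_bytes,
        "restored_latest": backups.restore(),
        "restored_day1": backups.restore(upto=1),
        "chain_len": len(backups.chain),
    }


if __name__ == "__main__":
    result = demo()
    print("full backup wrote", result["full_bytes"], "bytes; incremental wrote", result["inc_bytes"])
    print("latest restore matches day 2:", result["restored_latest"] == {
        "docs/policy.txt": b"v2 policy - revised", "hr/list.csv": b"alice,bob", "it/new.txt": b"hello"})
```

The point for the presentation: an incremental backup is cheaper in storage and time (24 bytes instead of 38 here, and the gap grows with the data set), but a restore depends on the full backup plus every incremental after it, so the frequency and retention of full backups become part of the backup criteria.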
Last Updated
2025-07-14 12:18:16