Talk:Risk control strategies

Does not seem to reflect a widely accepted standard framework & Terminology

This article seems to be based on the framework & terminology of a single source "Management of information security", rather than a widely accepted standard framework & terminology.

Starting with the title, Risk Control Strategies doesn't sound right, and does not seem to be common in the literature. Risk Management is commonly used, but might be too broad for this article. A surprisingly common terminology is "Risk Mitigation", which is a bit awkward given that Mitigation is one of the approaches/options. Others are "Risk Treatment", "Risk Response", and "Risk Handling"^[1][2][3] but not sure those make good titles (unless we preface with the word "Security"); however, perhaps they would work as subtitles for a larger article on "Risk Management".

The breakdown into: Defense, Transferal, Mitigation, Acceptance, Termination does not seem widely accepted, particularly the Termination & Defense (The Termination approach seems rare (at-least as a separate category), and what is termed "Defense" is usually under Mitigate/Reduce/control). The universal 4 seem to be: Transfer, Accept, Avoid, and Mitigate/Reduce/control. Various sources use alternative terms that are alternatives for, or fall under, those 4. (See note for details^[a])

- Yaakovaryeh (talk) 05:40, 31 December 2021 (UTC)

notes

1. Surveying about 30 reliable sources (found by Googling the terminology currently used on the page) on the topic returned the following frequency breakdown (for roots, ignoring suffixes like -ing, -ance, and -ion): Transfer ~ 30, Accept ~ 25, Avoid ~ 25, Mitigate ~ 15, Reduce ~ 10, control ~ 10, Shar ~ 5, Assum ~ 4, Treat ~ 3, Insur. (Rarely used terms - 2: terminat, retention, Spread, Prevent, Monitor/watch; 1: Remov, Limit, Planning, Research & Acknowledgment, Tolerate, Deter, Assign, Reject, Ignore.) For general expression/heading - Risk: Mitigation ~ 10, Management ~ 10, Response ~ 7, Treatment ~ 5. The sources are as follows:
   
   
   • Most common: Mitigat-, Accept-, Avoid-, Transfer-.^{[4][5][6][7][8][9][10][11]}
     
   • 2nd most common: Accept (with monitor/watch), Avoid, Transfer, Control^{[1][12][13][14][15][16]}
     
   • Title/headings removed due to combining the pervious 2 breakups: Risk Management Strateg(y/ies)^{[12][13][14][8]}, Risk mitigation options^[15], Risk Mitigation/Treatment/Handling^[1]; Managing Risk^[4], Risk decisions^[4], Response Actions^[5], Risk Response Identification^[6], Risk mitigation Strategies^[17][16][7], Risk Management^[9], Treatment^[10]
     
     
   • Others:
   Risk response (/Mitigation): Accept, avoid, mitigate, share, or transfer^[18]
   Risk Mitigation Options: Assumption, Avoidance, Limitation, Planning, Research & Acknowledgment, Transference^[19]
   Risk treatment: acceptance, transference, reduction... treat... treat... terminate.^[20]
   Risk Response/Treatment Strategies: acceptance, mitigation, transference.^[2]
   Risk Treatment: Reduce likelihood, reduce consequences, transfer, retention.^[3]
   Risk handling techniques including, Risk: Controls, Avoidance, Assumption, Transfer.^[3]
   Risk Mitigation: acceptance (and monitoring), avoidance, transfer, control, Burn-Down^[21]
   Risk responses: Reduce/mitigate, Assign/transfer, Deter, Avoid, Reject/ignore^[22]
   Risk Response: Prevent, Mitigate, Reduce, Cooperate, Insure, Avoid, Assure, Control, Share^[23]
   Risk Management Type: Retain, Mitigate, Elimination, Avoiding, Acceptance, Transfer^[24]
   Security risk management: accept(ing), mitigat(ing), eliminat(ing), transferr(ing), avoid(ing)^[25]
   Risk Mitigation Strategies: Avoid, Removal, Reduction, Spread, Transfer, Insurance, Accept, Retention (most common), Sharing^[17]
   Risk responses/mitigation: avoid, transfer, insure, eliminate, control, assume^[26]
   Risk Mitigation Strategies: Assume/Accept, Avoid, Control, Transfer, Watch/Monitor^[16]
   Risk Management approach: Terminate, Tolerate, Transfer, or Treat^[27]
   Risk Mitigation: reducing, sharing, transferring, or avoiding^[28]
   Approaches to risk mitigation: Accept, Avoid, Reduce likelihood, Impact mitigation, Transfer...^[29]
   Risk treatment/mitigation methods: prevention, reduction (of effect), transference, contingency, Acceptance^[29]
   Risk Analysis and Mitigation: mitigated, transferred, or accepted^[30]
   Treatment: Remediation, Mitigation, Transference, acceptance, avoidance^[31]
   Avoidance, Retention, Sharing, Transferring, Loss Prevention and Reduction^[32]

1. "Risk Management Overview". Defense Acquisition University. Defense Acquisition University.
2. "Risk Management Plan" (PDF). The U.S. National Archives and Records Administration. The U.S. National Archives and Records Administration. 2010.
3. Gaidow, Svetoslav; Boey, Seng (2005). "Australian Defence Risk Management Framework: A Comparative Study" (PDF). Defense Technical Information Center. DSTO Systems Sciences Laboratory.
4. Touhill, Gregory J.; Touhill, C. Joseph (2014). Cybersecurity for Executives: A Practical Guide. John Wiley & Sons. p. 72. ISBN 978-1-118-90880-8.
5. Panuwatwanich, Kriengsak; Ko, Chien-Ho (2020). The 10th International Conference on Engineering, Project, and Production Management. Springer Nature. p. 424. ISBN 978-981-15-1910-9.
6. Virtue, Timothy; Rainey, Justin (2015). "Chapter 6 - Information Risk Assessment". HCISPP Study Guide. Elsevier Science / Syngress. pp. 131–166. ISBN 978-0-12-802043-2.
7. Wheeler, Evan (2011). "Chapter 8 - Risk Evaluation and Mitigation Strategies". Security Risk Management. Syngress. pp. 147–162. ISBN 978-1-59749-615-5.
8. "Defense in Depth: Foundation for Secure and Resilient IT Enterprises" (PDF). Carnegie Mellon University. 2006.
9. South, Michael (2018). "Scaling a governance, risk, and compliance program for the cloud, emerging technologies, and innovation". Amazon Web Services.
10. Hinson, Gary (2009). "Treating risks". (ISC)² Blog.
11. Starnes, Richard (2016). "How to manage cyber risk". CSO Online.
12. "The Risk Management Process: An Interagency Security Committee" (PDF). CISA. U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Interagency Security Committee. 2021.
13. Gervasi, Osvaldo; Murgante, Beniamino; Misra, Sanjay; Garau, Chiara; Blečić, Ivan; Taniar, David; Apduhan, Bernady O.; Rocha, Ana Maria A. C.; Tarantino, Eufemia; Torre, Carmelo Maria; Karaca, Yeliz (2020). Computational Science and Its Applications – ICCSA 2020: 20th International Conference, Cagliari, Italy, July 1–4, 2020, Proceedings, Part IV. Springer Nature. p. 846. ISBN 978-3-030-58811-3. Risk Management Strategies strongly depend on the reference context and the scope of application. The DOD recognizes 4 categories of risk management intervention. ACAT is an acronym for Avoid, Control, Accept, Transfer...
14. "The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard" (PDF). Department of Homeland Security. Interagency Security Committee. 2013.
15. Emmons, Debra; Mazzuchi, Thomas; Sarkani, Shahram; Larsen, Curtis (2018). "Mitigating Cognitive Biases in Risk Identification: Practitioner Checklist for the Aerospace Sector". Defense Acquisition Research Journal. 25 (1): 52–93. doi:10.22594/dau.16-770.25.01. ISSN 2156-8391. The DoD risk-mitigation options include acceptance (and monitoring), avoidance, transfer, and control (DoD, 2017)
16. "Risk Mitigation Planning, Implementation, and Progress Monitoring". MITRE. MITRE. 2015.
17. Fennelly, Lawrence J.; Perry, Marianna A. (2017). "Part 2 - Assessing Risk and Vulnerabilities". Physical Security: 150 Things You Should Know (Second Edition) (2nd ed.). Kidlington, United Kingdom: Butterworth-Heinemann. pp. 79–96. ISBN 978-0-12-809487-7.
18. National Institute of Standards and Technology (NIST):
    • "risk response - Glossary | CSRC". csrc.nist.gov. NIST.
    • "Guide for Conducting Risk Assessments" (PDF). NIST. NIST. 2012.
    • "Managing Information Security Risk" (PDF). NIST. NIST. 2011.
19. Stoneburner, Gary; Goguen, Alice; Feringa, Alexis (2002). "Risk Management Guide for Information Technology Systems" (PDF). NIST. NIST.
20. "NCSC Certified Cyber Professional (CCP) Assured Service" (PDF). NCSC. National Cyber Security Centre.
21. "Department of Defense Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" (PDF). Department of Defense. 2017.
22. Chapple, Mike; Stewart, James Michael; Gibson, Darril (2018). (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (8th ed.). John Wiley & Sons. ISBN 978-1-119-47587-3.
23. Olson, David L.; Wu, Desheng (2020). Enterprise Risk Management Models. Springer Nature. ISBN 978-3-662-60608-7.
24. Ahmed, Syed M.; Hampton, Paul; Azhar, Salman; Saul, Amelia D. (2021). Collaboration and Integration in Construction, Engineering, Management and Technology: Proceedings of the 11th International Conference on Construction in the 21st Century, London 2019. Springer Nature. p. 468. ISBN 978-3-030-48465-1.
25. Conrad, Eric; Misenar, Seth; Feldman, Joshua (2017). "Chapter 1 - Domain 1: Security risk management". Eleventh Hour CISSP® (Third Edition). Syngress. pp. 1–32. ISBN 978-0-12-811248-9.
26. "The Owner's Role in Project Risk Management". The National Academies Press. 2005. doi:10.17226/11183. {{cite journal}}: Cite journal requires |journal= (help)
27. Odell, Laura A. (2016). "Data to Decisions—Terminate, Tolerate, Transfer, or Treat". Institute for Defense Analyses. Institute for Defense Analyses.
28. "Information Security Risk | Security Program and Policies: Governance and Risk Management | Pearson IT Certification". www.pearsonitcertification.com. Pearson Education. 2014.
29. Dresner, Daniel Gideon (2011). "A study of standards and the mitigation of risk in information" (PDF). Manchester Business School. Manchester Business School.
30. Stevens, James F. (2005). "Information Asset Profiling" (PDF). Carnegie Mellon University Software Engineering Institute. Carnegie Mellon University.
31. "Information Security Risk Management (ISRI)". Rapid7.
32. Yu, Jea. "5 Basic Methods for Risk Management". Investopedia.