An Introduction To
Information, Network and Internet Security


Risk mitigation

Types of control

Risk mitigation is the process of introducing controls to reduce the frequency or severity of a business impact. This can be done in a number of different ways, depending upon the type of control:

· Deterrent control - reduces the threat, i.e. the likelihood that an attack is attempted at all;

· Preventive control - reduces the vulnerability, i.e. the likelihood that an attempt succeeds;

· Corrective control - reduces the impact, i.e. the loss suffered once an incident has occurred;

· Detective control - detects that an incident is occurring or has occurred and triggers other controls (typically the corrective ones), but reduces nothing on its own.

The way in which these different types of control interact with the components of risk is shown below.

Figure 5 - The relationship between risk assessment and selection of controls

In order to fulfil the optimisation goals of risk management, one must carry out a cost/benefit analysis of each control: is the total cost of the control greater or less than the value of the risk reduction it achieves, i.e. the reduction in expected loss? The cost side should be the total cost of ownership (purchase, implementation, operation, maintenance and any loss of usability), not the purchase price alone. Only if that cost is less than the reduction in expected loss is it cost-effective to implement the control, and the same comparison can show that a cheaper, well-targeted control is preferable to implementing every control available.
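The following model, added here as an illustration and not taken from the page, puts the two previous paragraphs together in code: a risk is expressed as an annual loss expectancy (threat frequency × vulnerability × impact), each control type acts on the component the list above assigns to it, and a candidate set of controls is accepted only when its net benefit (risk reduction minus cost) is positive. The names, figures and the rule that a corrective control only takes effect when a detective control is present to trigger it are assumptions of this example.

```python
"""Cost/benefit model for the four control types (added example, not from the page).

Risk is modelled as annual loss expectancy (ALE):
    ALE = threat_frequency * vulnerability * impact
Each control type acts on one component of that product:
    deterrent  -> threat_frequency, preventive -> vulnerability,
    corrective -> impact, detective -> enables the corrective controls.
All figures below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class ControlType(Enum):
    DETERRENT = "deterrent"    # reduces the threat (expected attempts per year)
    PREVENTIVE = "preventive"  # reduces the vulnerability (chance an attempt succeeds)
    CORRECTIVE = "corrective"  # reduces the impact of a successful event
    DETECTIVE = "detective"    # detects the event and triggers the corrective controls


@dataclass(frozen=True)
class Risk:
    threat_frequency: float  # expected attempts per year
    vulnerability: float     # probability an attempt succeeds, 0..1
    impact: float            # loss per successful event, in currency units

    def annual_loss(self) -> float:
        """Annual loss expectancy for this risk."""
        return self.threat_frequency * self.vulnerability * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    kind: ControlType
    reduction: float    # fraction removed from the component it acts on, 0..1
    annual_cost: float  # total cost of ownership per year


def residual_risk(risk: Risk, controls: list[Control]) -> Risk:
    """Apply a set of controls to a risk, each to the component its type addresses."""
    freq, vuln, impact = risk.threat_frequency, risk.vulnerability, risk.impact
    # Assumption of this model: a corrective control only takes effect once a
    # detective control has noticed the event and triggered it.
    detected = any(c.kind is ControlType.DETECTIVE for c in controls)
    for c in controls:
        if not 0.0 <= c.reduction <= 1.0:
            raise ValueError(f"{c.name}: reduction must be in [0, 1]")
        if c.kind is ControlType.DETERRENT:
            freq *= 1.0 - c.reduction
        elif c.kind is ControlType.PREVENTIVE:
            vuln *= 1.0 - c.reduction
        elif c.kind is ControlType.CORRECTIVE and detected:
            impact *= 1.0 - c.reduction
        # DETECTIVE on its own changes nothing; it only enables the corrective branch.
    return Risk(freq, vuln, impact)


def net_benefit(risk: Risk, controls: list[Control]) -> float:
    """Risk reduction achieved (drop in ALE) minus the cost of the controls achieving it."""
    reduction = risk.annual_loss() - residual_risk(risk, controls).annual_loss()
    return reduction - sum(c.annual_cost for c in controls)


def is_cost_effective(risk: Risk, controls: list[Control]) -> bool:
    """The test from the text: implement only if the control costs less than the risk it removes."""
    return net_benefit(risk, controls) > 0.0


def rank_options(risk: Risk, options: dict[str, list[Control]]) -> list[tuple[str, float]]:
    """Order candidate control sets by net benefit, best first."""
    scored = [(name, net_benefit(risk, ctrls)) for name, ctrls in options.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed figures for one risk: unauthorised access to a customer database.
DB_RISK = Risk(threat_frequency=20.0, vulnerability=0.25, impact=40_000.0)  # ALE 200,000

DETERRENT = Control("warning banners and prosecution policy", ControlType.DETERRENT, 0.30, 5_000.0)
PREVENTIVE = Control("patching and hardening", ControlType.PREVENTIVE, 0.80, 30_000.0)
CORRECTIVE = Control("tested backups and restore runbook", ControlType.CORRECTIVE, 0.70, 20_000.0)
DETECTIVE = Control("log monitoring and alerting", ControlType.DETECTIVE, 0.0, 15_000.0)

OPTIONS = {
    "deterrent only": [DETERRENT],
    "preventive only": [PREVENTIVE],
    "corrective only": [CORRECTIVE],  # nothing detects the event, so nothing triggers it
    "detective + corrective": [DETECTIVE, CORRECTIVE],
    "all four": [DETERRENT, PREVENTIVE, DETECTIVE, CORRECTIVE],
}

if __name__ == "__main__":
    print(f"baseline ALE: {DB_RISK.annual_loss():,.0f}")
    for name, benefit in rank_options(DB_RISK, OPTIONS):
        verdict = "implement" if benefit > 0 else "reject"
        print(f"{name:24s} net benefit {benefit:>10,.0f} -> {verdict}")
```

With these constructed figures the corrective control on its own has a negative net benefit, because nothing triggers it, while the preventive control alone scores higher than all four controls together: the extra controls remove less expected loss than they cost, which is exactly the trade-off the cost/benefit test is meant to expose.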



The Security Practitioner

An Introduction to Information Security