Cybersecurity risk response - AWS Prescriptive Guidance

Cybersecurity risk response

The responses to positive and negative risks are vastly different. For negative risks, you take steps to minimize the impact on the outcome, but for positive risks, you take steps to maximize the impact on the outcome. The following table shows potential responses to positive and negative risk.

| Risk type | Response | Definition |
|---|---|---|
| Positive risk | Exploit | Maximize the probability or likelihood of the risk occurring in order to realize its positive effect. |
| Positive risk | Share | Allocate part of the ownership of or responsibility for the risk to another party. This is the same approach as with a negative risk, and it tries to control the potential loss or gain. |
| Positive risk | Enhance | Increase the conditions that create the risk in order to maximize the opportunity. |
| Positive risk | Ignore | Disregard the possibility of the risk, and take no action. This response is common when the probability of the risk is very low or when the benefits of the potential positive outcome are minimal. |
| Negative risk | Mitigate | Minimize the probability or likelihood of the risk occurring. |
| Negative risk | Transfer | Shift responsibility or liability for the risk to another party, such as purchasing an insurance policy to transfer the risk to an insurance company. |
| Negative risk | Avoid | Eliminate the conditions that create the risk. |
| Negative risk | Accept | Acknowledge the existence of the risk but take no action. |

For negative risks, organizations avoid, transfer, mitigate, or accept the risk, based on their risk tolerance and appetite. They try to prevent the risk from occurring, and if it does, they try to minimize its impact on the overall mission.

The best way to illustrate the positive risk responses is to use examples:

  • Exploit – A security executive learns that a well-qualified security professional has recently decided to seek new employment and arranges a generous signing bonus to entice the prospective employee to his team.

  • Share – A business unit leader would like to improve security by using a privileged access management product but doesn’t have a sufficient budget to purchase the tools and services in the current fiscal year. The leader works with a leader from a different business unit who will purchase and implement the tool as a pilot project and later expand installation to support both business units.

  • Enhance – An employee has identified an opportunity to automate an existing business process to reduce cybersecurity threats, but it requires an investment in time and equipment. Seeing the positive benefits of such a process, the manager approves overtime labor hours to develop the capability and repurposes existing hardware and software resources that enable the project to proceed.

  • Ignore – A finance executive learns that an employee working in the sales department has developed a new application that automates a tedious and manual task. The application was recently authorized for use in only the sales department. The finance executive obtains a copy of the new application to gain a similar advantage in his department, without explicit authorization.