Much of the focus of risk mitigation is on implementing controls: preventative, detective and reactive. This is necessary in most cases, and continuous sustainment of those controls is critical, but it is not sufficient.
There are additional ways of reducing risk; much has been written on this that is dry and academic. I like to think of these more simply and practically, specifically: inherent risk reduction (risk avoidance), threat neutralization, and risk transference. Let’s take each in turn.
Inherent Risk Reduction
Avoiding risk by adjusting your reality. One of the often forgotten defender’s advantages is that in many circumstances we control the landscape and can adjust it in our favor. There are many examples of this:
Data minimization (eliminating data, not keeping data, anonymizing). It can be surprising how business processes and supply chains continue to work when certain data fields are removed, and how much data propagation happens unintentionally through lazy table-to-table copying.
Attack surface reduction (reducing how much of a digital environment you present to adversaries).
Service heterogeneity and moving target defenses (trade-offs here of course, as some inherent risk reduction here can spike other risks).
Service dependency isolation.
Threat Neutralization (where threat in this context is broader than “attackers”)
Neutralize or deter threats by a range of organizational, but mostly system-wide, activities: legal and regulatory actions, societal norms, behavioral cues, education and deterrence. There are tomes on deterrence, but for me it simply comes down to imposing actual or perceived costs and adjusting the economics of attackers through penalty (consequences), futility (expense without reward), dependency (self-damaging), and counter-productivity (self-defeating).
Risk transference
In a world of Risk = Hazard + Outrage, I don’t often see transference working as anything other than a method of recouping costs and offsetting certain types of loss-absorbing capital. In many cases what is labeled as risk transference is simply shifting obligations, but the risk (accountability and liability) often remains. Through the lens of transfer it seems there is a “Conservation of Risk” law in place, where risk is simply transformed, not reduced.
Finally, it’s worth talking about the other risk management strategy: risk acceptance. There is always some residual risk; if not, then you’re not looking hard enough. Some residual risk you won’t accept and will work hard to fix, but some you’ll want or need to live with.
Residual risk should be within the defined risk appetite of the organization expressed quantitatively and qualitatively of which a key component is deciding who at what level of the organization can accept it. But, accepting risk is simply the beginning of that journey.
The two things most neglected in this are: developing a response plan should that risk actually be realized and, most importantly, deciding what triggers the revalidation of the risk acceptance. The most common trigger is time, e.g. review and (re-)accept risk every 6 months.
But there are more valuable triggers that change a stance on risk acceptance, e.g. inherent risk increases, changes in the threat landscape, legislative or regulatory changes, and an increase in risk events outside or close calls inside that call into question your likelihood ratings.
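The acceptance workflow above (who may accept a given residual risk, whether a response plan exists, and which triggers beyond elapsed time should force a re-review) can be made concrete in a small risk-register check. This is an added example, not code from the original post; the acceptance-authority matrix, the 180-day review period, the trigger kinds and the register entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed acceptance-authority matrix: a risk score (likelihood x impact,
# each rated 1-5) may only be accepted at or above the listed level.
AUTHORITY_RANK = {"team_lead": 1, "director": 2, "vp": 3, "ciso": 4, "ceo": 5}
MIN_LEVEL_FOR_SCORE = [(0, "team_lead"), (5, "director"), (10, "vp"),
                       (15, "ciso"), (20, "ceo")]

# Trigger kinds drawn from the post: inherent risk increase, threat landscape
# change, legislative/regulatory change, outside incidents and inside close calls.
TRIGGER_KINDS = {"inherent_risk_change", "threat_landscape_change",
                 "regulatory_change", "external_incident", "near_miss"}


@dataclass
class RiskAcceptance:
    risk_id: str
    accepted_by: str                      # a level from AUTHORITY_RANK
    accepted_on: date
    likelihood: int                       # 1-5, as rated at acceptance time
    impact: int                           # 1-5
    response_plan: Optional[str] = None   # what to do if the risk is realized
    review_every_days: int = 180          # the time-based trigger (6 months)

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Trigger:
    """An event after acceptance that may invalidate the acceptance."""
    kind: str                               # one of TRIGGER_KINDS
    occurred_on: date
    risk_id: Optional[str] = None           # None: applies to every accepted risk
    new_likelihood: Optional[int] = None    # used by "inherent_risk_change"


def required_level(score: int) -> str:
    """Lowest organizational level allowed to accept a risk of this score."""
    level = MIN_LEVEL_FOR_SCORE[0][1]
    for threshold, lvl in MIN_LEVEL_FOR_SCORE:
        if score >= threshold:
            level = lvl
    return level


def within_appetite(acc: RiskAcceptance) -> bool:
    """True if the acceptor is senior enough for the risk's score."""
    return AUTHORITY_RANK[acc.accepted_by] >= AUTHORITY_RANK[required_level(acc.score())]


def revalidation_reasons(acc: RiskAcceptance, triggers: List[Trigger],
                         today: date) -> List[str]:
    """Every reason the acceptance should be revisited, in stable order.

    Time is only one trigger; post-acceptance events that apply to this risk
    (or to all risks) are reported too. Events dated before the acceptance were
    already known when the risk was accepted and are ignored.
    """
    reasons: List[str] = []
    if acc.response_plan is None:
        reasons.append("no response plan")
    if (today - acc.accepted_on).days >= acc.review_every_days:
        reasons.append("time")
    for t in triggers:
        if t.kind not in TRIGGER_KINDS:
            raise ValueError(f"unknown trigger kind: {t.kind}")
        if t.occurred_on < acc.accepted_on:
            continue
        if t.risk_id is not None and t.risk_id != acc.risk_id:
            continue
        if t.kind == "inherent_risk_change":
            # Only an increase in likelihood questions the original rating.
            if t.new_likelihood is not None and t.new_likelihood > acc.likelihood:
                reasons.append(f"inherent_risk_change (likelihood "
                               f"{acc.likelihood} -> {t.new_likelihood})")
            continue
        reasons.append(t.kind)
    return list(dict.fromkeys(reasons))   # de-duplicate, keep first-seen order


def needs_revalidation(acc: RiskAcceptance, triggers: List[Trigger], today: date) -> bool:
    return bool(revalidation_reasons(acc, triggers, today))


if __name__ == "__main__":
    # Constructed register entry and events for a stand-alone run.
    acc = RiskAcceptance("R-42", "director", date(2024, 1, 15), likelihood=2,
                         impact=4, response_plan="fail over to the secondary provider")
    events = [Trigger("near_miss", date(2023, 12, 1), "R-42"),          # before acceptance
              Trigger("near_miss", date(2024, 3, 2), "R-42"),
              Trigger("regulatory_change", date(2024, 4, 1)),           # applies to all risks
              Trigger("inherent_risk_change", date(2024, 4, 10), "R-42", new_likelihood=4),
              Trigger("external_incident", date(2024, 4, 11), "R-99")]  # other risk
    print(within_appetite(acc), revalidation_reasons(acc, events, date(2024, 5, 1)))
```

Run as a script, it shows a risk accepted at the right level that is nonetheless due for revalidation well inside its six-month window, because a close call, a regulatory change and a likelihood increase all landed after acceptance. The ordering of `MIN_LEVEL_FOR_SCORE` and the 180-day default are the parts to replace with your own appetite statement.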
Bottom line: don’t just focus on controls to reduce risk; think about inherent risk reduction (risk avoidance) and threat neutralization as important coupled tactics. Regularly review the accepted residual risk that remains, using multiple triggers, not just time.