Jacob Kaplan-Moss

Thinking About Risk: Mitigation

So you’ve identified a risk — now what do you do about it?

This is the second part of my series on thinking about risk. This’ll make more sense if you’ve read part 1 and understand the terms risk, likelihood, and impact that I discussed there.

Define Mitigation

With that foundation, let’s define mitigation:

Mitigation is taking action to reduce a risk.

Note that I say “reduce” rather than “remove” or “eliminate”. It’s actually quite rare to be able to entirely remove a risk. It’s so great when we can! It’s just super-rare. So I use “reduce” for the implication that when we talk about mitigation we’re talking about partial fixes, not letting the perfect be the enemy of the good.

What follows is a simple framework to help frame discussions about risk mitigation. It’s intentionally very simple, a basic starting point. I’ll present a more complex framework later in this series, but I want to lay more of a foundation before I get there, so we’ll start here.

Mitigation acts on either axis

The basic frame I like for thinking about risk mitigation is to recognize that a given risk mitigation action can act on either axis. That is, when facing a risk, you can take steps to reduce the likelihood:

[Chart: likelihood/impact axes, showing a high risk in the upper right. A horizontal arrow across the top indicates reducing likelihood, thus reducing risk.]

or you can take steps to reduce the impact:

[Chart: the same likelihood/impact axes, now showing reducing impact as a vertical arrow on the right.]

For example, if we’re on a backpacking trip and facing a difficult river crossing we could:

  • Use team water crossing techniques to reduce the likelihood that someone goes for an unplanned swim.
  • Put all of our gear into waterproof bags, reducing the impact of a swim or dropped pack.
  • Find a shallower place to cross, reducing the likelihood of a fall.
  • Position rescuers downstream, reducing the impact if someone gets swept down.

This feels basic, but it’s a critical framework to keep in mind for two reasons:

  1. When brainstorming mitigation options, we often get stuck thinking about one axis or another.

    In particular, I often find that people get stuck trying to prevent an attack from happening, and thus don’t consider what steps they could take to blunt the impact if it does. Deliberately considering both axes helps ensure we’re seeing all the options.

  2. In many circumstances, the effort required isn’t even across both axes.

    Often, risk is a lot easier to mitigate on one axis than the other. Take SQL injection, for example: the steps required to reduce impact (multiple database roles, DLP tooling) are often more difficult and time-consuming than the steps required to reduce the likelihood of a breach (use a web framework!). Considering both axes makes sure that we’re finding the mitigations with the best return on investment.

Defense in depth means applying multiple mitigations along multiple axes

The final observation to fall out of thinking about mitigation in this way is a good working definition of Defense in Depth. You may have heard this term before, and there are many different ways of defining it, but this is my favorite:

[Chart: the same likelihood/impact axes, now with both a reduction in likelihood and a reduction in impact, resulting in low risk.]

Defense in Depth is simply the understanding that you can apply multiple mitigations to the same risk, often by applying mitigations to both axes. We can reduce both the likelihood of an incident and its potential impact, thus reducing risk down to acceptable levels.

For example, to return to the river crossing example from above — we don’t have to choose just one of those potential risk mitigation techniques; we could choose all of them! If we cross as a team, waterproof our gear, find a better place to cross, and position rescuers, we can transform a terrifying river crossing into a mild inconvenience.
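To make the two axes concrete on the SQL injection example from the previous section, and to show defense in depth as both applied together, here is an added Python example (my own illustration, not code from the post or from any project it describes). It uses Python's standard sqlite3 module with a constructed two-row `users` table. On the likelihood axis it places a string-formatted query next to its parameterized replacement, which is what a web framework gives you. On the impact axis it confines a connection to reads with sqlite3's authorizer hook, which stands in for a least-privilege database role (the kind granted only SELECT in a server database); that role is an assumption of the example, not something the post specifies. The `demo()` function returns what each configuration does with the same crafted input.

```python
import sqlite3

# Constructed sample data (not from the post): a tiny users table in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test');
        INSERT INTO users (username, email) VALUES ('bob', 'bob@example.test');
    """)
    return conn


# --- Likelihood axis -------------------------------------------------------

def lookup_email_vulnerable(conn, username):
    """The 'before' state: the query text is built by string formatting, so the
    caller's input is parsed as SQL and can change the query's structure."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_parameterized(conn, username):
    """The same lookup with a bound parameter.  The driver hands the value to
    the engine separately from the statement text, so it is only ever compared
    as data.  A web framework's ORM or query layer does this for you."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# --- Impact axis -----------------------------------------------------------

# Operations a read-only role is allowed to perform: SELECT statements, column
# reads, and built-in function calls inside those SELECTs.
_READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


def apply_read_only_role(conn):
    """Confines a connection to reads.  The authorizer hook is sqlite3's
    stand-in (an assumption of this example) for a server-side database role
    that has only been granted SELECT: any statement that would insert, update,
    delete, alter or drop is refused by the engine, however the statement text
    was built."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in _READ_ONLY_ACTIONS:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def write_attempt_denied(conn, statement="DELETE FROM users"):
    """True if the engine refuses a write on this connection (expected once the
    read-only role is applied); False if the write goes through."""
    try:
        conn.execute(statement)
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    """Runs the same crafted input through each configuration and reports the
    outcome, so the effect of each axis (and of both together) is visible."""
    payload = "' OR '1'='1"  # constructed input that closes the quoted literal
    unmitigated = make_db()
    likelihood_only = make_db()
    impact_only = apply_read_only_role(make_db())
    both_axes = apply_read_only_role(make_db())
    return {
        # No mitigation: the lookup returns every row, not just one user's.
        "vulnerable_leaks_all_rows": lookup_email_vulnerable(unmitigated, payload),
        # Likelihood reduced: the payload is compared as a literal and matches nothing.
        "parameterized_returns_nothing": lookup_email_parameterized(likelihood_only, payload),
        # Impact reduced only: the read still leaks, but the connection cannot write.
        "read_only_role_still_leaks": lookup_email_vulnerable(impact_only, payload),
        "read_only_role_blocks_writes": write_attempt_denied(impact_only),
        # Defense in depth: parameterized query on a read-only connection.
        "both_axes": lookup_email_parameterized(both_axes, payload),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `read_only_role_still_leaks` entry is the point worth dwelling on: the impact-axis mitigation on its own does not stop the disclosure, it only caps what a successful injection can do (no mass update, no dropped table), which is exactly the "reduce, not remove" framing above. The parameterized query, by itself, removes this particular injection but leaves every other path to the database with full write privileges. Applying both is the defense-in-depth outcome, and it also shows why the impact-axis work is typically the more expensive half: it requires changing how the application connects, not just how one query is written.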

Recap

To wrap up these first two entries, let’s recap the important terms covered so far:

Risk
Any time an action has a potential for benefit, it also has the potential for loss. That’s risk. Risk decomposes into two factors: likelihood and impact.
Likelihood
How likely is it that some bad thing will happen?
Impact
If that bad thing does happen, how bad would it be?
Mitigation
Any action we take to reduce the likelihood or impact of a risk.
Defense in Depth
Using multiple mitigations, often across both axes, to reduce a risk.

Next up: a grab-bag piece, covering a number of more subtle points and “side quests”. In these first two entries, I’ve deliberately over-simplified and left out important side notes in the interests of not being overwhelming. So this next piece will add them back in, and start to paint a richer and more complex picture.

Stay tuned: you can find all posts in this series here and follow me in various ways. And if you’ve got questions, or topics you’d like to see covered in this series, please get in touch.