What Do We Do with the Risk?

You can deal with risk in several ways, one of which is to eliminate, or at least minimize, it. For example, by not placing a web server on the Internet, you eliminate any risk of that nonexistent web server being attacked. (This does not work very well for companies that do want the web server.)

Another option, short of avoiding the web server altogether, is to transfer the risk to someone else. For example, instead of hosting your own server on your own network, you could outsource that functionality to a service provider. The service provider could take full responsibility (the risk) for attacks that might be launched against its server and provide a service level agreement and guarantees to the customer. Keep in mind, however, that you must still assume some risk if the outsourcing entity (for example, the service provider) does not adequately eliminate it.

So, the service provider now has the risk. How does it handle it? It does exactly what you’re learning in this book: It reduces risk by implementing appropriate countermeasures. By applying the correct patches and using the correct firewalls and Internet service providers (ISPs) and other safeguards, it reduces its own risk. If risk is purely financial, insurance can be purchased that helps manage the risk. Attacks against networks today are primarily motivated by the desire for financial gain. As mentioned in the previous paragraph, the risk assumed by the service provider is not completely eliminated, which results in residual risk that your organization must understand and accept.

Another option is for a company to put up its own web server and just assume the risk. Unfortunately, if it takes no security precautions or countermeasures against potential threats, the risk could be high enough to damage the company and put it out of business. Most people would agree that this is not acceptable risk.
