Asked by Ingrid Maguina on Jun 26, 2024

Verified

Organizations spend a great deal of time and money protecting their information resources. To figure out what needs to be protected and how they are going to protect it, they need to perform risk management. What is the goal of risk management? List and describe the three processes of risk management. How can organizations mitigate risk? Describe a company that has adopted each risk mitigation strategy.

Risk Management

The process of identifying, assessing, and controlling threats to an organization's capital and earnings.

Information Resources

Data and information assets, including databases, documents, and web pages, that an organization or individual can utilize for decision making and operational purposes.

Risk Mitigation

Strategies and methods employed to reduce, control, or eliminate the impact and likelihood of potential risks.

  • Comprehend the role of risk management within information security, encompassing risk assessment, strategies for risk reduction, and the significance of continual risk evaluation.
  • Understand the impact of human factors, especially regarding employees and other insiders, on information security.

Verified Answer

Aryan Kumar, Jun 29, 2024
Final Answer:
goal = identify, control, and minimize the impact of threats; processes = analysis (with three steps: assess value of assets, estimate probability of attack, compare costs of protecting versus not protecting), mitigation (three types as noted next), and controls evaluation (cost versus benefit); mitigate = acceptance (no controls, absorb damage), limitation (try to minimize threat), transference (get insurance); examples: acceptance = Democratic National Committee, limitation (Target installed FireEye software; although they didn't implement all the functionality), transference (see Travelers Insurance options)