How many controls do we need to reduce risk?

When we've identified a risk to our design or user process - and that risk can pose a potential harm - how many controls do we need to add?

We discuss prevention vs. detection controls, ALARP, as low as possible, and some scenarios where we could (and maybe couldn't) justify a risk as acceptable without adding additional controls.

ALARP = As Low As Reasonably Practicable

One reason we could easily justify accepting of risk as ALARP is if the controls we think to put in place don’t actually reduce additional risk. Another is that adding another risk control is not possible. We talk about examples of these in the podcast.

What is the reason that might not be justifiable to using ALARP? “We didn’t think to design it that way and we’re too far down the design path.” Implementing a control might add time, money and cost to the project. Would this reason be justifiable to release a product with risk?

Our original question was how many controls do we need to put into place? And my answer to that is, “It depends.” If we’re willing to accept the risk to a user (or environment, use-process, property...) we need to be clear about our reasons and justify our decisions of why we think we have adequate controls.