1.4.2. Risk Response Options
💡 First Principle: Once risk is identified and measured, an organization has exactly four options: stop doing the thing that creates the risk (avoid), reduce the likelihood or impact (mitigate), pay someone else to absorb the financial loss (transfer), or accept that the remaining risk is within tolerance (accept). Every risk decision is one of these four — confusion about which option was chosen creates accountability gaps.
The choice of response depends on: cost of the control vs. magnitude of the risk, organizational risk tolerance, legal and regulatory requirements, and operational feasibility.
Key distinctions:
Avoid removes the risk by eliminating the activity or asset. An organization decides not to store Social Security Numbers (avoids breach exposure for that data). This is only possible when the activity isn't essential.
Mitigate reduces the risk to an acceptable level through controls. Most security spending is mitigation: firewalls, encryption, and access controls all reduce likelihood or impact. Mitigation never eliminates risk; what remains after the controls are applied is residual risk, and that residual risk must itself be treated, normally by accepting it with documented sign-off or, where the remaining exposure is financial, by transferring it.
Transfer shifts the financial consequences to a third party (some frameworks call this risk sharing). Cyber insurance doesn't prevent breaches; it pays some of the costs after they occur, subject to policy limits and exclusions. Outsourcing doesn't eliminate liability; the organization remains accountable for data it controls, and regulators and customers will hold it, not the vendor, responsible. Only the financial impact can be transferred: legal accountability and reputational harm stay with the organization.
Accept documents that residual risk is within tolerance and no further controls are cost-justified. Accepting risk isn't ignoring risk: it requires explicit sign-off from a manager with the authority to bear the potential loss, documentation of the rationale, and a monitoring plan with periodic re-evaluation, because the acceptance is only valid for the conditions (threat landscape, asset value, controls in place) under which it was made.
⚠️ Exam Trap — Critical: The four CISSP risk response options are avoid, mitigate, transfer, and accept. You will also see "reduce," "reject," "assign," "share," and "ignore" in answer choices. "Reduce" = mitigate, "assign" and "share" = transfer; these are acceptable synonyms. "Reject" and "ignore" are NOT valid risk responses and are almost always wrong answers: a risk that has been identified cannot be un-identified, only treated.
Reflection Question: Your organization uses a third-party SaaS provider to process payroll data. A security audit reveals the provider has poor security controls. Your organization buys cyber insurance. Has the risk been transferred? What risk remains, and who is accountable for it?