Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3.3. Risk Response and Treatment Strategies

💡 First Principle: After risk analysis quantifies what you're dealing with, risk response makes the decision: how much of this risk will we carry, and what do we do about the rest? These decisions belong to business management — the security team informs them; it doesn't make them.

The four responses — reviewed in Section 1.4.2 — have important operational nuances at the Domain 1 level:

Risk Avoidance in practice often means not deploying a technology, not entering a market, or not processing a category of data. Example: deciding not to accept cryptocurrency payments eliminates the fraud and regulatory risk associated with cryptocurrency processing. The business trade-off is lost revenue opportunity vs. avoided risk.

Risk Mitigation is most of what security teams do. Key principle: mitigation never reduces risk to zero. Every control has limits. The residual risk after mitigation must still be formally accepted by management. Mitigation options include: technical controls (encryption, access control), administrative controls (policies, training), and physical controls (locks, guards).

Risk Transfer mechanisms:

  • Cyber insurance — transfers financial impact of breach costs, regulatory fines, notification expenses, PR costs, business interruption losses. Does NOT transfer accountability or prevent the breach.
  • Contracts and SLAs — transfers liability for specific failure scenarios to vendors. A vendor who breaches a contractual security obligation bears financial liability — but your organization still owns the data and the regulatory exposure.
  • Outsourcing — transfers operational risk of running a specific function, but not accountability for outcomes. A healthcare organization that outsources medical billing to a Business Associate is still responsible under HIPAA if that BA has a breach.

Risk Acceptance requires:

  1. Formal risk assessment documenting the risk
  2. Explicit written acceptance by the appropriate management authority (size of risk determines seniority required)
  3. Defined review period (risk environment changes; accepted risk may need re-evaluation)
  4. Monitoring plan to detect changes in risk level

💡 Key Point: The CISSP exam will test the difference between "risk acceptance" (formal, documented, management decision) and "risk ignorance" (the organization hasn't evaluated the risk and is unaware of it). Only the former is a legitimate risk response. The latter is a governance failure and potential negligence.

⚠️ Exam Trap: Cybersecurity insurance (risk transfer) is increasingly tested as a modern risk management tool. Key limitations: policies have exclusions (state-sponsored attacks, pre-existing conditions, failure to meet basic security hygiene requirements); insurers now require security audits before issuing policies; premiums reflect your security posture. Insurance is a complement to controls, not a substitute.

Reflection Question: A regional bank accepts the risk of running an unpatched legacy mainframe system because upgrading would cost $10M and the risk assessment suggests the risk is low. Six months later, a breach occurs through the unpatched vulnerability. The board's legal counsel asks: "Was the risk formally accepted by the appropriate authority?" Why does the answer to this question matter legally and from a governance standpoint?

Written by Alvin Varughese, Founder, 15 professional certifications