5.2 Risk management
📘 CompTIA Security+ (SY0-701)
When managing cybersecurity risks, organizations decide how to handle each risk they identify. There are four main strategies:
- Transfer
- Accept (Exemption/Exception)
- Avoid
- Mitigate
Let’s go through each one.
1. Transfer
Definition:
Transferring a risk means moving the responsibility for the risk to another party. You don’t eliminate the risk; you shift the financial or operational burden elsewhere.
IT-focused examples:
- Cyber insurance: If your organization purchases a cyber insurance policy, the insurer takes on some of the financial loss if a cyberattack happens.
- Cloud service agreements: Using a cloud provider means that some risks (like hardware failure or basic server security) are transferred to the provider.
Key exam points:
- You still need to know the risk exists.
- You transfer responsibility, not the risk itself.
- Often used when the cost of fully mitigating the risk is too high.
2. Accept (Exemption/Exception)
Definition:
Accepting a risk means consciously deciding not to take action against it. This is usually done when the cost of mitigating the risk is higher than the potential damage.
IT-focused examples:
- Legacy systems: An old server might be vulnerable to attacks, but upgrading it could be expensive. The organization decides to monitor it and accept the risk.
- Low-impact threats: If a phishing email has a very low chance of success, an organization might choose to accept the small risk rather than spend a lot on prevention.
Key exam points:
- Sometimes called risk acceptance.
- Often documented with an exemption or exception form.
- Usually applied to low-probability, low-impact risks.
3. Avoid
Definition:
Avoiding a risk means taking actions to completely eliminate the possibility of the risk occurring. If the risk cannot exist, there’s nothing to manage.
IT-focused examples:
- Disabling unused services: If a system service is not required, turning it off avoids potential exploitation of that service.
- Not storing sensitive data: If storing sensitive customer information increases risk and the business can operate without it, avoiding the risk by not storing it is an option.
Key exam points:
- Avoidance is proactive.
- It eliminates the risk entirely rather than reducing its impact.
- Sometimes it requires changing processes or decisions entirely.
4. Mitigate
Definition:
Mitigating a risk means reducing its likelihood or impact. The risk still exists, but controls are put in place to minimize harm.
IT-focused examples:
- Firewalls and antivirus software: Reduce the impact of malware infections.
- Multi-factor authentication (MFA): Reduces the likelihood of unauthorized account access.
- Regular patching: Reduces the chance of vulnerabilities being exploited.
Key exam points:
- Mitigation reduces risk; it doesn’t eliminate it.
- Often involves technical controls or policies/procedures.
- Common in IT because total avoidance or transfer is not always possible.
Quick Comparison Table
| Strategy | What it does | Example in IT Environment |
|---|---|---|
| Transfer | Shift risk to another party | Cyber insurance, cloud provider responsibility |
| Accept | Do nothing / accept the risk | Low-impact legacy system, low-risk phishing threats |
| Avoid | Eliminate the risk entirely | Disabling unused services, not storing sensitive data |
| Mitigate | Reduce likelihood or impact | Firewalls, MFA, patching, antivirus software |
Tips for the Exam
- Remember: Transfer ≠ Remove. You are just shifting responsibility; the risk still exists.
- Acceptance is a conscious decision and should be documented.
- Avoidance completely eliminates the risk, but sometimes it is not practical.
- Mitigation is the most common strategy in IT.
