PrepAway - Latest Free Exam Questions & Answers

Which of the following technique is used by John to tre…

John is the product manager for an information system. His product has undergone a security review by an
IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the
IS auditor. Which of the following techniques is John using to treat the identified risks reported by the IS
auditor?

A. Risk Mitigation

B. Risk Acceptance

C. Risk Avoidance

D. Risk Transfer

Explanation:
Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting
business. The implementation of firewalls, training, and intrusion detection/prevention systems or other control
types represents a form of risk mitigation effort.
Incorrect Answers:
B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential
cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process
of reducing risk by implementing controls.
C: Risk avoidance is where a company removes the risk, for example by disabling a service or removing an
application deemed to be a risk. This is not the process of reducing risk by implementing controls.
D: Risk transference is where you assign the risk to someone else, for example by purchasing insurance, which
would transfer the risk to the insurance company. This is not the process of reducing risk by implementing
controls.

Reference: Harris, Shon. All-in-One CISSP Exam Guide, 6th Edition. McGraw-Hill, New York, 2013, pp. 97-98.
