PrepAway - Latest Free Exam Questions & Answers

Of the multiple methods of handling risks that we must undertake to carry out business operations, which one involves using controls to reduce the risk?

A. Mitigation

B. Avoidance

C. Acceptance

D. Transference

Explanation:
Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting
business. The implementation of firewalls, training, and intrusion detection/protection systems or other control
types represents types of risk mitigation efforts.
Incorrect Answers:
B: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an
application deemed to be a risk. This is not the process of reducing risk by implementing controls.
C: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential
cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process
of reducing risk by implementing controls.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This
would transfer the risk to the insurance company. This is not the process of reducing risk by implementing
controls.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98
