In the organization where you work, information of a very sensitive nature is processed. Management is legally obliged to implement the highest-level security measures. What is this kind of risk strategy called?

A. Risk bearing
B. Risk avoiding
C. Risk neutral

Explanation:
Risk bearing means that certain risks are accepted. This could be because the costs of the security measures exceed the possible damage. But it could also be that management decides to do nothing even if the costs are not higher than the possible damage. The measures that a risk-bearing organization takes in the area of information security are usually of a repressive nature.
Risk neutral means that security measures are taken such that the threats either no longer manifest themselves or, if they do, the resulting damage is minimized. The majority of measures taken in the area of information security by a risk neutral organization are a combination of preventive, detective and repressive measures.
Risk avoidance means that measures are taken so that the threat is neutralized to such an extent that it no longer leads to an incident. Consider, for example, the software patches for an operating system. By patching the OS immediately after the patches are available, you are protecting your system against known technical problems or security issues. Many of the countermeasures within this strategy have a preventive character.