You are the owner of the courier company SpeeDelivery. You have carried out a risk analysis and now want to determine your risk strategy. You decide to take measures for the large risks but not for the small risks. What is this risk strategy called?

A.
Risk bearing

B.
Risk avoiding

C.
Risk neutral

Explanation:
Risk bearing, means that certain risks are accepted. This could be because the costs of the security measures exceed the possible damage. But it could also be that the management decides to do nothing even if the costs are not higher than the possible damage. The measures that a risk bearing organization takes in the area of information security are usually of a repressive nature.
Risk neutral means that security measures are taken such that the threats either no longer manifest themselves or, if they do, the resulting damage is minimized. The majority of measures taken in the area of information security by a risk neutral organization are a combination of preventive, detective and repressive measures.
Risk avoidance means that measures are taken so that the threat is neutralized to such an extent that it no longer leads to an incident.