Treating risk

So once we have found a vulnerability and a threat, and calculated their probability and impact, what comes next? The risk needs to be addressed.

Risk is handled in different ways:

  • Risk acceptance: The organization accepts the vulnerability and the possible threat as is
  • Risk avoidance: The organization removes any exposure to the threat
  • Risk remediation: The organization fixes the vulnerability so that it cannot be exploited
  • Risk mitigation: The organization lessens the likelihood of exploitation by putting compensating controls in place
  • Risk transference: The organization transfers the risk to another party so that if the vulnerability is exploited, the other organization incurs the cost