Once we have found a vulnerability and a threat that can exploit it, and estimated the likelihood and impact of that happening, what comes next? The resulting risk has to be treated, and the decision has to be recorded so it can be reviewed later.
Risk is treated in one of several ways:
- Risk acceptance: The organization knowingly leaves the vulnerability and the possible threat as they are, usually because the cost of treating the risk exceeds the expected loss. Acceptance should be an explicit, documented decision by someone with the authority to make it, with a date for re-evaluation, not simply a finding that was never acted on.
- Risk avoidance: The organization removes its exposure to the threat entirely, for example by decommissioning the affected system, dropping the feature, or not collecting the data in the first place.
- Risk remediation: The organization fixes the underlying vulnerability (patching, changing the code, or correcting the configuration) so that it can no longer be exploited.
- Risk mitigation: The organization lowers the likelihood or the impact of exploitation by putting compensating controls in place, such as network segmentation, stricter access control, a web application firewall rule, or additional monitoring, while the underlying vulnerability remains. Mitigation is often the interim step until remediation is possible, and the compensating control itself should be tested.
- Risk transference: The organization shifts the cost of the risk to another party, typically through cyber insurance or a contract with a vendor or outsourcer, so that if the vulnerability is exploited the other party incurs the financial loss. Note that only the cost can be transferred: legal and regulatory accountability for the organization's own data and customers generally stays with the organization.