Risk exists when a threat can exploit a vulnerability to harm an asset. Assets include data, physical property, intellectual property, reputation, and digital infrastructure. Risk assessment weighs two factors: the likelihood that a vulnerability will be exploited and the severity (impact) of the resulting damage. Likelihood depends on how valuable the target is to an attacker, how difficult the vulnerability is to exploit, and how motivated the adversary is.

Once a risk is assessed, an organization chooses one of four responses: avoid the risky activity, transfer the risk to an insurer or third party, mitigate it with security controls, or accept it. Avoidance, transference, and mitigation rarely eliminate a risk entirely; what remains afterward is residual risk, which the organization must either consciously accept or treat further.

Security controls are described in two ways: by which security goal they protect (the CIA triad: confidentiality, integrity, availability) and by their type: physical controls such as locks and cameras, technical controls such as firewalls and encryption, and managerial controls such as policies and training. Defense in depth layers all three types so that no single failure exposes the whole system.
- CIA triad: Confidentiality (only authorized access), integrity (data is accurate and unaltered), and availability (systems are accessible when needed).
- Risk mitigation: Implementing security controls to reduce the likelihood or impact of a risk.
- Residual risk: The risk that remains after avoidance, transference, and mitigation have been applied; this is the level the organization must decide whether to accept.
- Defense in depth: A layered security strategy using multiple control types so that bypassing one layer does not expose the entire system.
- Managerial control: Policies, procedures, and training that govern how people behave to support security, such as an acceptable use policy.
Given a scenario, can you identify the asset, the threat, and the vulnerability? Can you recommend whether to avoid, transfer, mitigate, or accept a described risk and justify your choice?
| Risk Response | What It Does | When It Applies |
|---|---|---|
| Avoid | Stops the risky activity entirely | Activity is not essential to the mission |
| Transfer | Shifts financial burden to insurer or third party | Risk cannot be eliminated but cost can be shared |
| Mitigate | Adds controls to reduce likelihood or impact | Activity must continue; controls are feasible |
| Accept | Acknowledges residual risk without further action | Remaining risk is within tolerable limits |