Risk Reporting and Communication (Domain 5)
Understanding risk is one part of the puzzle. The other part is choosing how to respond to it. Every organization faces risk, but not all risks are handled the same way. Risk management strategies allow security teams and business leaders to take control by choosing whether to accept a risk, reduce it, eliminate it, or pass it on. In this episode, we explore four primary risk response strategies: transfer, acceptance, avoidance, and mitigation. These approaches help organizations balance security with operational goals—and they are critical knowledge for the Security Plus exam.
Let’s start with risk transfer. This strategy involves shifting the responsibility for handling the consequences of a risk to a third party. Risk is not eliminated—it is simply assigned to another entity that is better prepared to absorb it. This is commonly done through insurance, outsourcing, or service contracts.
Cyber insurance is a typical example of risk transfer. If a company faces the risk of a data breach, it might purchase insurance that covers legal fees, notification costs, and recovery expenses. The organization still works to prevent breaches, but if one occurs, the financial burden is shared with the insurance provider. Insurance is not a replacement for security—it is a financial safety net that helps manage residual risk.
Another form of transfer is outsourcing. A company might shift the risk of hosting and securing data to a cloud service provider. The provider agrees to certain responsibilities under a contract, such as maintaining system availability or encrypting customer data. If the provider fails, it may be held accountable through penalties, service credits, or legal action. In this way, the organization transfers some risk of infrastructure failure or mismanagement to a vendor with specialized capabilities.
Let’s consider a real-world example. A hospital needs to store and protect patient records but lacks the resources to build and secure its own data center. Instead, it contracts with a compliant, third-party cloud vendor. The vendor provides physical security, encryption, redundancy, and auditing capabilities. While the hospital remains responsible for patient privacy under the law, it reduces its direct exposure by transferring the technical risks to a provider with more expertise and infrastructure.
Next, let’s talk about risk acceptance. Acceptance means recognizing a risk, understanding its potential impact, and choosing not to take further action to reduce it. This decision is made when the cost of mitigating the risk is higher than the potential loss, or when the risk is considered minor. Risk acceptance must be intentional and documented. It is not the same as ignoring a risk.
Accepted risks are often managed with controls such as monitoring, reporting, or exception tracking. Many organizations allow exemptions or exceptions to standard security policies under strict conditions. These are examples of controlled risk acceptance.
For instance, a company might identify a legacy system that poses a moderate risk but is too expensive to replace in the short term. The system is isolated from other networks, closely monitored, and documented in the risk register as an accepted risk. Leadership understands the trade-off and agrees to review the status every quarter. This controlled approach ensures that acceptance is deliberate—not accidental.
Another practical example comes from a university department that uses a software tool not officially supported by the information technology team. The tool poses some security risks, but it is essential for specialized research. The university accepts the risk but requires the department to maintain strong access controls, limit data exposure, and report any issues immediately. A formal exemption is recorded, and the situation is reviewed annually. This is risk acceptance in action, managed through oversight and transparency.
Now let’s shift to risk avoidance. This strategy involves eliminating the risk entirely by changing plans, processes, or behaviors. If the organization avoids the activity that introduces the risk, then the risk does not exist. Risk avoidance is often the best choice when the potential impact is too high to tolerate, or when alternatives are available that carry significantly lower risk.
For example, an organization might decide not to collect certain types of sensitive data to avoid regulatory requirements and the risk of breach. If you do not collect personal health information, you cannot lose it. Similarly, a company might decide not to launch an online payment feature until its infrastructure has been fully hardened. In both cases, the risk is avoided by eliminating the conditions that would make it possible.
Consider this real-world scenario. A government agency is evaluating a plan to allow remote administrative access to sensitive databases. After assessing the potential for abuse or breach, the agency concludes that the risk is too high—even with encryption and multifactor authentication. Instead of moving forward, the agency decides to avoid the risk entirely by disallowing remote access and requiring all sensitive data changes to be performed on-site. This decision is not popular with users, but it reflects a commitment to protecting high-value data.
Finally, we arrive at risk mitigation. This is the most common and proactive strategy. Mitigation means taking action to reduce the likelihood or impact of a risk. The risk still exists—but its severity is lessened through technical, administrative, or physical controls.
Risk mitigation can involve implementing firewalls, encrypting data, segmenting networks, training users, applying patches, or changing operational processes. The key is that mitigation does not eliminate the risk—it reduces it to an acceptable level.
Let’s look at a familiar example. A company identifies a risk of credential theft through phishing. Rather than accepting the risk or avoiding email altogether, the company implements email filters, runs phishing simulations, and rolls out multifactor authentication. These controls do not stop phishing from happening—but they reduce the likelihood of success and limit the damage if it occurs.
Here’s another case. A logistics company uses an older warehouse management system that cannot be upgraded without major disruptions. To mitigate the risk of failure, the company creates redundant backups, tests disaster recovery procedures, restricts system access, and adds monitoring tools to detect anomalies. These mitigation steps reduce the risk of downtime, even though the original system remains in use.
Mitigation is especially powerful because it can be applied to almost any risk. While transfer, avoidance, and acceptance all require specific conditions, mitigation is flexible. It allows organizations to take responsibility for their risks and manage them actively. However, it does require resources, planning, and follow-through.
For the Security Plus exam, you will need to recognize all four strategies—transfer, acceptance, avoidance, and mitigation—and apply them correctly to different scenarios. Pay close attention to the keywords in the question. If you see references to contracts, insurance, or third parties, think transfer. If the risk is acknowledged and documented but no further control is applied to reduce it, it may be acceptance. If the plan is changed to prevent the risk entirely, it is avoidance. And if technical or procedural controls are added to reduce the likelihood or impact of the risk, it is mitigation.
Here is a quick exam tip. Think about the action being taken. Are they changing plans to prevent the risk from existing? That’s avoidance. Are they reducing exposure with tools or policies? That’s mitigation. Are they shifting responsibility? That’s transfer. Are they doing nothing now but monitoring or documenting the risk? That’s acceptance. These distinctions are the key to answering strategy questions with confidence.
If you would like templates for documenting risk acceptance decisions, examples of vendor risk transfer language, or worksheets to plan mitigation actions, visit us at Bare Metal Cyber dot com. And if you want the most effective Security Plus prep guide available, filled with real-world scenarios, practice questions, and focused explanations, visit Cyber Author dot me and pick up your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success.
