This chapter covers the four primary risk treatment options recognized by the SY0-701 exam: accept, avoid, transfer, and mitigate. Understanding when and how to apply each is critical for the Security Program Management domain, especially for scenario-based questions. This chapter maps to Objective 5.2: Explain the importance of risk management processes and concepts. You will learn the precise definitions, real-world applications, and common exam traps for each treatment strategy.
Think of risk treatment like managing the financial impact of a car accident. You have four choices. You can accept the risk by self-insuring — you set aside $5,000 in a savings account for minor fender benders. You avoid the risk by never driving — you take the bus everywhere. You transfer the risk by buying insurance — you pay a premium to an insurance company, and if you crash, they pay for repairs (minus deductible). You mitigate the risk by installing anti-lock brakes and taking a defensive driving course to reduce the chance of an accident. In cybersecurity, the same logic applies: you can accept the residual risk (budget for potential loss), avoid the risk by not using a vulnerable technology, transfer the risk by purchasing cyber insurance, or mitigate by implementing controls like firewalls and encryption. The key is that each option has a cost and a residual risk. Insurance doesn't prevent the accident; it just pays for the damage. Similarly, cyber insurance doesn't stop a breach; it covers the financial fallout. Mitigation reduces likelihood or impact but doesn't eliminate it. Avoidance means you don't engage in the risky activity at all, which may not be possible if the activity is core to business operations.
What Are Risk Treatment Options?
Risk treatment is the process of selecting and implementing measures to modify risk. NIST SP 800-39 (Managing Information Security Risk) names the risk response options as accept, avoid, mitigate, and share or transfer; NIST SP 800-30 covers the assessment step that produces the likelihood and impact figures the decision is based on. The goal is to bring residual risk within the organization's risk appetite. SY0-701 expects you to distinguish between these four options and select the appropriate one based on scenario details.
Risk acceptance means acknowledging the risk and choosing to take no further action beyond existing controls. This is not ignorance; it's a deliberate decision after cost-benefit analysis. Organizations accept risk when the cost of mitigation exceeds the potential loss, or when the risk is within the risk appetite. For example, a small business might accept the risk of a minor data breach from a low-value legacy system because upgrading would cost more than the expected loss. Acceptance must be documented and approved by management. It often applies to low-likelihood, low-impact risks. The residual risk is retained.
Risk avoidance means eliminating the risk by discontinuing the activity that creates it. For example, if a company determines that using a third-party cloud service introduces unacceptable risk, it may decide to avoid that risk by not using the service at all. Avoidance can also mean choosing a different technology or process. However, avoidance can hinder business objectives. The exam tests that avoidance is the most absolute treatment — it removes the risk entirely but may not be feasible.
Risk transfer shifts the financial impact of a risk to another party, typically through insurance or contracts. For example, a company purchases cyber liability insurance to cover costs from a data breach. Another common method is outsourcing certain operations to a vendor who assumes the risk. Note that transfer does not eliminate the risk; it only shifts the financial burden. The organization still has reputational and operational consequences. SY0-701 emphasizes that risk is transferred, not the responsibility — the organization remains accountable for compliance.
Risk mitigation (also called risk reduction) involves implementing controls to reduce the likelihood or impact of a risk. This is the most common treatment. Mitigation can be preventive (e.g., firewalls), detective (e.g., IDS), or corrective (e.g., backups). The goal is to bring the risk to an acceptable level. Mitigation always leaves some residual risk. The exam often presents scenarios where you must choose mitigation over other options because it's the most practical.
How to Choose the Right Option
Risk treatment selection depends on the risk level (likelihood and impact), cost of treatment, and risk appetite. A common decision framework:
If risk is high and can be eliminated without major business impact → Avoid.
If risk is high but can be transferred cost-effectively → Transfer.
If risk is moderate and controls are cost-effective → Mitigate.
If risk is low or cost of treatment exceeds benefit → Accept.
SY0-701 scenario questions often describe a specific situation with cost figures, and the comparison they want is annual control cost against annualized loss expectancy, not against the one-time impact. For example: "A vulnerability has a 10% chance of occurring each year with a $100,000 impact. The control costs $50,000 per year. What is the best treatment?" The ALE is 10% x $100,000 = $10,000 per year, so a $50,000 annual control costs five times the expected loss, and acceptance (or a cheaper control) is the better answer. If the same control cost $5,000 per year, mitigation would be justified. Watch for one-time costs: a $50,000 purchase that lasts five years is $10,000 per year, which is break-even against this ALE.
Residual vs. Inherent Risk
Inherent risk is the risk before any controls are applied. Residual risk is the risk after controls. Risk treatment aims to reduce residual risk to an acceptable level. The exam may ask about the difference. For example, after implementing encryption (mitigation), the residual risk of data theft is lower but not zero.
Real-World Example: Equifax Breach
Equifax suffered a massive breach in 2017 through an unpatched Apache Struts vulnerability (CVE-2017-5638) for which a fix was already available. The company had not mitigated by patching, so it ended up absorbing significant financial and reputational damage after the fact. Patching was the treatment that would have prevented the breach; cyber insurance (transfer) could only have offset part of the cost, and no policy restores stolen records or customer trust. The exam uses such high-profile cases to illustrate the consequences of poor risk treatment.
Command/Tool Examples
While risk treatment is a management process, tools like risk registers are used. Example entries:
Risk ID: R-001
Description: Unpatched web server
Likelihood: High
Impact: Critical
Inherent Risk: High
Treatment: Mitigate
Control: Patch management policy
Residual Risk: Low
Another example using the quantitative risk analysis formulas:
SLE (Single Loss Expectancy) = AV (Asset Value) x EF (Exposure Factor)
ALE (Annualized Loss Expectancy) = SLE x ARO (Annualized Rate of Occurrence)
Compare the ALE with the annual cost of the control: if ALE is $50,000 and the control costs $20,000 per year, mitigation is justified. If the control costs $60,000 per year, acceptance (or a cheaper control) might be chosen. The fuller form also subtracts the loss that remains after the control: value of safeguard = ALE before - ALE after - annual cost of safeguard.
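The decision framework above and these formulas carried through in code, as an added example for this chapter rather than anything from the exam objectives or NIST. It computes SLE and ALE for two constructed risks, values each control as ALE before minus ALE after minus annual control cost, and picks accept, mitigate or transfer from the numbers; avoidance is left to the business, since no figure can decide to stop an activity. The dollar amounts, control names and reduction factors are assumptions.

```python
"""Quantitative treatment comparison using SLE, ARO and ALE.

Added example for this chapter, not exam or NIST code. Dollar figures,
control names and the reduction factors are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of the asset at risk, in dollars
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float               # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # ACS: yearly cost (one-off purchases amortised over their life)
    aro_reduction: float = 0  # fraction by which the control lowers ARO (preventive effect)
    ef_reduction: float = 0   # fraction by which the control lowers EF (corrective effect)


def treated_risk(risk: Risk, control: Control) -> Risk:
    """The same risk after the control is applied: lower ARO and/or EF, never zero."""
    return replace(risk,
                   exposure_factor=risk.exposure_factor * (1 - control.ef_reduction),
                   aro=risk.aro * (1 - control.aro_reduction))


def control_value(risk: Risk, control: Control) -> float:
    """Cost-benefit of a safeguard: ALE before - ALE after - annual cost of control."""
    return risk.ale() - treated_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, controls: list, insurance_premium: Optional[float] = None) -> dict:
    """Pick accept, mitigate or transfer from the numbers alone.

    Avoidance (stop the activity) is a business decision the figures cannot
    make, so it is never returned here.
    """
    best = max(controls, key=lambda c: control_value(risk, c), default=None)
    if best is not None and control_value(risk, best) > 0:
        return {"treatment": "mitigate", "control": best.name,
                "residual_ale": treated_risk(risk, best).ale()}
    # No control pays for itself: compare the premium with the expected annual loss.
    if insurance_premium is not None and insurance_premium < risk.ale():
        # Likelihood and impact are unchanged; only who pays changes.
        return {"treatment": "transfer", "premium": insurance_premium,
                "residual_ale": risk.ale()}
    return {"treatment": "accept", "residual_ale": risk.ale()}


# Constructed inputs. The first mirrors the exam-style question above:
# $100,000 impact, 10% chance per year, a $50,000-per-year control.
EXAM_RISK = Risk("data exposure on legacy system", asset_value=100_000,
                 exposure_factor=1.0, aro=0.10)
EXAM_CONTROL = Control("platform upgrade", annual_cost=50_000, aro_reduction=0.9)

WEB_RISK = Risk("unpatched web server compromise", asset_value=500_000,
                exposure_factor=0.4, aro=0.5)
PATCHING = Control("patch management programme", annual_cost=20_000, aro_reduction=0.8)
WAF = Control("managed WAF", annual_cost=60_000, aro_reduction=0.85)

if __name__ == "__main__":
    for risk, ctrls in ((EXAM_RISK, [EXAM_CONTROL]), (WEB_RISK, [PATCHING, WAF])):
        print(f"{risk.name}: SLE=${risk.sle():,.0f} ALE=${risk.ale():,.0f}")
        for c in ctrls:
            print(f"  {c.name}: value=${control_value(risk, c):,.0f}")
        print("  ->", recommend(risk, ctrls, insurance_premium=8_000))
```

The "10% chance" in the exam wording is modelled as an ARO of 0.10, and `annual_cost` must already be annualized; feeding a one-time purchase price in unchanged is exactly the mistake the paragraph above warns about. With the constructed figures the exam risk has an ALE of $10,000, the $50,000 control has a negative value, and the recommendation is accept (or transfer if an $8,000 premium is on the table), while the web server risk is mitigated by patching because that control returns $60,000 a year net.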
Key Standards
NIST SP 800-30: Guide for Conducting Risk Assessments
ISO 31000: Risk Management Principles and Guidelines
FAIR (Factor Analysis of Information Risk): Quantitative risk analysis model
SY0-701 may reference these standards in questions about risk management processes.
Identify and Assess the Risk
First, perform a risk assessment to identify threats, vulnerabilities, and potential impacts. Use qualitative or quantitative methods. For example, a vulnerability scanner might find a critical SQL injection flaw. The risk is rated as high likelihood and high impact. Document the inherent risk in a risk register. This step determines the baseline before treatment.
Evaluate Treatment Options
For each identified risk, evaluate the four treatment options: accept, avoid, transfer, mitigate. Consider cost, feasibility, and alignment with risk appetite. For the SQL injection flaw, mitigation (input validation and patching) is likely the best option. Avoidance would mean taking the web app offline, which may not be acceptable. Transfer could involve cyber insurance, but that doesn't fix the vulnerability. Acceptance would be irresponsible for a critical risk.
Select and Implement Treatment
Choose the most appropriate treatment and implement it. For mitigation, deploy a web application firewall (WAF) and patch the code. Update the risk register with the selected treatment and residual risk level. For transfer, purchase a cyber insurance policy. For avoidance, decommission the vulnerable system. For acceptance, document the decision and monitor the risk.
Monitor and Review
Continuously monitor the effectiveness of the treatment. Residual risk may change over time. For example, a patched vulnerability may resurface if a bypass for the patch is published or the server is rebuilt from an unpatched image, and an accepted risk may grow as the asset's value or exposure changes. Reassess periodically and adjust treatment if needed. The risk register should be updated with review dates and findings. This step ensures that risk treatment remains appropriate.
Document and Report
Document all risk treatment decisions in the risk register. Include rationale, residual risk, and approval by management. Report to stakeholders, such as the board of directors, on the organization's risk posture. This documentation is crucial for audits and compliance. The exam may ask about the importance of documenting risk acceptance decisions.
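The five steps above as a check run over a risk register, added here as an example and not taken from any standard or tool. It scores likelihood times impact on a four-level scale, compares the residual rating with the risk appetite, and flags entries whose recorded treatment contradicts its own rules: an acceptance with no approver, a mitigation whose residual is no lower than its inherent rating, a transfer that lowered the rating, an avoidance whose activity is still running, and a review that is overdue. The scale, the rating bands, the 90-day review interval and the three sample entries are constructed assumptions.

```python
"""Risk register consistency check.

Added example for this chapter, not taken from any standard or tool. The
four-level scale, the rating bands, the 90-day review interval and the
sample entries below are constructed assumptions.
"""
from datetime import date, timedelta

LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # assumed scale
RANK = {"low": 0, "moderate": 1, "high": 2}                   # rating order
TREATMENTS = {"accept", "avoid", "transfer", "mitigate"}
AUDIT_DATE = date(2024, 6, 1)                                 # assumed review date


def score(likelihood: str, impact: str) -> int:
    """Qualitative score: likelihood x impact on the 1-4 scale."""
    return LEVEL[likelihood] * LEVEL[impact]


def rating(s: int) -> str:
    """Band a score into the low / moderate / high rating recorded in the register."""
    if s >= 9:
        return "high"
    if s >= 4:
        return "moderate"
    return "low"


def check_entry(entry: dict, appetite: str, today: date, review_days: int = 90) -> list:
    """Return findings for one entry; an empty list means it is consistent."""
    treatment = entry["treatment"]
    if treatment not in TREATMENTS:
        return [f"unknown treatment '{treatment}'"]
    findings = []
    inherent = score(entry["likelihood"], entry["impact"])
    residual = score(entry["residual_likelihood"], entry["residual_impact"])

    if treatment == "accept":
        # Acceptance is a documented management decision that adds no controls.
        if not entry.get("approved_by"):
            findings.append("acceptance recorded without management approval")
        if residual != inherent:
            findings.append("accept adds no controls, so residual must equal inherent")
    elif treatment == "mitigate":
        if not entry.get("control"):
            findings.append("mitigation recorded without a named control")
        if residual >= inherent:
            findings.append("mitigation recorded but residual is not lower than inherent")
    elif treatment == "transfer":
        # Transfer moves the financial burden; likelihood and impact to the
        # organisation are unchanged, so the rating should not drop.
        if not entry.get("counterparty"):
            findings.append("transfer recorded without an insurer or vendor")
        if residual < inherent:
            findings.append("transfer does not lower likelihood or impact")
    elif treatment == "avoid":
        if entry.get("status") != "retired":
            findings.append("avoid chosen but the activity is still running")

    # Unless the activity has been retired, what remains must fit the appetite.
    if treatment != "avoid" and RANK[rating(residual)] > RANK[appetite]:
        findings.append(f"residual {rating(residual)} exceeds appetite {appetite}")
    if entry["last_review"] + timedelta(days=review_days) < today:
        findings.append("review overdue")
    return findings


def audit_register(register: list, appetite: str, today: date) -> dict:
    """Map each risk ID that has findings to its list of findings."""
    result = {}
    for entry in register:
        findings = check_entry(entry, appetite, today)
        if findings:
            result[entry["id"]] = findings
    return result


# Constructed sample register; owners, dates and ratings are made up.
REGISTER = [
    {"id": "R-001", "description": "Unpatched web server", "owner": "IT Manager",
     "likelihood": "high", "impact": "critical", "treatment": "mitigate",
     "control": "Patch management policy",
     "residual_likelihood": "low", "residual_impact": "medium",
     "last_review": date(2024, 5, 10)},
    {"id": "R-002", "description": "Card skimming on legacy payment system",
     "owner": "Business owner", "likelihood": "high", "impact": "high",
     "treatment": "accept", "approved_by": None,
     "residual_likelihood": "high", "residual_impact": "high",
     "last_review": date(2024, 1, 15)},
    {"id": "R-003", "description": "Breach of PHI at cloud provider", "owner": "CISO",
     "likelihood": "medium", "impact": "critical", "treatment": "transfer",
     "counterparty": "Cyber insurer",
     "residual_likelihood": "low", "residual_impact": "medium",
     "last_review": date(2024, 5, 20)},
]

if __name__ == "__main__":
    for risk_id, findings in audit_register(REGISTER, "moderate", AUDIT_DATE).items():
        print(risk_id, "->", "; ".join(findings))
```

Run against the sample register with a moderate appetite, R-001 passes, R-002 is reported three times (no approver, residual high above appetite, review overdue) and R-003 is reported once because the transfer entry lowered the rating. The transfer rule follows the convention used in this chapter; some programs do record a lower financial impact after insurance, and a register check should encode whichever convention the program has written down.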
Scenario 1: Small Business with Limited Budget
A small retail company has a legacy payment system that is vulnerable to card skimming. The cost to upgrade is $50,000 (one-time), and the expected annual loss from a breach is $10,000. The business owner decides to accept the risk because the cost of mitigation exceeds the expected loss over the system's remaining life. The risk is documented, and the owner sets aside $10,000 as a contingency. Two checks a practitioner would add: amortize the one-time cost over the years the system will stay in service before comparing it with the annual loss, and confirm that PCI DSS obligations for the cardholder data environment allow a known weakness to be left in place at all, since acceptance is not an option where a contract or regulation requires the fix. A common mistake would be to assume acceptance means doing nothing; proper acceptance requires documentation and acknowledgment of residual risk.
Scenario 2: Healthcare Provider and PHI
A hospital uses a third-party cloud service for storing patient records. The cloud provider has a history of breaches. The hospital decides to transfer the risk by requiring the provider to sign a contract that indemnifies the hospital for any breach costs. Additionally, the hospital purchases cyber insurance. However, the hospital still has responsibility under HIPAA — transfer does not absolve them of compliance. An analyst reviewing the contract would ensure that the provider's security controls meet HIPAA requirements. A common mistake is thinking transfer removes all risk; the hospital still faces reputational damage.
Scenario 3: Financial Institution and Remote Access
A bank discovers that allowing employees to use personal devices for remote access introduces a high risk of data exfiltration. The bank decides to avoid the risk by prohibiting personal device use and issuing company-managed laptops with full disk encryption and MDM. This removes the risk that personal devices introduced; exfiltration through the managed devices is a separate risk that the encryption and MDM controls mitigate. The SOC would see no more personal devices connecting, provided the remote-access gateway enforces the policy (for example, by requiring a device certificate or an MDM compliance check rather than user credentials alone). A mistake would be to mitigate with just a VPN, which doesn't control the endpoint. Avoidance is appropriate when the risk is unacceptable and the activity is not essential.
Scenario 4: E-commerce Site and DDoS
An online retailer faces frequent DDoS attacks. The company mitigates by using a CDN with DDoS protection (e.g., Cloudflare). The residual risk is low. The SOC would see attack traffic being filtered. A common mistake is to accept the risk and hope for the best, which could lead to extended downtime. Mitigation is justified because the cost of protection is lower than the revenue loss per hour of downtime.
What SY0-701 Tests
Objective 5.2 expects you to explain risk management processes, including risk treatment options. Specifically, you must:
Differentiate between accept, avoid, transfer, and mitigate.
Identify the appropriate treatment based on a scenario (cost, feasibility, risk level).
Understand residual vs. inherent risk.
Recognize that risk transfer does not eliminate risk.
Know that risk acceptance requires management approval and documentation.
Common Wrong Answers
Choosing 'transfer' when the scenario mentions insurance but also includes a control that reduces risk. Candidates often pick transfer because they see 'insurance,' but if the question also mentions implementing security controls, the correct answer is 'mitigate.' Insurance alone is transfer, but if the company also patches, it's mitigation.
Selecting 'avoid' when the scenario describes discontinuing a risky activity but the activity is critical. Avoidance is only correct if the activity can be stopped without major business impact. If the scenario says 'the company cannot stop using the service,' then avoid is wrong.
Confusing 'accept' with 'ignore.' Acceptance is a deliberate decision with documentation. If the scenario says 'the company decides to take no action and does not document it,' that is not acceptance — it's negligence.
Key Terms
Inherent risk: Risk before controls.
Residual risk: Risk after controls.
Risk appetite: Amount of risk the organization is willing to accept.
Risk register: Document that records risks and treatment.
SLE, ARO, ALE: Quantitative risk analysis terms.
Trick Questions
A question may describe a company that 'purchases cyber insurance and implements a firewall.' The treatment is mitigation (firewall), not transfer (insurance). The exam wants to see which treatment is the primary one.
A scenario may say 'the company decides to stop using a vulnerable software.' That's avoidance, not mitigation.
'The company accepts the risk because the cost of mitigation is higher than the potential loss.' That is correct acceptance.
Decision Rule
When reading a scenario, identify the key action:
If the action removes the risk entirely (stop using, discontinue) → Avoid.
If the action reduces risk (patch, firewall, training) → Mitigate.
If the action shifts financial burden (insurance, outsourcing) → Transfer.
If the action is 'no action' after documented approval → Accept.
If multiple actions are present, the primary one that changes the risk level determines the answer.
Risk treatment options: Accept, Avoid, Transfer, Mitigate (AATM).
Acceptance requires documented approval by management; it is not ignorance.
Avoidance eliminates risk by discontinuing the risky activity.
Transfer shifts financial impact (e.g., cyber insurance) but not responsibility.
Mitigation reduces risk via controls; residual risk remains.
Inherent risk is before controls; residual risk is after controls.
Quantitative risk analysis uses SLE, ARO, and ALE formulas.
NIST SP 800-30 and ISO 31000 are key risk management standards.
Risk appetite defines how much risk the organization is willing to accept.
Risk treatment is an ongoing process, not a one-time decision.
These come up on the exam all the time. Here's how to tell them apart.
Risk Acceptance
No new controls implemented
Residual risk equals inherent risk
Used when cost of mitigation > potential loss
Requires formal documentation and approval
Risk remains unchanged
Risk Mitigation
New controls implemented to reduce risk
Residual risk is lower than inherent risk
Used when cost of mitigation < potential loss
Controls can be preventive, detective, corrective
Risk is reduced but not eliminated
Risk Transfer
Shifts financial burden to another party
Risk still exists for the organization
Examples: insurance, outsourcing
Does not reduce likelihood or impact
Organization retains accountability
Risk Avoidance
Eliminates the risk entirely
Risk is removed by discontinuing activity
Examples: not using a vulnerable technology
May hinder business objectives
No residual risk from that activity
Mistake
Risk transfer means you no longer have to worry about the risk.
Correct
Transfer only shifts the financial impact. The organization still has legal, regulatory, and reputational responsibilities. For example, even with cyber insurance, you must still notify affected customers and comply with breach notification laws.
Mistake
Risk acceptance means doing nothing at all.
Correct
Acceptance requires a formal, documented decision by management that the risk is within risk appetite. It is not ignorance. The risk should be monitored and reassessed periodically.
Mistake
Risk avoidance is always the best option.
Correct
Avoidance can be impractical if the risky activity is essential to business operations. For example, an online retailer cannot avoid using the internet. Avoidance should be used only when the risk outweighs the benefit and a suitable alternative exists.
Mistake
Mitigation eliminates the risk completely.
Correct
Mitigation reduces risk to an acceptable level but never eliminates it entirely. There is always residual risk. For example, even with a firewall, some sophisticated attacks may bypass it.
Mistake
Risk treatment is a one-time activity.
Correct
Risk treatment is an ongoing process. Risks evolve, and controls may become ineffective. Regular reviews and updates are necessary. NIST SP 800-30 emphasizes continuous monitoring.
Risk acceptance means no controls are added; the organization acknowledges the risk and bears the potential loss. Risk mitigation involves implementing controls to reduce the likelihood or impact. Acceptance is chosen when the cost of mitigation exceeds the potential loss, while mitigation is chosen when controls are cost-effective. For example, accepting a $1,000 risk because a control costs $2,000 versus mitigating a $100,000 risk with a $50,000 control.
Choose avoidance when the risk is too high and the activity can be eliminated without significant business impact. For example, if a company discovers that using a certain cloud provider introduces unacceptable risk, and the service is not critical, they can avoid by switching to a different provider. Avoidance is the most absolute treatment but may not be feasible for core business functions.
No. Cyber insurance transfers the financial risk but does not eliminate the operational, reputational, or compliance risks. The organization is still responsible for breach notification, customer trust, and regulatory fines. Insurance only covers certain costs, and policies have exclusions. For example, if a breach results from a known vulnerability that wasn't patched, the insurer may deny coverage.
Residual risk is the risk that remains after controls are implemented. In a quantitative model it is the inherent loss expectancy reduced by the control's effectiveness (for example, an ALE of $100,000 and a control that removes 70% of the likelihood leave a residual ALE of $30,000); in a qualitative model it is the likelihood and impact re-rated with the control in place, so a high inherent rating may drop to moderate. Residual risk must be within the organization's risk appetite. If not, additional controls or other treatments are needed.
A risk register documents identified risks, their likelihood, impact, inherent risk level, chosen treatment, controls, residual risk, and status. It is used for tracking and reporting. For example, a risk register entry might show: 'Risk: Unpatched server; Treatment: Mitigate (patch); Residual Risk: Low; Owner: IT Manager.' The register is a key tool for risk management and audit.
Risk appetite is the amount of risk an organization is willing to accept. If the risk is within appetite, acceptance may be appropriate. If it exceeds appetite, mitigation, transfer, or avoidance is needed. For example, a bank with low risk appetite would mitigate or avoid high risks, while a startup might accept more risk to achieve growth.
Inherent risk is the level of risk before any controls are applied. Residual risk is the level after controls. For example, a web server without a firewall has high inherent risk. After installing a firewall, the residual risk is lower. The goal of risk treatment is to reduce residual risk to an acceptable level.