A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:
Avoidance is the decision to stop the risky activity.
Why this answer
Decommissioning the legacy system and migrating to a modern platform eliminates the risk entirely by removing the vulnerable asset from the environment. This is the definition of risk avoidance, as the organization chooses not to engage with the risk at all rather than reducing or transferring it. The decision directly addresses the high risk of failure and lack of vendor support by removing the system from operation.
Exam trap
The trap here is that candidates often confuse risk avoidance with risk mitigation, mistakenly thinking that any proactive action (like migrating) is a form of mitigation, whereas avoidance specifically means ceasing the activity that generates the risk.
How to eliminate wrong answers
Option B is wrong because risk transfer would involve shifting the financial impact of failure to a third party (e.g., purchasing cyber insurance or outsourcing to a managed service provider), not removing the system. Option C is wrong because risk mitigation would involve implementing controls to reduce the likelihood or impact of failure (e.g., adding monitoring, applying patches, or isolating the system) while keeping it operational. Option D is wrong because risk acceptance means formally acknowledging the risk and its potential consequences without taking action, which contradicts the active decision to decommission and migrate.