Risk avoidance is practiced when other alternatives are unacceptable, and usually results in not pursuing business opportunities. Most business people have good reasons for wanting to do the business activities they plan and if information technology becomes a barrier to doing business, the security risks must often be taken just as the financial risks associated with the venture must be taken if success is to be achieved. But risk avoidance is also practiced by many businesses when they have a clear understanding of risks and those risks are truly high.
Risk acceptance is the most common mode of operation today and it results in the staggering losses we see in the marketplace. When risk management is not properly carried out, residual risk is accepted by default. When proper risk management is undertaken, residual risk is quantified and understood by the decision makers and accepted in a rational decision.
Risk transfer typically involves insurance of some sort, but risk is indirectly transferred to shareholders when a risk is accepted, and risk can often be contractually transferred. Contractually transferred risk is a very touchy thing because most companies are hesitant to sue over contractual lapses, suits take a long time, there are limits as to what can be really transferred. Reputation risks don't transfer in any circumstance and thus form a residual risk associated with any risk transfer. Risk transfer is necessary whenever outsourcing anything with substantial consequence, and this is one of the reasons to seriously consider these issues when outsourcing.
Risk mitigation typically involves the implementation of a variety of safeguards intended to reduce risk while leaving an acceptable or transferable residual risk. The form of risk mitigation to be taken is a very complex issue. Many of the security decisions included in this book and most of the time and effort spent in technical information protection deals with risk mitigation issues.
Risk management is at the discretion of top management, however, reasonable and prudent top management often makes selections based on the criteria provided here.
A more complex analysis can be done by weighting acceptability, transferability, and reducibility, and applying metrics, but the cases where such analysis is helpful are quite rare.