(ISC)2 Certified in Cybersecurity Practice Exam

What strategy involves changing business practices to eliminate the relevance of a risk?

• A. Risk Reduction
• B. Risk Avoidance
• C. Risk Transfer
• D. Risk Acceptance

The correct answer is: Risk Avoidance

The strategy of risk avoidance involves changing business practices in a way that completely eliminates the risk itself. This means that instead of simply mitigating or reducing the likelihood or impact of a risk, an organization re-evaluates its processes or practices to eliminate any activities that could lead to that risk occurring. For example, if a business identifies that a particular activity exposes them to cybersecurity threats, they might discontinue that activity altogether to avoid the associated risks. This strategy is especially relevant in scenarios where the risk is deemed unacceptable and cannot be sufficiently reduced through other means. By implementing avoidance strategies, organizations can effectively sidestep potential threats entirely, thereby enhancing their overall security posture. In contrast, risk reduction focuses on minimizing the impact or likelihood of a risk rather than eliminating it. Risk transfer involves shifting the risk to another party, such as through insurance or outsourcing, rather than modifying practices to remove the risk. Risk acceptance means acknowledging the risk and deciding to proceed without change, which does not align with the goal of completely eliminating the risk. Therefore, the correct identification of risk avoidance accurately reflects the approach being described in the question.