Accepting the risk

Avoiding the risk

Purchasing cyber security insurance

Implementing a new security policy

The risk is transferred to another party

The risk is mitigated

The risk is completely avoided

The company decides to live with the risk

To comply with government regulations

Because a policy cannot be followed due to technical constraints

To avoid purchasing new equipment

To reduce operational costs

To avoid updating any software

To ensure all devices are patched immediately

To increase the frequency of patches

To allow time for software updates to be compatible with patches

Transferring the risk to another party

Completely removing the risk from the organization

Reducing the impact of a risk

Accepting the risk as it is

By accepting all internet-related risks

By avoiding all internet usage

By using a Next Generation firewall

By transferring the risk to another company

To avoid risks completely

To eliminate all risks

To track and document risks for management decisions

To transfer risks to another party