Risk mitigation is the risk treatment approach focused onreducing risk to an acceptable levelby lowering either the likelihood of a risk event, the impact of that event, or both. In cybersecurity risk management, mitigation is accomplished by implementingcontrols and countermeasuressuch as technical safeguards, process changes, and administrative measures. Examples include patching vulnerable systems, hardening configurations, enabling multi-factor authentication, applying least privilege, network segmentation, encryption, improved logging and monitoring, secure development practices, and user awareness training. Each of these actions reduces exposure or limits damage if an incident occurs.
The other options describe different risk treatment strategies, not mitigation. Purchasing insurance is generally consideredrisk transfer, where financial impact is shifted to a third party, but the underlying threat and vulnerability may still exist. Eliminating risk by stopping the risky activity isrisk avoidance; it removes the exposure by discontinuing the process, system, or behavior causing the risk. Documenting the risk and preparing a recovery plan aligns more closely withrisk acceptancecombined withcontingency planningor resilience planning; it acknowledges the risk and focuses on recovery rather than reducing the probability of occurrence.
Therefore, the correct definition of risk mitigation is reducing the risk through implementing one or more countermeasures.
