Given a specific risk, there are five strategies available to security decision makers to mitigate it: avoidance, reduction, spreading, transfer and acceptance. The goal of most security programs is to reduce risk. Risk mitigation is accomplished by decreasing the threat level (eliminating or intercepting the adversary before they attack), blocking opportunities through enhanced security, or reducing the consequences should an attack occur. Without question, the best strategy for mitigating risk is a combination of all three elements: decreasing threats, blocking opportunities and reducing consequences.
A logical mitigation strategy ties assets to threats and threats to vulnerabilities in order to identify risks. Solutions for the identified risks typically enhance three facets of security: Policies, Procedures and Training; Physical/Electronic Security Systems; and Security Personnel. A sound mitigation strategy maximizes existing security resources (optimization) and prioritizes Policies first, Systems second, and Personnel third.