LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four standard risk-treatment strategies, and when does each apply?

VERMEIDEN (avoid) · REDUZIEREN (reduce) · VERSCHIEBEN/TRANSFER (transfer) · AKZEPTIEREN (accept).

Strategy What it means Typical use Position on matrix
VERMEIDEN (Avoid) Don't take the risk at all — stop the project, exit the market When risk is so high or so poorly understood that engagement is irresponsible Top-right (high likelihood, high impact)
REDUZIEREN (Reduce) Lower likelihood and/or impact via technology and process The default for most cyber risks — firewalls, ISMS/ISO 27001, training Likely + medium impact
VERSCHIEBEN (Transfer) Move the financial consequence to a third party — insurance, outsourcing Rare-but-severe events that are uneconomical to fully control Low likelihood, high impact
AKZEPTIEREN (Accept) Live with the risk; the upside outweighs the downside Low likelihood and low impact Bottom-left (green zone)

Crucial nuance: Accountability ≠ Responsibility.

You can transfer the risk handling (outsource the SOC, buy insurance) — but the accountability for the asset always remains with the organisation. If your outsourced cloud provider leaks customer data, your customers blame you, regulators fine you, and your CEO testifies — not the provider.

Tip: Mnemonic — the four verbs Avoid · Reduce · Transfer · Accept (German VRVAVermeiden, Reduzieren, Verschieben, Akzeptieren). NIST and ISO 27005 use slightly different words for the same four: Risk Modification (reduce), Retention (accept), Avoidance, and Sharing (transfer).

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026