Mitigation

Cybersecurity programs must have comprehensive strategies for risk and risk mitigation. Risk mitigation occurs late in the risk framework life cycle, after risk has been identified, assessed, and prioritized, and is the systematic handling of that risk in a manner appropriate for the organization. Because it is a key step within the risk framework, every organization should have a comprehensive risk mitigation policy for effective cybersecurity.

Once risk is identified and assessed, there are several options for dealing with it: risk can be accepted, avoided, controlled, transferred, or watched/monitored. Any of these strategies can be appropriate for a given situation in a modern organization. A strong understanding of the business mission, practices, and technology is usually required to ensure that the chosen risk mitigation strategy is truly optimal and appropriate. Where the cost of mitigating a risk exceeds the potential damage from that risk, an organization may consciously choose to accept it.

Risk control is the practice of implementing technology and policy in order to explicitly reduce the possibility of certain risk occurrences. Risk avoidance is the practice of avoiding the use of risky technology or business practices. For example, if one form of data storage is known to be vulnerable to malware, an organization could choose to use a different form of data storage.

Risk transfer assigns the risk to a different party, separate from the organization, to be accountable for the risk. Buying cybersecurity insurance policies is a way for organizations to transfer a portion or all risks of a particular type to a third party.

Organizations can also monitor and watch risk as a further mitigation strategy. This approach is often chosen for budgetary reasons, or for situations where the magnitude of the risk is undetermined or not yet fully understood.

Risk strategy is a continuously improving process, and organizations must maintain continuous awareness of their cybersecurity risk.