Once you identify risks, you have treatment options. The right choice depends on cost and impact.
Mitigate. Reduce risk with controls. Add encryption, deploy firewalls, train users.
Transfer. Shift risk elsewhere. Buy insurance. Use cloud providers. Hire managed services.
Accept. Acknowledge risk and do nothing. Appropriate when mitigation cost exceeds potential impact.
Avoid. Eliminate risk by removing the activity. Stop using vulnerable software.
Risk decisions should involve business stakeholders. Security identifies risks. Business decides acceptable levels.