Terminate Tolerate Transfer or Treat

August, 2016
IDA document: D-8114
FFRDC: Systems and Analyses Center
Type: Research Insights
Division: Information Technology and Systems Division
Authors:
A cyber vulnerabilities risk management approach should offer decision makers several choices for responding when assets are assessed as vulnerable to or experiencing cyber exploitation. Rather than simply accepting risk or investing in a mitigation action, decision makers need a framework to help them manage the dynamic, accelerating pace of cyber intrusion incidents. A framework based on the choices of Terminate, Tolerate, Transfer, and Treat affords a deeper understanding of what could be gained or lost. These choices present opportunities and consequences. The framework applies equally well to early investments and fully operational systems. Specific considerations for fully operational systems include the following.