A Chief Information Security Officer (CISO) determines that a major security incident will cost the company $500,000. The CISO purchases insurance to pay $400,000 of this projected cost. Which of the following risk management strategies has the CISO adopted?

Acceptance involves acknowledging the risk and choosing to bear the consequences without any proactive measures to transfer or mitigate it. In this scenario, the CISO has not accepted the full financial impact but instead has taken steps to alleviate it through insurance, which makes this choice incorrect.

Mitigation refers to strategies aimed at reducing the likelihood or impact of a risk through preventive measures. While purchasing insurance provides financial relief, it does not directly address the risk itself; rather, it shifts responsibility. Therefore, this choice does not accurately describe the CISO's actions.

Avoidance entails eliminating the risk entirely by changing plans or processes to prevent the risk from occurring. The CISO’s decision to purchase insurance does not eliminate the risk; it merely shifts the financial burden. Thus, avoidance does not apply in this situation.