Much of the focus of risk mitigation is on implementing controls: preventative, detective and reactive. This is necessary in most cases, and continuous sustainment of those controls is critical, but it is not sufficient.
Avoiding risk by adjusting your reality. One of the often forgotten defender's advantages is that in many circumstances we control the landscape and can adjust it in our favor. There are many examples of this.
- Service heterogeneity and moving target defenses (with trade-offs, of course: the inherent risk reduction here can increase other risks).
- Service dependency isolation.
Neutralize or deter threats through a range of organizational, but mostly system-wide, activities: legal and regulatory action, societal norms, behavioral cues, education and deterrence.
In a world of Risk = Hazard + Outrage (h/t Peter Sandman), I don't often see transference working as anything other than a method of recouping costs and offsetting certain types of loss-absorbing capital.