
Security Risk Management

INSTRUCTIONS:

What factors might determine which traditional method for treating risk (reduce, transfer, avoid, redistribute, and accept) would be the most appropriate to take in order to appropriately manage an identified risk? What are the three distinct stages found within the ISO 31000 Risk Management process, and what are some examples of how the security manager would carry each out?

EXAMPLE:

The ISO 31000 Risk Management Standard provides a process for managing risk and is applicable to all industries. ISO 31000 is broken down into three stages: establishing the context, risk assessment, and risk treatment. The first stage, establishing the context, is the most important stage of the process. Setting the context allows managers to define the specific risk and how it relates to an organization's objectives. The context stage relies on the strengths, weaknesses, opportunities, and threats (SWOT) (2013, p. 59), which correlate to the organization's internal and external environments. The second stage, risk assessment, allows organizational members to come together for the purposes of identifying, assessing, and evaluating risk. The strengths and weaknesses from the first stage are applied in the risk assessment stage. The second stage takes into consideration the consequences, likelihood, and degree of each that may result from realization of the risk (2013, pp. 59-60). For managers to understand or determine a level of consequence and likelihood, the internal controls which alleviate risk must be considered (2013, p. 61). After identifying and assessing risks, leaders should rank them in descending order of severity. Risk treatment is the final stage in the ISO 31000 standard. Risk treatment assists managers in determining mitigation strategies, which are broken down into five different methods: reduce the risk, transfer the risk, avoid the risk, redistribute the risk, or accept the risk. Reduction involves refining and enhancing current control measures.
Transference entails entrusting an outside agency with the risk. Avoidance is the practice of eliminating the measure which is causing the risk. Redistribution implies spreading the risk to avoid a centralized vulnerability, and the last method, acceptance, is simply coming to terms with the risk and its consequences. I believe the two major factors in determining risk treatment are probability (non-security organization) and consequence. Authors Smith and Brooks advise against utilizing mathematical standards in the security industry, as exhibited in probabilistic statistics; instead, security should focus on the likelihood of risk and its qualitative value. Consequence is associated with the damage and cost caused by a threat and can have an impact on cost as it relates to financial, physical, intellectual, implicit, and perceptual costs (2013, pp. 55-56).