1. The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken. Includes: (1) conducting a risk assessment; (2) implementing strategies to mitigate risks; (3) continuous monitoring of risk over time; and (4) documenting the overall risk management program.
Source: Explore Terms: A Glossary of Common Cybersecurity Terminology, National Initiative for Cybersecurity Careers and Studies (NICCS), https://niccs.us-cert.gov/about-niccs/glossary
3. The process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits. (JP 1-02 & JP 2-0).
3. A process by which decision makers accept, reduce, or offset risk and subsequently make decisions that weigh overall risk against mission benefits. (DoDD 3020.40, Critical Infrastructure, 14 Jan 2010).
4. Process and resultant risk of systematically identifying, assessing and controlling risks. Commanders/Directors are required to identify critical assets and their subsequent protection requirements, including future expenditures required for the protection requirements. (DoD 5200.08-R, Physical Security Program, 9 Apr 2007).
5. The process of selecting and implementing security countermeasures to accept or mitigate the risk of a known or suspected threat to an acceptable level based on cost and effectiveness. (IC Standard 700-1, 4 Apr 2008).
Source: Terms & Definitions of Interest for DoD Counterintelligence Professionals, Office of the National Counterintelligence Executive, https://www.dni.gov/files/NCSC/documents/ci/CI_Glossary.pdf