What is the primary goal of risk management?

  A. Ignore minor risks
  B. Identify, analyze, and mitigate risks to an acceptable level ✓
  C. Eliminate all risks
  D. Transfer all risks to insurance

Correct answer: Identify, analyze, and mitigate risks to an acceptable level

Option B is correct because the primary goal of risk management in security frameworks such as CISSP is to identify threats and vulnerabilities, analyze their likelihood and impact, and apply safeguards or controls to reduce residual risk to a level the organization formally accepts as tolerable, balancing cost against protection. Option A is wrong because ignoring minor risks violates the risk management principle of comprehensive identification and conscious acceptance; unaddressed low-probability risks can aggregate or escalate into significant incidents. Option C is wrong because eliminating all risks is both technically impossible and economically infeasible; the realistic and correct objective is reducing risk to an acceptable level, not zero risk. Option D is wrong because transferring all risks to insurance or third parties is one response strategy among several, not the overarching goal, and some residual risk always remains with the organization regardless of transfer mechanisms.

Topic: risk management, cissp, risk analysis, security governance