1 / 5
A finding that is critical AND easy to exploit should be prioritised as ___.
High severity combined with high exploitability is the most dangerous combination and should top the remediation queue.
2 / 5
A low-effort fix that removes a real risk is often called a ___.
Quick wins (e.g. enabling a header, rotating a key) deliver disproportionate risk reduction for little effort and build momentum.
3 / 5
When leadership decides to live with a low risk rather than fix it, that's documented as risk ___.
Risk acceptance is a deliberate, documented decision by an accountable owner to tolerate a residual risk.
4 / 5
Stating 'criticals within 7 days, highs within 30' defines remediation ___.
Remediation SLAs tie severity to a deadline, making expectations concrete and trackable for the engineering team.
5 / 5
Recommending which fixes to do first based on impact and effort is a ___ exercise.
Prioritisation sequences remediation by balancing risk reduction against the cost to fix, so limited capacity is spent well.