What is the process called that aims to reduce risk impact or likelihood?

The correct answer is "Mitigation" because it refers specifically to the process of implementing strategies and measures to reduce the severity of risks or the likelihood of their occurrence. In the context of risk management, mitigation involves identifying potential risks and taking proactive steps to minimize their impact on an organization, thereby enhancing the overall security posture.

Mitigation strategies can include various actions such as putting in place security controls, creating backup systems, training staff on proper protocols, or even transferring risk through insurance. The goal is to lessen the consequences if a risk does materialize, which aligns directly with the concept of risk management.

While the other terms may seem related, they do not fully encapsulate the core focus of reducing risk impact or likelihood in the same way that mitigation does. Prevention might imply stopping a risk before it occurs but doesn't specifically address the reduction of impact. Reduction also implies a similar concept but lacks the breadth that mitigation encompasses, which includes both the likelihood and the consequences. Control can refer to managing risks but is often broader and may not emphasize the specific strategies to reduce risk as effectively as mitigation does.