Risk Management Framework 4



"....the following questions illustrate a general risk management framework:

(1) What are you trying to protect?...

(2) What are you trying to protect it from?....

(3) What is the likelihood of each threat occurring and the consequence if it does?....

(4) What kind of action does the program take in response to the threat? There are four ways of responding to a threat: acceptance, prevention, interdiction, and mitigation. The response that the program represents may be placed in one or more of these categories:

(4.1) Acceptance - Acceptance of a threat is a rational alternative that is often chosen when the threat has low probability, low consequence, or both. For example, few people remain indoors during storms to avoid the low probability of being struck by lightning.

(4.2) Prevention - Prevention is the alteration of the target or its circumstances to diminish the risk of the bad thing happening.

(4.3) Interdiction - Interdiction is any confrontation with, or influence exerted on, an attacker to eliminate or limit its movement toward causing harm.

(4.4) Mitigation - Mitigation is preparation so that, in the event of the bad thing happening, its consequences are reduced.

(5) Does the response create new risks to the asset or others..."

(Data Privacy and Integrity Advisory Committee, Report of the Data Privacy and Integrity Advisory Committee No. 2006-01, DHS, Privacy Office, March 29, 2006, pp. 3-4)

afaatim.com copyright © April 2016 Dr.K.R.Kamaal. All rights reserved