What does "in theory" imply when developing options to mitigate risks?

The phrase "in theory" implies that while various options for risk mitigation can be conceived or proposed on paper, not all of them may be practical or viable in real-world scenarios. This consideration encompasses aspects such as feasibility, cost-effectiveness, and the specific context of the risks being addressed. Even if an option appears sound theoretically, factors such as resources available, organizational constraints, or the unique aspects of the risk may influence whether that option can be realistically implemented.

In the context of risk assessment and mitigation, understanding that theoretical possibilities may not translate into actionable items is crucial for developing effective strategies. This nuanced understanding helps security professionals evaluate the practical application of their suggestions and choose the most suitable courses of action based on real-world limitations.