PrepAway - Latest Free Exam Questions & Answers

Which of the following should Sara do to address the risk?

Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years.
Each breach has cost the company $3,000. A third-party vendor has offered to repair the security hole in
the system for $25,000. The breached system is scheduled to be replaced in five years.
Which of the following should Sara do to address the risk?


A. Accept the risk saving $10,000.

B. Ignore the risk saving $5,000.

C. Mitigate the risk saving $10,000.

D. Transfer the risk saving $5,000.

Explanation:
Risk transference involves sharing some of the risk burden with someone else, such as an insurance
company. The cost of the security breach over a period of 5 years would amount to $30,000 and it is
better to save $5,000.
Incorrect Answers:
A: Risk acceptance is often the choice you must make when the cost of implementing any of the other
four choices exceeds the value of the harm that would occur if the risk came to fruition. In this case there
is no saving and the risk already happened.
B: Ignoring the risk will not save you $5,000 since the system is due to be replaced within a 5-year period,
which will cost your company $30,000.
C: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing
antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall,
and so on. You should, however, address the security breach, or else there will be no saving.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 9
