After assessing and mitigating the risks of a web application, who should decide on the acceptance of residual
application risks?

A.
Information security officer

B.
Chief information officer (CIO)

C.
Business owner

D.
Chief executive officer (CFO)

Explanation:

The business owner of the application needs to understand and accept the residual application risks.