After assessing and mitigating the risks of a web application, who should decide on the
acceptance of residual application risks?

A.
Information security officer

B.
Chief information officer (CIO)

C.
Business owner

D.
Chief executive officer (CF.O)

Explanation:

The business owner of the application needs to understand and accept the residual application
risks.