After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be
derived. The information security manager should recommend to business management that the risk be:

A.
transferred.

B.
treated.

C.
accepted.

D.
terminated.

Explanation:

When the cost of control is more than the cost of the risk, the risk should be accepted. Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.