PrepAway - Latest Free Exam Questions & Answers

How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?

A. Reject the risk.

B. Perform another risk analysis.

C. Accept the risk.

D. Reduce the risk.

Explanation:
Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it.
One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
Incorrect Answers:
A: Rejecting a risk is not a valid method of dealing with risk.
B: Performing another risk analysis will not help. It will most likely return the same results as the previous risk analysis.
D: Reducing the risk would require a countermeasure. In this question, the cost of the countermeasure outweighs the cost of the risk.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

