PrepAway - Latest Free Exam Questions & Answers

What kind of a strategy should Sam recommend to the seni…

Sam is the security manager of a financial institution. Senior management has requested that he perform a risk
analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has
observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures,
controls, or safeguards) is greater than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?

A. Risk Mitigation

B. Risk Acceptance

C. Risk Avoidance

D. Risk Transfer

Explanation:
Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost
of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept
risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
Risk acceptance should be based on several factors. For example, is the potential loss lower than the cost of the
countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second
consideration is not purely a cost decision, but may entail non-cost issues surrounding the decision. For
example, if we accept this risk, we must add three more steps to our production process. Does that make
sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle
those?
Incorrect Answers:
A: Risk mitigation is implementing countermeasures to protect against the risk. This does not refer to the
acceptance of known risks where the cost-benefit analysis shows that the risk mitigation cost (countermeasures,
controls, or safeguards) is greater than the potential loss that could be incurred.
C: Risk avoidance is where a company removes the risk, for example by disabling a service or removing an
application deemed to be a risk. This does not refer to the acceptance of known risks where the cost-benefit
analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is greater than the potential
loss that could be incurred.
D: Risk transference is where you assign the risk to someone else, for example by purchasing insurance. This
would transfer the risk to the insurance company. This does not refer to the acceptance of known risks where the
cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is greater than the
potential loss that could be incurred.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98
