Identifying residual risk is MOST important to which of the following concepts?
A.
Risk deterrence
B.
Risk acceptance
C.
Risk mitigation
D.
Risk avoidance
Explanation:
Risk acceptance is often the choice you must make when the cost of implementing any of the other four
choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as
acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to
be an identified risk for which those involved understand the potential cost or damage and agree to
accept it. Residual risk is always present and will remain a risk thus it should be accepted (risk acceptance)
Incorrect Answers:
A: Risk deterrence involves understanding something about the enemy and letting them know the harm
that can come their way if they cause harm to you.
C: Risk mitigation is accomplished any time you take steps to reduce risk. This category includes installing
antivirus software, educating users about possible threats, monitoring network traffic, adding a firewall,
and so on.
D: Risk Avoidance is the opposite of risk acceptance and involves identifying a risk and making the
decision not to engage any longer in the actions associated with that risk.D Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 3, 9, 10
Amid all of the sales comments on this forum–here is a legit concern about this question. If you are looking at residual risk, then you presumably have a specific risk which may have been mitigated. The leftover or residual risk is what you consider when you decide to accept that risk. If the leftover risk is too high, then you need more mitigation. I think that Risk acceptance is a preferable answer.
0
0