A security administrator plans on replacing a critical business application in five years. Recently, there was
a security flaw discovered in the application that will cause the IT department to manually re-enable user
accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take
two months to implement. Which of the following should the security administrator do in regards to the
application?

A.
Avoid the risk to the user base allowing them to re-enable their own accounts

B.
Mitigate the risk by patching the application to increase security and saving money

C.
Transfer the risk replacing the application now instead of in five years

D.
Accept the risk and continue to enable the accounts each month saving money

Explanation:
This is a risk acceptance measure that has to be implemented since the cost of patching would be too
high compared to the cost to keep the system going as is. Risk acceptance is often the choice you must
make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation,
transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.
Incorrect Answers:
A: This is a business critical function and cannot be avoided, least of all by having the user base re-enable
their own user accounts.
B: Patching the application amounts to risk mitigation methods and would be too costly.
C: Replacing the application in five years’ time would still cost more than a monthly cost of having the IT
department manually re-enable the user accounts each month – even over 60 months.
Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 9-10