Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be
implemented?

A.
Countermeasure cost-benefit analysis

B.
Penetration testing

C.
Frequent risk assessment programs

D.
Annual loss expectancy (ALE) calculation

Explanation:

In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy
(ALE) is a measure which will contribute to the value of the risk but. alone, will not justify a control.