Effective security management:

A.
Achieves security at the lowest cost

B.
Reduces risk to an acceptable level

C.
Prioritizes security for new products

D.
Installs patches in a timely manner

Explanation:
B: There will always be residual risk accepted by an organization, and effective security management will minimize this risk to a level that fits within the organizations risk tolerance or risk profile. Page 408.