PrepAway - Latest Free Exam Questions & Answers

What type of approach is her company taking to handle the risk posed by the system?

Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company’s e-mail system. What type of approach is her company taking to handle the risk posed by the system?

A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

Explanation:
A: Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. By implementing security controls such as antivirus and antispam software, Sue is reducing the risk posed by her company’s e-mail system. This is also referred to as risk mitigation, where the risk is decreased to a level considered acceptable. In addition to the use of IT security controls and countermeasures, risk can be mitigated by improving procedures, altering the environment, erecting barriers to the threat, and implementing early detection methods to stop threats as they occur, thereby reducing their possible damage.

B is incorrect because risk acceptance does not involve spending money on protection or countermeasures, such as antivirus software. When accepting risk, the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to live with it without implementing countermeasures. Many companies accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

C is incorrect because risk avoidance involves discontinuing the activity that is causing the risk, and in this case Sue’s company has chosen to continue to use e-mail. A company may choose to terminate an activity that introduces risk if that risk outweighs the activity’s business need. For example, a company may choose to block social media Web sites for some departments because of the risk they pose to employee productivity.

D is incorrect because risk transference involves sharing the risk with another entity, as in purchasing insurance to transfer some of the risk to the insurance company. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance.

