nerdexam
EC-Council

312-50V11 · Question #785

Suppose your company has just passed a security risk assessment exercise. The results display that the risk of the breach in the main company application is 50%. Security staff has taken some measures

The correct answer is A. Accept the risk. When residual risk falls below the accepted risk threshold, the organization should accept the risk rather than spend additional resources on further controls.

Information Security and Ethical Hacking Fundamentals

Question

Suppose your company has just passed a security risk assessment exercise. The results display that the risk of the breach in the main company application is 50%. Security staff has taken some measures and implemented the necessary controls. After that, another security risk assessment was performed showing that risk has decreased to 10%. The risk threshold for the application is 20%. Which of the following risk decisions will be the best for the project in terms of its successful continuation with the most business profit?

Options

  • AAccept the risk
  • BIntroduce more controls to bring risk to 0%
  • CMitigate the risk
  • DAvoid the risk

How the community answered

(46 responses)
  • A
    63% (29)
  • B
    22% (10)
  • C
    7% (3)
  • D
    9% (4)

Why each option

When residual risk falls below the accepted risk threshold, the organization should accept the risk rather than spend additional resources on further controls.

AAccept the riskCorrect

The risk has been reduced to 10%, which is already below the company's 20% risk threshold. Accepting risk is the appropriate decision when residual risk is within tolerable limits, as spending more resources to reduce it further provides diminishing business value and hinders project profitability.

BIntroduce more controls to bring risk to 0%

Introducing more controls to achieve 0% risk is neither practical nor cost-effective, and pursuing zero risk would consume resources far beyond what the business benefit justifies.

CMitigate the risk

Mitigation has already been performed successfully and the risk is now below the acceptable threshold, making further mitigation steps unnecessary and wasteful.

DAvoid the risk

Avoiding the risk would mean discontinuing the application entirely, which eliminates all business value and is not warranted when residual risk is already below the acceptable threshold.

Concept tested: Risk acceptance decision after residual risk threshold comparison

Source: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

Topics

#risk assessment#risk threshold#risk acceptance#risk management

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice