Cisco
350-201 Question #108: Real Exam Question with Answer & Explanation
The correct answer is C: cost-effectiveness of control measures.
Security Policies and Procedures
Question
What is needed to assess risk mitigation effectiveness in an organization?
Options
- A. analysis of key performance indicators
- B. compliance with security standards
- C. cost-effectiveness of control measures
- D. updated list of vulnerable systems
Explanation
Assessing risk mitigation effectiveness centers on the cost-effectiveness of control measures, which quantifies whether security controls reduce risk sufficiently relative to their implementation cost.
Common mistakes.
- A. Key performance indicators measure broad operational or business outcomes and do not specifically quantify whether individual risk mitigation controls are reducing targeted risks.
- B. Compliance with security standards confirms conformance to regulatory or policy requirements but does not measure the actual degree of risk reduction achieved by specific mitigations.
- D. An updated list of vulnerable systems characterizes the current risk exposure rather than evaluating the effectiveness of mitigations that have already been applied.
Concept tested. Assessing risk mitigation via control cost-benefit effectiveness
Reference. https://csrc.nist.gov/publications/detail/sp/800-39/final
Topics
#risk mitigation #control effectiveness #cost-benefit analysis #KPI