CAS-002 Question #591: Real Exam Question with Answer & Explanation
The correct answer is D: Avoid the risk. When the cost to remediate a security risk exceeds the value of the asset being acquired, the financially prudent decision is to avoid the risk entirely by abandoning the transaction.
Question
Company XYZ is in negotiations to acquire Company ABC for $1.2 million. Due diligence activities have uncovered systemic security issues in the flagship product of Company ABC. It has been established that a complete product rewrite would be needed, with average estimates indicating a cost of $1.6 million. Which of the following approaches should the risk manager of Company XYZ recommend?
Options
- A. Transfer the risk
- B. Accept the risk
- C. Mitigate the risk
- D. Avoid the risk
Explanation
Due diligence has priced the remediation (a full rewrite of the flagship product) at roughly $1.6M against a $1.2M purchase price. Every treatment that keeps the deal alive leaves Company XYZ paying about $2.8M in total for an asset valued at $1.2M, so cost-benefit analysis rules out accepting, mitigating, or transferring the risk. Avoiding the risk means not taking on the exposure at all: walking away from the acquisition, or at minimum restructuring it so that the defective product is not acquired on these terms. The key signal in the question is that the cost to fix exceeds the value of what is being bought.
Common mistakes.
- A. Transferring the risk through insurance or contractual indemnification does not remove the $1.6M remediation liability; the defect is systemic, already documented in due diligence, and inherent to the product being purchased, so no insurer or counterparty is likely to underwrite it at an acceptable price.
- B. Accepting the risk means acknowledging it and proceeding anyway, which is economically irrational when the cost to fix the problem exceeds the total purchase price.
- C. Mitigating the risk would require funding the $1.6M rewrite, which by itself costs more than the $1.2M acquisition; a combined outlay of about $2.8M for an asset valued at $1.2M cannot be justified on cost-benefit grounds.
Concept tested. Risk treatment selection using cost-benefit analysis
Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final