You are the project manager of the GHT project. You are performing a cost-benefit analysis of controls and find that the cost of specific controls exceeds the benefit of mitigating a given risk. What is the BEST action you would choose in this scenario?

A. The enterprise may apply the appropriate control anyway.
B. The enterprise should adopt a corrective control.
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation.
D. The enterprise should exploit the risk.

Suggested Answer: C

If the cost of specific controls or countermeasures (control overhead) exceeds the benefit of mitigating a given risk, the enterprise may choose to accept the risk rather than incur the cost of mitigation. This follows the principle of proportionality described in:
✑ Generally Accepted System Security Principles (GASSP)
✑ Generally Accepted Information Security Principles (GAISP)

Incorrect Answers:
A: When the cost of specific controls exceeds the benefit of mitigating a given risk, the controls are not applied; instead, the risk is accepted.
B: Because the cost of the control exceeds the benefit of mitigating the risk, no control should be applied. A corrective control is a type of control, so it should not be adopted either.
D: A risk is exploited when it represents an opportunity, i.e., when the risk is positive. In this case the risk is negative, since it requires mitigation, so exploitation is not an option.

This question appears in the CRISC exam (Certified in Risk and Information Systems Control).

Disclaimers: The website is not related to, affiliated with, endorsed or authorized by ISACA. The website does not contain actual questions and answers from ISACA's Certification Exams. Trademarks, certification and product names are used for reference only and belong to ISACA.