CompTIA CySA+ (CS0-003) — Question 131
A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?
Answer options
- A. Transfer
- B. Mitigate
- C. Accept
- D. Avoid
Correct answer: B
Explanation
The correct answer is B (Mitigate) because the CISO is taking action to reduce the risk associated with the vulnerability by disabling the vulnerable functionality while keeping the business-critical application in service. The other options do not fit: A (Transfer) involves shifting the risk to another party (for example, through insurance or outsourcing), C (Accept) means acknowledging the risk without taking action, and D (Avoid) means eliminating the risk entirely by ceasing the activity that creates it, which is not the approach in this scenario.