CompTIA CySA+ (CS0-003) — Question 513

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

Answer options

• A. Avoid
• B. Transfer
• C. Accept
• D. Mitigate

Correct answer: A

Explanation

The correct answer is 'Avoid' because the CISO chose not to proceed with the software due to the unacceptable risk level, thereby avoiding the risk altogether. 'Transfer' would involve shifting the risk to another party, 'Accept' would mean acknowledging the risk without action, and 'Mitigate' would imply reducing the risk, which wasn't done in this case.