CompTIA Security+ (SY0-601) — Question 231
Which of the following scenarios BEST describes a risk reduction technique?
Answer options
- A. A security control objective cannot be met through a technical change, so the company purchases insurance and is no longer concerned about losses from data breaches.
- B. A security control objective cannot be met through a technical change, so the company implements a policy to train users on a more secure method of operation.
- C. A security control objective cannot be met through a technical change, so the company performs regular audits to determine if violations have occurred.
- D. A security control objective cannot be met through a technical change, so the Chief Information Officer decides to sign off on the risk.
Correct answer: B
Explanation
The correct answer is B because implementing a policy to train users on secure operations actively reduces risk by improving user behavior. Options A and D involve transferring and accepting risk, respectively, without addressing the underlying issue, while option C focuses on detection rather than prevention.