Certified Chief Information Security Officer (CCISO) — Question 157
In which of the following cases would an organization be more prone to risk acceptance vs. risk mitigation?
Answer options
- A. The organization uses exclusively a qualitative process to measure risk
- B. The organization's risk tolerance is low
- C. The organization uses exclusively a quantitative process to measure risk
- D. The organization's risk tolerance is high
Correct answer: D
Explanation
An organization with a high risk tolerance is more inclined to accept risks than to mitigate them, because it is comfortable with the potential impacts. In contrast, organizations with low risk tolerance, or those relying solely on qualitative or quantitative measures, may prefer to implement risk mitigation strategies to safeguard against potential threats.