Certified Information Security Manager (CISM) — Question 340
A risk assessment exercise has identified the threat of a denial of service (DoS) attack. Executive management has decided to take no further action related to this risk. The MOST likely reason for this decision is:
Answer options
- A. the cost of implementing controls exceeds the potential financial losses.
- B. the risk assessment has not defined the likelihood of occurrence.
- C. executive management is not aware of the impact potential.
- D. the reported vulnerability has not been validated.
Correct answer: A
Explanation
The correct answer is A. Deciding to take no further action is risk acceptance, and the usual business justification for accepting a risk is that the cost of the controls needed to mitigate it exceeds the loss the risk is expected to cause. For a DoS threat this means the cost of, for example, additional bandwidth, traffic scrubbing or redundant infrastructure outweighs the anticipated financial impact of an outage, so accepting the risk is a rational management decision. Option B is incorrect because a risk assessment that has not established likelihood is incomplete, and the appropriate response to an incomplete assessment is to finish it, not to decide on no action. Option C is incorrect because nothing in the question suggests management was unaware of the impact, and a decision made without that knowledge would not be an informed acceptance of the risk. Option D is incorrect because the risk assessment identified a threat, not a reported vulnerability awaiting validation; an unvalidated finding would again call for further assessment rather than for acceptance of the risk.