Certified Information Security Manager (CISM) — Question 353

Which of the following is an example of risk mitigation?

Answer options

A. Improving security controls
B. Discontinuing the activity associated with the risk
C. Performing a cost-benefit analysis
D. Purchasing insurance

Correct answer: A

Explanation

Improving security controls directly reduces the likelihood or impact of a risk, which is what risk mitigation means, so option A is correct. Discontinuing the activity associated with the risk (option B) is risk avoidance: it removes the risk rather than reducing it. Performing a cost-benefit analysis (option C) is part of risk evaluation; it informs the choice of treatment but is not itself a treatment. Purchasing insurance (option D) is risk transfer (sharing), which shifts the financial consequence to a third party without reducing the likelihood or impact of the event.