Certified Information Security Manager (CISM) — Question 412
Which of the following is the MOST important criterion when deciding whether to accept residual risk?
Answer options
- A. Cost of replacing the asset
- B. Annual loss expectancy (ALE)
- C. Cost of additional mitigation
- D. Annual rate of occurrence
Correct answer: B
Explanation
The correct answer is B, Annual loss expectancy (ALE), because it quantifies the expected financial impact of the risk that remains after mitigation, which is exactly what must be weighed when deciding whether that residual risk is acceptable. Options A and C are costs (of replacing the asset and of further mitigation) rather than measures of the residual exposure itself, and D, the annual rate of occurrence, is only the frequency component that ALE already incorporates alongside the loss per event; none of the three by itself expresses the financial implications of accepting the residual risk.