Certified Information Security Manager (CISM) — Question 465
Which of the following is the MOST important reason for performing a cost-benefit analysis when implementing a security control?
Answer options
- A. To ensure that the mitigation effort does not exceed the asset value
- B. To ensure that benefits are aligned with business strategies
- C. To present a realistic information security budget
- D. To justify information security program activities
Correct answer: A
Explanation
The most critical reason for conducting a cost-benefit analysis is to confirm that the cost of implementing and operating the security control does not exceed the value of the asset it protects, which is option A. A control that costs more than the loss it prevents is not a sound investment, regardless of how well it performs technically. Aligning benefits with business strategy (B), presenting a realistic budget (C), and justifying program activities (D) are legitimate uses of the analysis results, but they are secondary: each depends on first establishing that the control is cost-effective relative to the asset being protected.