Certified in Risk and Information Systems Control (CRISC) — Question 1173

An organization recently implemented an extensive risk awareness program after a cybersecurity incident. Which of the following is MOST likely to be affected by the implementation of the program?

Answer options

• A. Risk appetite
• B. Threat landscape
• C. Inherent risk
• D. Residual risk

Correct answer: D

Explanation

The correct answer is D, as the implementation of a risk awareness program is intended to reduce the risk that remains after controls are applied, which is known as residual risk. Options A, B, and C refer to broader concepts that may not be directly impacted by the awareness program itself, such as the organization's overall willingness to accept risk or the existing threats they face.