Certified in Risk and Information Systems Control (CRISC) — Question 297
Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
Answer options
- A. Cost of the information control system.
- B. Cost versus benefit of additional mitigating controls.
- C. Annualized loss expectancy (ALE) for the system.
- D. Frequency of business impact.
Correct answer: B
Explanation
The correct answer is B: deciding whether to accept residual risk means weighing the cost of additional mitigating controls against the risk reduction they would deliver. The other options (the cost of the existing control system, ALE, and the frequency of business impact) are useful inputs to that analysis, but none of them by itself addresses the balance of cost and benefit that is crucial for effective risk management.