Certified in Risk and Information Systems Control (CRISC) — Question 835
Risk acceptance of an exception to a security control would MOST likely be justified when:
Answer options
- A. the end-user license agreement has expired.
- B. automation cannot be applied to the control.
- C. the control is difficult to enforce in practice.
- D. business benefits exceed the loss exposure.
Correct answer: D
Explanation
The correct answer is D because risk acceptance is often justified when the benefits to the business are greater than the potential losses. Options A, B, and C do not directly address the balance of benefits versus risks, making them less relevant to justifying risk acceptance.