After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived.
The information security manager should recommend to business management that the risk be:
Correct answer: C.
When the cost of control is more than the cost of the risk, the risk should be accepted.
Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more than the cost of the risk itself.
When a risk assessment is conducted, it identifies the potential risks to an organization and evaluates the potential impact and likelihood of each risk. The next step is to determine how to respond to each risk. One possible response is risk mitigation, which involves taking actions to reduce the likelihood or impact of the risk.
However, it is possible that the cost to mitigate a risk exceeds the benefit to be derived from the risk mitigation. In this situation, the information security manager should recommend to business management that the risk be accepted.
Risk acceptance means that the organization acknowledges the risk, but decides not to take any action to mitigate it. This decision is typically based on a cost-benefit analysis, where the cost of mitigating the risk is compared to the potential impact of the risk. If the cost to mitigate the risk is greater than the potential impact of the risk, it may make more sense to accept the risk.
Risk acceptance is not the same as ignoring the risk. It involves a deliberate decision by the organization to tolerate the risk, while monitoring the situation and being prepared to respond if the risk does materialize.
Therefore, the correct answer to this question is option C, accepted.