Determining Whether to Accept Residual Risk | CISM Exam Question | ISACA

Greatest Importance to the Security Manager: Determining Whether to Accept Residual Risk


Question

Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

Answers

A. Historical cost of the asset
B. Acceptable level of potential business impacts
C. Cost versus benefit of additional mitigating controls
D. Annualized loss expectancy (ALE)

Explanations

Correct answer: C.

The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls.

The other choices, although relevant, would not be as important.

In information security, residual risk is the risk that remains after controls have been applied to the inherent risk. No set of controls eliminates all risk, so some residual risk always remains, and the security manager has to decide whether to accept it, mitigate it further, transfer it, or avoid it.

Option B, the acceptable level of potential business impacts, is the strongest distractor. It matters, because it is the threshold the residual risk is compared against, but it is an input to the decision rather than the decision itself: the level of impact the organization is willing to tolerate is set by senior management and the business owners as part of the organization's risk appetite, and the security manager receives that tolerance rather than determining it.

For instance, if an organization holds sensitive customer data whose breach could cost customer trust and damage its reputation, the tolerance for that impact tells the security manager how much residual risk is too much. It does not tell the manager whether spending more on controls is worthwhile.

Option C, the cost versus benefit of additional mitigating controls, is therefore the correct answer. Residual risk is accepted at the point where the next control would cost more than the reduction in risk it delivers; up to that point the security manager should keep mitigating, and beyond it further spending is not justified. The question asks what is of greatest importance in deciding whether to accept the residual risk, and that is precisely this comparison.

Option A, the historical cost of the asset, is not relevant to accepting residual risk. Historical cost is what was paid to acquire the asset; it says nothing about the asset's current value to the business, the likelihood of compromise, or the impact of losing it.

Option D, annualized loss expectancy (ALE), is the product of the single loss expectancy (SLE) and the annualized rate of occurrence (ARO), and it quantifies the expected yearly loss from a scenario. It is an input to the cost-benefit comparison in option C (the ALE reduction a control delivers is the benefit weighed against the control's cost) rather than a basis for the acceptance decision on its own, so it is not the most important factor.
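To make the cost-versus-benefit test concrete, here is an added worked example; it is not part of the ISACA question or its explanation. It quantifies a constructed customer-data-breach scenario as ALE = SLE x ARO, adopts a candidate control only while the annual ALE reduction it buys exceeds its annual cost (the option C test), and only then compares what remains against an assumed business impact tolerance (the option B threshold). The scenario figures, control names, reduction percentages and tolerance are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Scenario:
    """A loss scenario quantified the way ALE is usually computed."""
    name: str
    sle: float  # single loss expectancy: loss per incident, in currency units
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigating control with its annual cost and estimated effect."""
    name: str
    annual_cost: float
    sle_reduction: float = 0.0  # fraction (0..1) by which it reduces loss per incident
    aro_reduction: float = 0.0  # fraction (0..1) by which it reduces incident frequency

    def apply(self, s: Scenario) -> Scenario:
        """Return the residual scenario once this control is in place."""
        return Scenario(
            s.name,
            s.sle * (1.0 - self.sle_reduction),
            s.aro * (1.0 - self.aro_reduction),
        )


def net_benefit(current: Scenario, control: Control) -> float:
    """Annual ALE reduction the control buys, minus its annual cost.

    Positive: the control removes more risk than it costs (worth adding).
    Negative: the organization would pay more than the risk it removes.
    """
    return (current.ale - control.apply(current).ale) - control.annual_cost


def evaluate(current: Scenario, candidates: Iterable[Control], tolerance_ale: float) -> Dict:
    """Adopt cost-effective controls first, then decide on the residual risk.

    1. Repeatedly adopt the candidate with the largest positive net benefit,
       recomputing benefits against the updated residual risk each time
       (a control's benefit shrinks once another control has cut the ALE).
    2. Stop when no remaining control pays for itself.
    3. Compare the residual ALE with the business impact tolerance:
       'accept' if within tolerance, otherwise 'escalate' (no further control
       is cost-effective, yet the risk exceeds what the business said it can
       tolerate, so it needs transfer, avoidance, or explicit sign-off).
    """
    residual = current
    remaining: List[Control] = list(candidates)
    adopted: List[str] = []
    while True:
        worthwhile = [(net_benefit(residual, c), c) for c in remaining]
        worthwhile = [(b, c) for b, c in worthwhile if b > 0]
        if not worthwhile:
            break
        _, best = max(worthwhile, key=lambda bc: bc[0])
        residual = best.apply(residual)
        adopted.append(best.name)
        remaining.remove(best)
    decision = "accept" if residual.ale <= tolerance_ale else "escalate"
    return {
        "adopted": adopted,
        "rejected": [c.name for c in remaining],
        "residual_ale": residual.ale,
        "decision": decision,
    }


# Constructed, hypothetical figures for illustration only.
BREACH = Scenario("customer data breach", sle=500_000.0, aro=0.10)  # ALE = 50,000 per year
CANDIDATES = [
    Control("DLP gateway", annual_cost=60_000.0, aro_reduction=0.50),
    Control("MFA for data access", annual_cost=8_000.0, aro_reduction=0.60),
    Control("field tokenization", annual_cost=15_000.0, sle_reduction=0.50),
]
TOLERANCE_ALE = 30_000.0  # assumed business impact tolerance, set by the business owner

if __name__ == "__main__":
    print(f"Initial ALE: {BREACH.ale:,.0f}")
    for c in CANDIDATES:
        print(f"  {c.name}: net benefit against initial risk = {net_benefit(BREACH, c):,.0f}")
    print(evaluate(BREACH, CANDIDATES, TOLERANCE_ALE))
```

With these figures the DLP gateway never pays for itself (it removes 25,000 of ALE for 60,000 a year), MFA is adopted because it removes 30,000 for 8,000, and after MFA the residual ALE of 20,000 is low enough that tokenization no longer justifies its 15,000 cost. The residual 20,000 sits within the assumed 30,000 tolerance, so the outcome is "accept"; lowering the tolerance to 10,000 changes it to "escalate", which shows why the tolerance is a threshold rather than the deciding factor.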

In conclusion, the answer is C: the security manager accepts residual risk when further mitigating controls would cost more than the risk reduction they provide. The acceptable level of potential business impacts (option B) sets the threshold the residual risk must fall within, and ALE (option D) supplies the figures for the comparison, but neither is the deciding factor.