Risk Management Program | Reduce Risk | CISM Exam Preparation


Question

A risk management program should reduce risk to:

Answers

A. zero
B. an acceptable level
C. an acceptable percent of revenue
D. an acceptable probability of occurrence

Explanations

Correct answer: B.

Risk should be reduced to an acceptable level based on the risk preference of the organization.

Reducing risk to zero is impractical and could be cost-prohibitive.

Tying risk to a percentage of revenue is inadvisable since there is no direct correlation between the two.

Reducing the probability of risk occurrence may not always be possible, as in the case of natural disasters.

The focus should therefore be on reducing the impact to a level acceptable to the organization, not solely on reducing the probability of the risk.

The correct answer is B: an acceptable level.

Risk management is an essential component of information security management, and it involves identifying, assessing, and controlling risks to an organization's information assets. The ultimate goal of risk management is to reduce risks to an acceptable level, which means that the organization can operate without incurring unacceptable losses or disruptions to its operations.

Option A: zero is not a realistic goal in risk management. It is not possible to completely eliminate all risks, and attempting to do so would be prohibitively expensive and impractical.

Option C: an acceptable percent of revenue is not a useful metric for risk management. The amount of revenue generated by an organization has no direct relationship to the level of risk it faces, and using this metric could result in an organization accepting unacceptably high levels of risk.

Option D: an acceptable probability of occurrence is a useful metric for assessing risk, but it should be used in conjunction with other factors such as the potential impact of a risk event and the organization's risk appetite.

Option B: an acceptable level is the most appropriate goal for a risk management program. This means that the organization has identified its key risks and has implemented controls to reduce those risks to a level that is acceptable to the organization. The acceptable level will vary depending on the organization's risk appetite, its business objectives, and the nature of its operations.

In summary, an effective risk management program should aim to reduce risk to an acceptable level, taking into account factors such as the potential impact of a risk event, the organization's risk appetite, and its business objectives.