Controls are implemented to:
A. B. C. D.
Answer: C.
Controls are implemented to mitigate risk and reduce the potential for loss.
Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.
It is neither feasible nor possible to eliminate all risks and the potential for loss, as risks and threats are constantly changing.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
Controls are measures or safeguards put in place to reduce risk and minimize the potential for loss or damage to an organization's assets. They are implemented to manage risks to an acceptable level, and their effectiveness is measured by the degree to which they reduce the likelihood and impact of a security incident.
A. Eliminating risk and reducing potential loss may be an ideal outcome, but it is rarely achievable. Risk is an inherent part of any activity, and eliminating it entirely is neither practical nor cost-effective. The goal of controls is to reduce the risk to an acceptable level, rather than eliminating it altogether. Therefore, option A is not correct.
B. Mitigating risk and eliminating the potential for loss is also an ideal outcome but not always achievable. Mitigation involves reducing the probability or impact of a security incident, while elimination involves removing the threat altogether. While some risks can be eliminated, others cannot, and controls are designed to manage the remaining risks. Therefore, option B is not entirely correct.
C. Mitigating risk and reducing potential loss is the most accurate answer. Controls are designed to identify and reduce risk to an acceptable level, and they aim to minimize the potential for loss or damage to an organization's assets. This option acknowledges the fact that controls cannot eliminate all risk, but can reduce it to a tolerable level.
D. Eliminating risk and eliminating potential loss is an unrealistic goal. It is impossible to eliminate all risk or prevent all losses entirely. Controls are designed to manage risks and minimize losses, but they cannot eliminate them completely. Therefore, option D is not correct.
In conclusion, the most appropriate answer is C, which acknowledges that controls are designed to mitigate risk and reduce potential loss, rather than eliminate them altogether.