Cost-Benefit Analysis of Control: Action for Exceeding Costs


Question

You are the project manager of the GHT project. While performing a cost-benefit analysis of controls, you find that the cost of specific controls exceeds the benefit of mitigating a given risk.

What is the BEST action you would choose in this scenario?

Answers

A. The enterprise may apply the appropriate control anyway.
B. The enterprise should adopt corrective control.
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation.
D. The enterprise should exploit the risk.

Explanations

Correct answer: C.

If the costs of specific controls or countermeasures (the control overhead) exceed the benefits of mitigating a given risk, the enterprise may choose to accept the risk rather than incur the cost of mitigation.

This follows the principle of proportionality described in:

- Generally Accepted System Security Principles (GASSP)
- Generally Accepted Information Security Principles (GAISP)

Incorrect answers:

A: When the cost of a specific control exceeds the benefit of mitigating a given risk, the control is not applied; the risk is accepted instead.

B: Because the cost of the control exceeds the benefit of mitigating the risk, no control should be applied. A corrective control is a type of control, so it should not be adopted either.

D: A risk is exploited when it represents an opportunity, i.e., a positive risk. Here the risk is negative, since it needs mitigation, so exploiting it is not an option.

When costs of specific controls exceed the benefits of mitigating a given risk, the best action to choose in this scenario would be to opt for risk acceptance instead of incurring the cost of mitigation. The option C, "The enterprise may choose to accept the risk rather than incur the cost of mitigation," is the most appropriate in this situation.

Risk acceptance is an option for addressing risks where the cost of implementing controls is greater than the cost of the potential risk. By accepting the risk, the organization acknowledges that the risk exists but chooses to forgo implementing controls to mitigate it.

However, the decision to accept a risk should be made with careful consideration and approval from the relevant stakeholders. This involves evaluating the potential consequences of the risk, the impact on the organization's objectives, and the likelihood of the risk occurring. It is also important to ensure that the organization has a plan in place to monitor the risk and take action if necessary.

The other options are not appropriate in this scenario. Option A, "The enterprise may apply the appropriate control anyway," is not recommended because it is not cost-effective to apply a control that costs more than the benefits it provides. Option B, "The enterprise should adopt corrective control," assumes that a corrective control exists and is cost-effective, which may not always be the case. Option D, "The enterprise should exploit the risk," is not a recommended option as it involves taking advantage of the risk rather than mitigating it, which can lead to negative consequences for the organization.