CISM Certified Information Security Manager – Question0295
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A. Countermeasure cost-benefit analysis
B. Penetration testing
C. Frequent risk assessment programs
D. Annual loss expectancy (ALE) calculation
Correct Answer: A
Explanation:
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will contribute to the value of the risk but, alone, will not justify a control.