CISM Certified Information Security Manager – Question0306

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

A. Implement countermeasures.
B. Eliminate the risk.
C. Transfer the risk.
D. Accept the risk.

Correct Answer: C

Explanation:
Risks are typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornadoes and earthquakes. Implementing countermeasures may not be the most cost-effective approach to security management. Eliminating the risk may not be possible. Accepting the risk would leave the organization vulnerable to a catastrophic disaster that may cripple or ruin the organization. It would be more cost-effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.