CRISC Certified in Risk and Information Systems Control – Question077

You are the project manager of the GHT project. While performing a cost-benefit analysis of a control, you find that the cost of the specific control exceeds the benefit of mitigating a given risk. What is the BEST action to choose in this scenario?

A. The enterprise may apply the appropriate control anyway.
B. The enterprise should adopt corrective control.
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation.
D. The enterprise should exploit the risk.

Correct Answer: C

Explanation:
If the costs of specific controls or countermeasures (control overhead) exceed the benefits of mitigating a given risk, the enterprise may choose to accept the risk rather than incur the cost of mitigation. This follows the principle of proportionality described in:

  • Generally accepted security systems principles (GASSP)
  • Generally accepted information security principles (GAISP)

Incorrect Answers:
A: When the cost of a specific control exceeds the benefit of mitigating a given risk, the control is not applied; instead, the risk is accepted.
B: Because the cost of the control exceeds the benefit of mitigating the risk, no control should be applied. A corrective control is a type of control, so it should not be adopted either.
D: A risk is exploited only when it represents an opportunity, i.e., a positive risk. In this case the risk is negative, since it requires mitigation, so exploitation is not an option.