CRISC Certified in Risk and Information Systems Control – Question 789

Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

A. Cost of the information control system.
B. Cost versus benefit of additional mitigating controls.
C. Annualized loss expectancy (ALE) for the system.
D. Frequency of business impact.

Correct Answer: C