Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?

A. Countermeasure cost-benefit analysis

B. Penetration testing

C. Frequent risk assessment programs

D. Annual loss expectancy (ALE) calculation

Explanation:

In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the
expected cost of loss. This can then be used to justify a specific control measure. Penetration
testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a
control. Frequent risk assessment programs will certainly establish what risk exists but will not
determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will
contribute to the value of the risk but, alone, will not justify a control.


