You are the project manager of the GHT project. You are performing a cost and benefit analysis of
controls. You find that the cost of a specific control exceeds the benefit of mitigating the
given risk. What is the BEST action to take in this scenario?
A.
The enterprise may apply the appropriate control anyway.
B.
The enterprise should adopt corrective control.
C.
The enterprise may choose to accept the risk rather than incur the cost of mitigation.
D.
The enterprise should exploit the risk.
Explanation:
Answer C is correct. If the cost of a specific control or countermeasure (the control overhead) exceeds
the benefit of mitigating a given risk, the enterprise may choose to accept the risk rather than incur
the cost of mitigation. This follows the principle of proportionality (controls should be proportionate
to the value of the asset and to the severity and likelihood of the potential harm) described in:
Generally Accepted System Security Principles (GASSP)
Generally Accepted Information Security Principles (GAISP)
Answer A is incorrect. When the cost of a specific control exceeds the benefit of mitigating a given
risk, the control is not applied; instead, the risk is accepted.
Answer D is incorrect. A risk is exploited only when it represents an opportunity, i.e., a
positive risk. The risk in this scenario is a negative one, since it is being considered for
mitigation, so exploitation is not an option.
Answer B is incorrect. Because the cost of the control exceeds the benefit of mitigating the risk,
no control should be applied. A corrective control is simply one type of control, so adopting it
would be subject to the same cost and benefit objection.