Which is the most valuable technique when determining if a specific security control should be implemented?
A.
Risk analysis
B.
Cost/benefits analysis
C.
ALE results
D.
Identifying the vulnerabilities and threats causing the risk
Explanation:
A risk analysis is performed to identify risks and come up with
suggested countermeasures. The ALE tells the company how much it could lose if a
specific threat became real. The ALE value will go into the cost/benefit analysis,
but the ALE does not address the cost of the countermeasure and the benefit of a
countermeasure.