Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years.
Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years.
Which of the following should Sara do to address the risk?
A.
Accept the risk saving $10,000.
B.
Ignore the risk saving $5,000.
C.
Mitigate the risk saving $10,000.
D.
Transfer the risk saving $5,000.
D.
Transfer the risk saving $5,000.
why is the answer D. Transfer the risk saving $5,000.
Annual Loss Expectancy = Annual Rate of Occurrence * Single Loss Expectancy
Single Loss Expectancy = Exposure Factor * Asset Value
4 security breaches during the past two years ~ 2 breaches per year
Single loss Expectancy = $3000 per breach >> $6000 per year
For next 5 years = 5 years * $6000 per year = $30,000
$30000 – $25000=$5000; are you transferring the risk or ignoring the risk
Answer D is correct and logical. ” Think of it “…Risk Transfer…” in terms of businness sense.
Thank you for your detailed answer
In risk management jargon transference should equal insurance. Therefore this example is talking about mitigation saving $5K but I guess transfer is closer because if the hole is repaired it wasn’t ignored.
Transfer risk to whom?
This risk is still on the company.
I think B is closer but is not so closer too.
The real answer would be accept the risk, saving $5,000, but that is not a choice. There is no one to “transfer” the risk to here. So the correct answer has to be B. Ignore the risk and save the $5,000 (ignoring a risk is basically the same as accepting a risk)