An organization's security team has completed a quantitative risk assessment. The ALE for a specific threat scenario is $500,000. A proposed control costs $600,000 annually to implement. What is the MOST appropriate recommendation?

Question

Accepted Answer

B. Do not implement the control because its annual cost exceeds the ALE. In quantitative risk assessment, the cost-benefit analysis requires that the cost of a control (annualized) not exceed the risk reduction it provides (ALE or the portion of ALE mitigated). A $600,000 annual control cost for a $500,000 ALE produces negative ROI, making the control economically unjustifiable unless other non-financial factors apply. The CAS-005 V5 objectives include risk management and impact analysis under the GRC domain.

An organization's security team has completed a quantitative risk assessment. The ALE for a specific threat scenario is $500,000. A proposed control costs $600,000 annually to implement. What is the MOST appropriate recommendation?

Related Questions

Discussion