
Cost of Mitigating Risks - CISM Exam Resource Practice Tests

Q). The cost of mitigating a risk should not exceed the:

A. annual loss expectancy.
B. value of the physical asset.
C. expected benefit to be derived.
D. cost to the perpetrator to exploit the weakness.

Answer: The correct answer is "C". The cost of mitigating a risk should never exceed the benefit expected from the mitigation. For example, it would be absurd to spend US$2,000 to protect against a risk whose worst-case loss is under US$200.

Annual loss expectancy (ALE) is wrong because a remote likelihood can make the ALE quite low, yet it may still be worthwhile to spend more than the ALE to protect against a loss that, if it occurred, would be far larger than the ALE suggests.

The value of the physical asset is wrong because it can be worth spending more than an asset is worth when that asset holds something of even greater value: a backup tape is valued not for the cost of the tape but for the data stored on it.

The cost to the perpetrator is wrong because exploiting a weakness can be very cheap for an attacker, so the defender often has to spend considerably more than the attacker does to prevent the weakness from being exploited.
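The reasoning above turns on three quantities: the single loss expectancy (SLE), the annualized rate of occurrence (ARO), and their product, the ALE. The following Python is an added worked example, not code from the original post, that encodes the decision rule the answer describes: compare the control's cost with the expected benefit (ALE before minus ALE after), and then apply the caveat that a control can still be justified when one occurrence would exceed what the organization can absorb. The `max_tolerable_loss` threshold, the class and function names, and all dollar figures are assumptions constructed for illustration, including the overspend, patching and backup-tape scenarios.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """An unmitigated risk, described by the two factors behind ALE."""
    name: str
    sle: float  # single loss expectancy: worst-case loss from one occurrence (USD)
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate mitigation and the residual risk it leaves behind."""
    name: str
    annual_cost: float   # annualized cost of the control (USD per year)
    residual_sle: float  # SLE once the control is in place
    residual_aro: float  # ARO once the control is in place

    @property
    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def expected_benefit(risk: Risk, control: Control) -> float:
    """Annual loss the control is expected to avoid (ALE before minus ALE after)."""
    return risk.ale - control.residual_ale


def net_annual_value(risk: Risk, control: Control) -> float:
    """Expected benefit less the annual cost of the control. Negative means the
    control costs more per year than the average annual loss it prevents."""
    return expected_benefit(risk, control) - control.annual_cost


def evaluate(risk: Risk, control: Control, max_tolerable_loss: float) -> str:
    """Classify a control as 'justified_by_ale', 'justified_by_tolerance' or
    'not_justified'.

    max_tolerable_loss is an assumed input (not part of the original post): the
    largest single-event loss the organization is prepared to absorb. It models
    the caveat that spending more than the ALE can be worthwhile when a single
    occurrence would be far larger than the ALE suggests.
    """
    if net_annual_value(risk, control) >= 0:
        return "justified_by_ale"
    # ALE alone does not pay for the control. It is still justified if the
    # uncontrolled single loss exceeds tolerance and the control brings the
    # residual single loss back within it.
    if risk.sle > max_tolerable_loss and control.residual_sle <= max_tolerable_loss:
        return "justified_by_tolerance"
    return "not_justified"


def worked_examples(max_tolerable_loss: float = 100_000.0) -> dict:
    """Constructed scenarios; the figures are illustrative, not from any real assessment."""
    cases = {
        # The post's own example: a $2,000 control against a $200 worst case.
        "overspend": (Risk("minor kiosk defacement", sle=200.0, aro=1.0),
                      Control("hardened kiosk build", annual_cost=2_000.0,
                              residual_sle=0.0, residual_aro=0.0)),
        # A cheap control that pays for itself on ALE alone.
        "patching": (Risk("web app compromise", sle=80_000.0, aro=0.5),
                     Control("monthly patch cycle", annual_cost=12_000.0,
                             residual_sle=80_000.0, residual_aro=0.125)),
        # The backup tape: the tape is cheap, the data on it is not. ALE is low
        # because loss is rare, but one loss would exceed tolerance.
        "backup_tape": (Risk("loss of unencrypted backup tape", sle=500_000.0, aro=0.02),
                        Control("encrypted off-site copies", annual_cost=15_000.0,
                                residual_sle=20_000.0, residual_aro=0.02)),
    }
    return {key: evaluate(risk, ctl, max_tolerable_loss) for key, (risk, ctl) in cases.items()}


if __name__ == "__main__":
    for scenario, decision in worked_examples().items():
        print(f"{scenario}: {decision}")
```

Running the script classifies the overspend case as not justified, the patching case as justified on ALE alone, and the backup-tape case as justified only by the single-loss tolerance check. The model deliberately leaves out the attacker's cost (option D): a weakness that is cheap to exploit raises the ARO, which is where attacker effort belongs in this calculation, rather than serving as a ceiling on what the defender should spend.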


Permalink 04/15/06 11:10:41 pm, by big4guy, Question of the Day
