Operational/Organizational Security


Questions derived from the CompTIA SY0-101 – Security+ Self Test Software Practice Test.

Objective: Operational/Organizational Security
SubObjective: Understand and be able to explain the following concepts of risk identification: Asset Identification, Risk Assessment, Threat Identification, Vulnerabilities

 

Item Number: SY0-101.5.7.6
Single Answer, Multiple Choice

 

In which situation will you accept a risk?

  A. When the cost of the safeguard exceeds the amount of the potential loss.
  B. When the cost of the safeguard is equal to the amount of the potential loss.
  C. When the cost of the safeguard is less than the amount of the potential loss.
  D. When the cost of the safeguard is justifiable to fulfill the security objectives.

 

Answer:
A. When the cost of the safeguard exceeds the amount of the potential loss.

 

Tutorial:
An organization may decide not to implement a safeguard if its cost exceeds the amount of the potential loss. For example, it would not be wise to implement a $10,000 safeguard to protect information assets worth $7,000. In such a situation, an organization may choose to live with the risk. If the organization decides to accept the risk and is aware of the amount of loss it might incur, the risk is termed a residual risk. Residual risk is the amount of risk that remains after applying the controls.

It is a prudent practice to transfer the residual risk through insurance coverage. This ensures that the organization has sufficient coverage to mitigate the loss that it might incur due to the residual risk. Rejecting the risk is not an effective security practice because the organization is aware of the loss potential but is not implementing controls to mitigate it.

 

Reference:
Wikipedia.org, Risk Analysis, http://en.wikipedia.org/wiki/Risk_analysis

cmadmin
