An information security manager has identified a risk with a high likelihood and high impact. The cost of mitigating the risk exceeds the potential loss. What is the MOST appropriate risk treatment strategy?
Why this answer
When mitigation cost exceeds potential loss, risk acceptance is appropriate if the risk is within the organization's risk appetite. Alternatively, risk transfer (e.g., insurance) could be considered, but acceptance is often the primary choice when the cost-benefit is negative.
Exam trap
Candidates may choose 'mitigate' without considering cost-benefit analysis; CISM emphasizes aligning treatment with business value.
Why the other options are wrong
Mitigation: its cost exceeds the potential loss, making it an inefficient use of resources.
Transfer (e.g., insurance) may still be expensive; acceptance is the more direct choice when the cost of transfer is also high.
Avoidance would mean discontinuing the activity, which may not be feasible or cost-effective.