Question 438 of 500
Risk Response and Mitigation · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct choice is C, implementing technical controls like advanced email filtering and multi-factor authentication, because this directly addresses the organization’s low risk appetite by reducing both the likelihood and impact of phishing attacks through risk mitigation. While security awareness training is a compensating control that modifies behavior, it has proven insufficient on its own; technical controls such as SPF, DKIM, and DMARC validation block malicious emails at the gateway, and MFA neutralizes credential theft, thereby lowering residual risk to an acceptable level. On the CRISC exam, this scenario tests your ability to match a risk response to the organization’s risk appetite and the effectiveness of existing controls—a common trap is choosing transfer (option B) without verifying that outsourcing alone reduces likelihood, or accepting risk (option A) when appetite is low. Remember the memory tip: “Train the mind, but lock the gate”—training alone is a compensating control, but technical controls are the primary mitigation when appetite is low.

CRISC Risk Response and Mitigation Practice Question

This CRISC practice question tests your understanding of risk response and mitigation. Compare every option against the stated constraints before choosing — the best answer satisfies all requirements, not just the most obvious one. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. You have the following options:

A. Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
B. Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
C. Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D. Avoid the risk by discontinuing the use of email for business communications.

Which course of action is most appropriate given the organization's risk appetite and the current situation?

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.

Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Avoid the risk by discontinuing the use of email for business communications.

    Why it's wrong here

    Incorrect: Avoidance is impractical and would severely impact business operations.

  • Accept the risk because the training has reduced the likelihood, and further controls are too expensive.

    Why it's wrong here

    Incorrect: Attacks are still high, and low risk appetite makes acceptance unacceptable.

  • Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.

    Why this is correct

    Correct: Technical controls directly reduce likelihood and impact, aligning with low risk appetite.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).

    Why it's wrong here

    Incorrect: Transfer does not eliminate residual risk; the human factor remains, and an MSSP may not fully address phishing.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may choose Option B (transfer) thinking outsourcing removes all risk, but in reality, the organization retains accountability for breaches and regulatory fines, making mitigation (Option C) the most appropriate response given the low risk appetite.

Detailed technical explanation

How to think about this question

Advanced email filtering leverages protocols like SPF (RFC 7208) to verify that the sending IP is authorized for the envelope sender domain, DKIM (RFC 6376) to validate cryptographic signatures on the message, and DMARC (RFC 7489) to check that those authenticated domains align with the visible From address and to enforce the sender's published policy on unauthenticated mail. MFA, such as time-based one-time passwords (TOTP) per RFC 6238, adds a second authentication factor so that credentials harvested by a phishing page do not, on their own, grant access. In real-world scenarios, combining these controls with user training creates a defense-in-depth approach, reducing the success rate of phishing attacks even when users are tricked.
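As an added illustration (not part of the question bank), the following Python models the DMARC decision described above: a receiving gateway takes the SPF and DKIM results, checks whether the authenticated domains align with the From header domain, and applies the sender's published p= policy to anything that fails. The domain names, DMARC record and authentication results are constructed, and the organizational-domain check is approximated by a suffix match rather than a public-suffix lookup.

```python
# Added example (not from the question bank): a simplified RFC 7489 DMARC
# evaluation as a receiving gateway would perform it. Domain names, the
# DMARC record and the SPF/DKIM results are constructed sample values.
from dataclasses import dataclass


@dataclass
class AuthResults:
    header_from: str   # domain in the visible RFC5322.From header
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # domain SPF authenticated (RFC5321.MailFrom)
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    # RFC 7489 defaults: relaxed alignment for both identifiers
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same
    organizational domain, approximated here by a parent/child suffix match
    (a real implementation consults the public suffix list)."""
    a, h = auth_domain.lower(), header_from.lower()
    if mode == "s":
        return a == h
    return a == h or h.endswith("." + a) or a.endswith("." + h)


def dmarc_disposition(r: AuthResults, record: str) -> str:
    """Return 'pass' if SPF or DKIM passed AND aligns with the From domain,
    otherwise the sender's published policy: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed samples: a legitimate bulk mailer, then a spoofed From header
# sent from infrastructure that passes SPF only for an unrelated domain.
LEGIT = AuthResults("example.com", "pass", "bounce.example.com", "pass", "example.com")
SPOOF = AuthResults("example.com", "pass", "mailer.unrelated-sender.test", "none", "")
```

A spoofed From header with no aligned authentication receives the published policy, but a lookalike domain that publishes its own valid SPF and DKIM still passes DMARC, which is the gap that MFA is there to cover.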

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.



FAQ

Questions learners often ask

What does this CRISC question test?

This question tests Risk Response and Mitigation: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks. — Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.

What should I do if I get this CRISC question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

6 more ways this is tested on CRISC

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:

medium
  • A. Risk Transfer
  • B. Risk Mitigation
  • C. Risk Acceptance
  • D. Risk Avoidance

Why B: Option B is correct because implementing controls reduces the risk, which is mitigation.

Variation 2. A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?

hard
  • A. Deny the existence of the risk
  • B. Purchase cyber insurance to cover potential losses
  • C. Avoid using the cloud CRM system
  • D. Include security requirements in the contract and perform regular vendor audits

Why D: Option D is correct because contractually requiring the vendor to adhere to security standards and performing audits is a common risk mitigation approach. Option B is wrong as transferring via insurance doesn't reduce the actual risk. Option C is wrong as avoidance by not using the system may be too drastic. Option A is wrong as denial is not a risk response.

Variation 3. Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?

easy
  • A. Risk Transfer
  • B. Risk Acceptance
  • C. Risk Mitigation
  • D. Risk Avoidance

Why C: Option C is correct because the firewall rule blocks malicious traffic, which reduces risk, i.e., mitigation.

Variation 4. Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?

hard
  • A. Risk of cost; set a budget alert
  • B. Risk of data exposure; apply a deny rule to restrict access
  • C. Risk of availability; implement backup
  • D. No risk; the policy is standard

Why B: Option B is correct because the policy allows anyone to read objects, leading to data exposure; the appropriate response is to apply a deny rule or restrict access.

Variation 5. Based on the exhibit, which risk response should be prioritized?

medium
  • A. Implement account lockout policy
  • B. Avoid by taking the server offline
  • C. Accept the risk because it's only a single server
  • D. Transfer the risk to a cloud provider

Why A: Option A is correct because implementing account lockout directly addresses the threat of brute-force attacks, which is mitigation.

Variation 6. An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?

hard
  • A. Accept the risk
  • B. Implement compensating controls
  • C. Transfer via insurance
  • D. Avoid by decommissioning

Why B: Option B is correct because compensating controls mitigate the risk without replacing the system. Options A, C, and D are either unacceptable or impractical.

Last reviewed: Jun 25, 2026


This CRISC practice question is part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CRISC exam.