Quick Answer
The correct choice is C, implementing technical controls like advanced email filtering and multi-factor authentication, because this directly addresses the organization’s low risk appetite by reducing both the likelihood and impact of phishing attacks through risk mitigation. While security awareness training is a compensating control that modifies behavior, it has proven insufficient on its own; technical controls such as SPF, DKIM, and DMARC validation block malicious emails at the gateway, and MFA neutralizes credential theft, thereby lowering residual risk to an acceptable level. On the CRISC exam, this scenario tests your ability to match a risk response to the organization’s risk appetite and the effectiveness of existing controls—a common trap is choosing transfer (option B) without verifying that outsourcing alone reduces likelihood, or accepting risk (option A) when appetite is low. Remember the memory tip: “Train the mind, but lock the gate”—training alone is a compensating control, but technical controls are the primary mitigation when appetite is low.
CRISC Risk Response and Mitigation Practice Question
This CRISC practice question tests your understanding of risk response and mitigation. Compare every option against the stated constraints before choosing — the best answer satisfies all requirements, not just the most obvious one. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. You have the following options:
- A. Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
- B. Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
- C. Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
- D. Avoid the risk by discontinuing the use of email for business communications.
Which course of action is most appropriate given the organization's risk appetite and the current situation?
Correct answer & explanation
Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.
Key principle: answer the scenario, not the keyword; identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ Avoid the risk by discontinuing the use of email for business communications.
  Why it's wrong here: avoidance is impractical and would severely impact business operations.
- ✗ Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
  Why it's wrong here: attacks are still high, and a low risk appetite makes acceptance unacceptable.
- ✓ Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
  Why this is correct: technical controls directly reduce likelihood and impact, aligning with the low risk appetite.
  Related concept: read the scenario before looking for a memorised answer.
- ✗ Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
  Why it's wrong here: transfer does not eliminate residual risk; the human factor remains, and an MSSP may not fully address phishing.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may choose Option B (transfer) thinking outsourcing removes all risk, but in reality, the organization retains accountability for breaches and regulatory fines, making mitigation (Option C) the most appropriate response given the low risk appetite.
Detailed technical explanation
How to think about this question
Advanced email filtering relies on protocols such as SPF (RFC 7208), which checks that the sending IP is authorized for the envelope-sender domain; DKIM (RFC 6376), which validates a cryptographic signature over selected headers and the body; and DMARC (RFC 7489), which requires a passing SPF or DKIM identifier to align with the visible From domain and applies the domain owner's published policy (none, quarantine or reject) to messages that fail. MFA, such as time-based one-time passwords (TOTP) per RFC 6238, adds a second authentication factor so that credentials stolen through phishing do not by themselves grant access. In practice, combining these controls with user training creates a defense-in-depth approach that lowers the success rate of phishing attacks even when users are tricked.
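To make the DMARC alignment step concrete, here is an added example (not code from the page or from any mail product) that evaluates constructed SPF/DKIM results against a made-up DMARC record in the manner of RFC 7489. The organizational-domain helper is a deliberate simplification (last two labels) and is an assumption of this example; real gateways consult the Public Suffix List.

```python
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=s"  # constructed policy for example.com

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record into a dict of lowercase values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Simplification: take the last two labels as the organizational domain.
    # Real implementations use the Public Suffix List (e.g. for example.co.uk).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' an organizational-domain match."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf, dkim, record=DMARC_RECORD):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    Returns (dmarc_pass, disposition). DMARC passes when at least one
    authenticated identifier aligns with the RFC5322.From domain; only
    failing messages receive the published p= policy."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")

# Constructed messages: (From domain, SPF result, DKIM result)
SAMPLES = [
    ("example.com", ("pass", "example.com"), ("pass", "example.com")),          # genuine mail
    ("example.com", ("pass", "bulk-sender.example"), ("none", "")),             # From domain spoofed
    ("example.com", ("fail", "bulk-sender.example"), ("pass", "mail.example.com")),  # aligned DKIM (relaxed)
    ("example.com", ("pass", "mail.example.com"), ("none", "")),                # strict aspf: subdomain not aligned
]

def dispositions():
    return [dmarc_evaluate(f, s, d)[1] for f, s, d in SAMPLES]

if __name__ == "__main__":
    for sample, disp in zip(SAMPLES, dispositions()):
        print(sample[0], sample[1], sample[2], "->", disp)
```

Only the messages in which no aligned identifier authenticates receive the reject disposition; this is why a passing SPF check alone is not enough to stop a lookalike sender that spoofs the From header.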
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
6 more ways this is tested on CRISC
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1 (medium). A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:
- A. Risk Transfer
- ✓ B. Risk Mitigation
- C. Risk Acceptance
- D. Risk Avoidance
Why B: Option A is correct because implementing controls reduces the risk, which is mitigation.
Variation 2 (hard). A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?
- A. Deny the existence of the risk
- B. Purchase cyber insurance to cover potential losses
- C. Avoid using the cloud CRM system
- ✓ D. Include security requirements in the contract and perform regular vendor audits
Why D: Option A is correct because contractually requiring the vendor to adhere to security standards and performing audits is a common risk mitigation approach. Option B is wrong as transferring via insurance doesn't reduce the actual risk. Option C is wrong as avoidance by not using the system may be too drastic. Option D is wrong as denial is not a risk response.
Variation 3 (easy). Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?
- A. Risk Transfer
- B. Risk Acceptance
- ✓ C. Risk Mitigation
- D. Risk Avoidance
Why C: Option B is correct because the firewall rule blocks malicious traffic, which reduces risk, i.e., mitigation.
Variation 4 (hard). Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?
- A. Risk of cost; set a budget alert
- ✓ B. Risk of data exposure; apply a deny rule to restrict access
- C. Risk of availability; implement backup
- D. No risk; the policy is standard
Why B: Option A is correct because the policy allows anyone to read objects, leading to data exposure; the appropriate response is to apply a deny rule or restrict access.
Variation 5 (medium). Based on the exhibit, which risk response should be prioritized?
- ✓ A. Implement account lockout policy
- B. Avoid by taking the server offline
- C. Accept the risk because it's only a single server
- D. Transfer the risk to a cloud provider
Why A: Option A is correct because implementing account lockout directly addresses the threat of brute-force attacks, which is mitigation.
Variation 6 (hard). An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?
- A. Accept the risk
- ✓ B. Implement compensating controls
- C. Transfer via insurance
- D. Avoid by decommissioning
Why B: Option B is correct because compensating controls mitigate the risk without replacing the system. Options A, C, and D are either unacceptable or impractical.
Last reviewed: Jun 25, 2026
This CRISC practice question is part of Courseiva's free ISACA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CRISC exam.