CRISC Risk Response and Mitigation Strategies

Question 1

Which risk response option involves purchasing cyber liability insurance to cover potential losses?

Accepted Answer

Risk transfer

Answer

Risk transfer shifts the financial consequences of a risk to a third party (e.g., an insurer), though it does not eliminate the underlying risk.

Question 2

A company decides to discontinue an e-commerce feature because its security risks are too high. This is an example of:

Accepted Answer

Risk avoidance

Answer

Risk avoidance eliminates the risk entirely by choosing not to engage in the activity that creates the risk.

Question 3

Which factor is MOST important when selecting between risk mitigation options?

Accepted Answer

Cost-effectiveness relative to the risk reduction achieved

Answer

Risk response selection should be driven by whether the cost of the control is justified by the reduction in risk exposure it delivers.

Question 4

Residual risk that remains after mitigation controls are applied should be compared against which benchmark?

Accepted Answer

The organization's defined risk tolerance

Answer

Residual risk must be compared to the organization's risk tolerance to determine whether it has been reduced to an acceptable level.

Question 5

Which risk response is MOST appropriate for a low-likelihood, low-impact risk?

Accepted Answer

Risk acceptance

Answer

Low-likelihood, low-impact risks are typically accepted because the cost of mitigation outweighs the potential benefit.

CRISC - Certified in Risk and Information Systems Control Practice Test