Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?
A . Historical cost of the asset
B . Acceptable level of potential business impacts
C . Cost versus benefit of additional mitigating controls
D . Annualized loss expectancy (ALE)
Answer: C
Explanation:
The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.