In the past, the risk committee at Company A has shown an aversion to even minimal amounts of risk acceptance. A security engineer is preparing recommendations regarding the risk of a proposed introduction of legacy ICS equipment. The project will introduce a minor vulnerability into the enterprise. This vulnerability does not significantly expose the enterprise to risk and would be expensive against.

Which of the following strategies should the engineer recommend be approved FIRST?

A. Avoid
B. Mitigate
C. Transfer
D. Accept

Asked by user Gnathonic (8.8k points)

1 Answer


Final answer:

The security engineer should recommend the mitigation strategy as the first option for dealing with the introduction of legacy ICS equipment that poses a minor vulnerability, especially given Company A's past risk aversion.

Step-by-step explanation:

When a security engineer is preparing recommendations for the risk committee regarding the introduction of legacy Industrial Control Systems (ICS) equipment that brings a minor vulnerability, they should consider the risk appetite of the company. Since Company A has shown an aversion to even minimal amounts of risk acceptance in the past, it is likely that the risk committee will favor a strategy that does not involve accepting any risk that can be otherwise managed.

Given this context, option B, Mitigate, is the strategy the security engineer should recommend first. Mitigation involves implementing measures to reduce the potential impact of the risk. This could be more appealing to the risk committee than option D, Accept, given their past aversion to risk acceptance. Options A, Avoid, and C, Transfer, could be considered if mitigation is not feasible or if mitigation steps still leave unacceptable levels of risk.

Answered by user ShazSimple (8.1k points)
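The question and answer above reason about the four risk treatments qualitatively. The following is an added example, not part of the question or of either poster's text, that shows how the same choice looks once the risk is quantified. It assumes an annualized-loss model (ALE = SLE x ARO), a `Risk` dataclass, a `recommend` helper and constructed cost figures; none of these come from the page. The committee's tolerance for residual annual loss is what decides whether acceptance is even a candidate, which is the point both the question and the answer turn on.

```python
"""Risk treatment comparison: accept / mitigate / transfer / avoid.

Added example, not from the question or answer. It assumes a quantitative
risk model (ALE = SLE x ARO) and uses constructed cost figures throughout.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Risk:
    name: str
    sle: float                               # single loss expectancy (currency units)
    aro: float                               # annualized rate of occurrence
    mitigation_cost: float                   # annual cost of the compensating control
    mitigation_reduction: float              # fraction of ALE the control removes (0..1)
    transfer_cost: Optional[float] = None    # annual premium; None = not insurable
    transfer_coverage: float = 0.0           # fraction of ALE the insurer absorbs
    avoid_cost: Optional[float] = None       # annual cost of not doing the project

    @property
    def ale(self) -> float:
        """Annualized loss expectancy."""
        return self.sle * self.aro


def treatment_options(risk: Risk) -> Dict[str, Tuple[float, float]]:
    """Map each available treatment to (annual spend, residual ALE)."""
    ale = risk.ale
    opts = {
        "accept": (0.0, ale),
        "mitigate": (risk.mitigation_cost, ale * (1.0 - risk.mitigation_reduction)),
    }
    if risk.transfer_cost is not None:
        opts["transfer"] = (risk.transfer_cost, ale * (1.0 - risk.transfer_coverage))
    if risk.avoid_cost is not None:
        opts["avoid"] = (risk.avoid_cost, 0.0)
    return opts


def recommend(risk: Risk, tolerance_ale: float) -> Tuple[str, float]:
    """Pick the cheapest treatment whose residual ALE fits the committee's tolerance.

    Returns (strategy, expected annual cost = spend + residual ALE). When no
    available treatment brings residual loss under the tolerance, 'escalate'
    is returned so the decision goes back to the committee.
    """
    opts = treatment_options(risk)
    feasible = {k: v for k, v in opts.items() if v[1] <= tolerance_ale}
    if not feasible:
        return ("escalate", float("inf"))
    best = min(feasible, key=lambda k: feasible[k][0] + feasible[k][1])
    spend, residual = feasible[best]
    return (best, spend + residual)


# Constructed scenario mirroring the question: a minor vulnerability from
# legacy ICS gear that is expensive to control and, here, not insurable.
LEGACY_ICS = Risk(
    name="legacy ICS on enterprise network",
    sle=50_000.0, aro=0.05,                     # ALE = 2,500 per year
    mitigation_cost=40_000.0, mitigation_reduction=0.9,
    avoid_cost=120_000.0,                       # forgoing the project entirely
)

if __name__ == "__main__":
    # A tolerant committee accepts the 2,500/yr exposure; a risk-averse one
    # (tolerance below the ALE) rules acceptance out and mitigation wins.
    for tolerance in (5_000.0, 1_000.0, 100.0):
        strategy, cost = recommend(LEGACY_ICS, tolerance)
        print(f"tolerance {tolerance:>8,.0f}: {strategy:8s} (expected annual cost {cost:,.0f})")
```

Lowering `tolerance_ale` is how a risk-averse committee expresses itself in this model: at 5,000 per year acceptance is the cheapest feasible option, at 1,000 it is excluded and mitigation is chosen despite its cost, and at 100 only avoidance remains. The figures are constructed; substituting real SLE, ARO and control costs is what turns the exercise into a recommendation.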