Final answer:
The statement is true: estimating the expected loss is the standard way to decide whether the risk to an information asset is acceptable. Expected loss combines the probability that a threat (for example, a data breach) materializes with the impact it would have, and computing it is a core step of any risk management strategy.
Step-by-step explanation:
To determine whether the risk to an information asset is acceptable, an organization estimates the expected loss it would incur if the threat materialized, so the statement is true. In quantitative risk analysis this is done by multiplying the severity of a single occurrence (the single loss expectancy, SLE: the asset's value times the fraction of that value lost in one incident) by how often the threat is expected to occur per year (the annualized rate of occurrence, ARO); the product is the annualized loss expectancy, ALE. The ALE is then compared with the organization's risk appetite and with the cost of the controls that would reduce it: a control is worth buying when the reduction in ALE exceeds its annual cost.
When planning for potentially catastrophic risks, the asymmetry between the two possible mistakes matters. Underestimating a low-probability, high-impact threat can cause damage that the expected-loss figure alone understates: a breach that is unlikely in any given year can still be large enough to end the business if it does occur. Over-preparing wastes money and effort, but that cost is bounded and far smaller than the cost of being unprepared. For that reason the expected-loss test should be paired with a cap on the largest single loss the organization can survive.
An effective risk management strategy therefore balances the cost of controls against both the expected and the worst-case losses they prevent. Insurance works on the same principle: a fixed premium buys coverage for low-probability, high-impact events whose single occurrence would be unaffordable, and it can be the right purchase even when the premium exceeds the expected loss it removes. Understanding this trade-off between risk and return is essential to informed decisions, for individuals and organizations alike.
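The following is an added worked example, not part of the original answer, showing the expected-loss calculation described above (ALE = SLE x ARO) together with the two decision rules the discussion calls for: an annual risk appetite applied to the expected loss, and a cap on the worst single loss, which is what justifies insurance-style controls for rare, catastrophic events. The threats, asset values, rates and control costs are constructed figures chosen for illustration, and the class and function names are the example's own.

```python
"""Quantitative risk estimate: annualized loss expectancy (ALE) per threat,
an acceptability test, and a cost/benefit check for candidate controls.

Added example with constructed figures; the names below are illustrative."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV: value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost in one occurrence (0..1)
    aro: float               # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_after: float          # residual exposure factor once the control is in place
    aro_after: float         # residual annual rate of occurrence


def is_acceptable(t: Threat, appetite_per_year: float, max_single_loss: float) -> bool:
    """Expected-loss test plus a worst-case cap for low-probability, high-impact threats."""
    return t.ale <= appetite_per_year and t.sle <= max_single_loss


def residual(t: Threat, c: Control) -> Threat:
    """The same threat after the control reduces its EF and/or ARO."""
    return replace(t, exposure_factor=c.ef_after, aro=c.aro_after)


def net_value(t: Threat, c: Control) -> float:
    """Annual benefit of the control: ALE reduction minus the control's cost."""
    return (t.ale - residual(t, c).ale) - c.annual_cost


def assess(t: Threat, c: Control, appetite: float, cap: float) -> dict:
    """Summarize the decision inputs for one threat/control pair."""
    r = residual(t, c)
    return {
        "threat": t.name,
        "control": c.name,
        "ale_before": t.ale,
        "ale_after": r.ale,
        "acceptable_before": is_acceptable(t, appetite, cap),
        "acceptable_after": is_acceptable(r, appetite, cap),
        "net_value": net_value(t, c),
    }


# Constructed sample data (illustrative, not from any real organization).
RANSOMWARE = Threat("ransomware", asset_value=2_000_000, exposure_factor=0.5, aro=0.1)
LAPTOP_THEFT = Threat("laptop theft", asset_value=5_000, exposure_factor=1.0, aro=4)
DC_FLOOD = Threat("datacenter flood", asset_value=10_000_000, exposure_factor=0.8, aro=0.01)

OFFLINE_BACKUPS = Control("offline backups", annual_cost=30_000, ef_after=0.1, aro_after=0.1)
DISK_ENCRYPTION = Control("full-disk encryption", annual_cost=8_000, ef_after=0.2, aro_after=4)
FLOOD_INSURANCE = Control("flood insurance", annual_cost=75_000, ef_after=0.1, aro_after=0.01)

# Assumed risk appetite: up to $150k expected loss per year, and no single
# incident may exceed $2M (the largest loss the business could absorb).
APPETITE, CAP = 150_000, 2_000_000

if __name__ == "__main__":
    for t, c in [(RANSOMWARE, OFFLINE_BACKUPS),
                 (LAPTOP_THEFT, DISK_ENCRYPTION),
                 (DC_FLOOD, FLOOD_INSURANCE)]:
        print(assess(t, c, APPETITE, CAP))
```

Run as written, the flood case is the one to notice: its expected loss (80,000 per year) is inside the appetite, and insurance has a negative net value on an expected-loss basis (-5,000 per year), yet the threat is unacceptable before the control because one occurrence (8,000,000) exceeds the survivable cap, and acceptable after it. That is the asymmetry the answer describes: expected loss alone would have accepted a risk that the worst-case test rejects.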