Exam CRISC topic 1 question 789 discussion

B. Cost versus benefit of additional mitigating controls. The most important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system is the cost versus the benefit of adding additional mitigating controls. Residual risk represents the level of risk that remains after controls have been applied. It's essential to evaluate whether the cost of implementing additional controls to further reduce this residual risk is justified by the potential benefits and the criticality of the system. While factors like the cost of the information control system, the annualized loss expectancy (ALE), and the frequency of business impact are relevant, they should be considered in the context of whether the cost of additional controls is proportionate to the reduction in risk they provide. This cost-benefit analysis helps organizations make informed decisions about accepting or mitigating residual risk.

Agree it is B.

Annualized loss expectancy (ALE) for the system can be a useful metric for assessing the overall risk profile of a critical system, but it is not as helpful as the cost versus benefit analysis in determining whether to accept residual risk or implement additional mitigating controls. ALE provides an estimate of the potential financial impact of a security incident, but it does not take into account the costs associated with implementing additional controls or the potential benefits that those controls could provide.

ALE determine total maximum amount can be expended to mitigate particular risk. Residual risk (Threats × vulnerability × asset value) × controls gap . Once mitigation of risk performed remaining risk compare against ALE. so will go with C as right answer. If question have talk about additional mitigation we may be consider B.

B makes more sense, it will include the ALE in the BIA

Can someone explain why C - ALE Is it because you are comparing it to the annual appetite?