A cybersecurity analyst assesses vulnerabilities in a legacy, mission-critical application that cannot be patched without major downtime. The flaws are rarely exploited in the wild, potential impact is low, and strong compensating controls with continuous monitoring are in place. Which risk treatment should the analyst recommend?
Recommend transferring the risk to a third-party vendor specializing in legacy application security.
Recommend mitigating the risk immediately by taking the application offline for patching.
Recommend accepting the risk and continuing to monitor for any changes in threat exposure.
Recommend avoiding the risk by ceasing the use of the application and seeking an alternative solution.
Accepting the risk is appropriate because the likelihood and impact are low, remediation would cause significant operational disruption, and layered monitoring controls can promptly detect misuse. Transferring risk would not remove the operational burden, immediate mitigation would create unacceptable downtime, and avoiding the risk would mean retiring a mission-critical system.