A security incident happens three times a year on a company's database server costing the company $1,500 in downtime per occurrence. The database server is only for archival access and is scheduled to be decommissioned in five years. The cost of implementing software to prevent this incident would be $15,000 initially, plus $1,000 a year for maintenance. Which of the following is the MOST cost

effective manner to deal with this risk?

A. Transfer the risk.
B. Accept the risk.
C. Avoid the risk.
D. Mitigate the risk.

---

D
Explanation: The most cost effective manner to deal with this risk is to mitigate it. Over the next five years, the security incident can occur 15 times. At $1,500 per occurrence, the total is $22,500. The software to prevent the incident would cost $15,000 plus $1,000 each year or $20,000. Because the control costs less than the expected costs of the incident, you should mitigate the risk.
You transfer a risk when you contract with a third party so that the third party is responsible for the risk.
You should accept a risk if the cost of the controls is more than the estimated incident costs.
You should not avoid the risk. From the scenario, it appears that your company cannot avoid this risk because it has already occurred.