What term describes deciding to accept a risk identified during a test rather than mitigating the vulnerability?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

What term describes deciding to accept a risk identified during a test rather than mitigating the vulnerability?

Explanation:
Risk acceptance is the decision to take on a risk rather than implementing controls to mitigate it. In practice, after identifying a vulnerability, you assess its likelihood and impact and determine that the cost, effort, or practicality of remediation isn’t justified compared to the risk it poses. You document the residual risk and monitor it, but do not deploy fixes or compensating controls.

If you were to mitigate the risk, you’d be engaging in risk reduction, which lowers either the chance of exploitation or the impact of a successful exploit. If you were to transfer the risk, you’d shift the potential impact to another party, such as through insurance or outsourcing. If you were to avoid the risk, you’d change plans to eliminate exposure entirely, for example by not performing the activity that creates the vulnerability.

So the correct term, describing the choice to accept the risk rather than mitigating it, is risk acceptance.