Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes?
Correct Answer: B. Acceptance
Acceptance is used when an organization knowingly keeps a risk because it is necessary for operations or the cost/impact of fixing or replacing the system is too high.
In this case, the organization continues to run a legacy system with known risks because it is still required for business functions. They acknowledge the risk but decide to tolerate it rather than eliminate or transfer it.
Common reasons for risk acceptance with legacy systems:
System is critical to operations
Replacement is too expensive
No compatible modern alternative exists
Downtime risk is greater than the security risk
Why the other options are incorrect
A. Transference
Transference means shifting the risk to a third party (e.g., cyber insurance, outsourcing, managed services).
The scenario does not indicate the risk is being transferred—only that the system is being maintained internally despite known risks.
C. Avoidance
Avoidance means eliminating the risk entirely by discontinuing the activity/system.
If the organization avoided the risk, they would decommission or replace the legacy system, not continue operating it.
D. Mitigation
Mitigation involves reducing the likelihood or impact of the risk (patching, segmentation, compensating controls, etc.).
The question states the organization is maintaining the system with known risks for operational purposes—not actively reducing the risk—so this aligns with acceptance rather than mitigation.