Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The project team identified some risks as follows:
R001 – The company’s reputation might be damaged.
R002 – The business process of shipping might be disrupted.
R003 – The attackers might initiate distributed denial of services (DDOS).
Aa a security professional, which of the following should be mitigated first?
A. R001
B. R002
C. R003
D. None of the above

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. None of the above.

This question is asking about “mitigated first.” The term “first” implies that the risks are prioritized, and the term “mitigated” specifies the risk treatment option or strategy.

An informed decision should be made based on sufficient information or due diligence. There are three risks available. What’re the criteria to prioritize them? It’s common to prioritize risk based on risk exposure or risk score, which take likelihood and impact into consideration.

R001 doesn’t describe what event or condition may happen (likelihood) that will damage the company’s reputation (impact). R002 doesn’t either. R003 describes the event (likelihood) but without impact.

As the risks are not described or defined well, the risk analysis can’t be effective to work out risk exposures or risk scores.

A risk can be avoided, transferred, mitigated, accepted, or escalated. You can’t decide how to respond or handle a risk before the risk assessment is completed.

As a result, you shouldn’t take any action. None of the above should be handled.