
Your company is a well-known cloud services provider. You learned about from a threat intelligence report that the Meltdown and Spectre bugs are hardware-level vulnerabilities affecting almost all brands of CPUs. The Meltdown attack allows a rogue process exploiting the race condition to read all memory space and leads to unauthorized access. The Spectre attack is a timing attack employing the speculative execution so that even a scripted malware can read all the process’s memory. After iterations of risk treatments, the latest software patches still hinder the system performance significantly. Supported by considering all the risk treatment options, the senior management decides to accept the risk. Which of the following least reflects the management decision?
A. Monitor and respond to the risk until the risk materializes
B. The risk exposure of inherent risk is lower than the risk acceptance criteria
C. The risk exposure of residual risk is lower than the risk acceptance criteria
D. Leave the risk in the risk register and keep monitoring it


