After completing the risk assessment against information systems, your organization attempts to mitigate identified risks. Which of the following is least likely implemented? (Wentz QOTD)
A. Setting out information security policy
B. Deploying a signature-based IDS
C. Implementing biometric access control
D. Buying cybersecurity insurance

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Buying cybersecurity insurance.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

We typically implement security controls to mitigate risk. Security controls can be divided into three categories:

• Administrative: setting out information security policy
• Technical: deploying a signature-based IDS
• Physical: implementing a biometric-based physical access control system

Buying cybersecurity insurance is typically treated as a means of transferring risk instead of mitigating risk.

Reference

---

完成針對信息系統的風險評估後，您的組織將嘗試減輕已識別的風險。 以下哪項最不可能實施？ (Wentz QOTD)
A. 制定信息安全
B. 部署基於簽名的 IDS
C. 實施生物識別訪問控制
D. 購買網絡安全保險