Which of the following is the MOST important criterion when deciding whether to accept residual risk?
When deciding whether to accept residual risk, the most important criterion is the cost of additional mitigation. This criterion helps ensure that the decision is cost-effective and that the benefits of reducing the risk outweigh the expenditures. Even if an asset has a high annual loss expectancy (ALE), the cost-benefit analysis of additional mitigation measures is crucial to determine if accepting the residual risk is practical.
According to the Certified Information Security Manager (CISM) Review Manual: "Decisions to accept residual risk should be based on considerations such as the cost-effectiveness of additional mitigation, the criticality of the asset to the enterprise’s mission, the asset’s value and the impact of the asset’s loss." (CISM Review Manual 15th Edition, p. 124)
The MOST important criterion when deciding whether to accept residual risk is the cost of additional mitigation. Therefore, the correct answer is option C.
I think B is correct; in order to compare the cost you should know the ALE. Even if the risk is equal to or greater than the asset value, the annual rate of occurrence matters. So I think B.
Most important is the ALE. You cannot decide to accept the risk if you have not defined the ALE and matched it up to the cost of mitigation.
Cost of mitigating the asset, so the answer would be C.
If additional mitigation is too costly and not cost-effective enough, you can only accept the risk.
B. Annual loss expectancy (ALE)
Cost of additional mitigation. What if you have a high ALE but the cost of mitigation is even higher? I believe it is always about how much it costs.
I'm torn between B and, but leaning more towards C. If additional mitigation is not cost-effective and the risk is still deemed too high, then the only other choice would be risk avoidance. But if that isn't possible, the only thing a business can do is accept the residual risk. ALE is important for determining the potential loss an asset would suffer due to a threat realization over a year. But you can reduce ALE only up to a point, after which it stops being cost-effective.
ANSWER C: The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.
I vote A. Cost of replacing the asset.