A newly appointed risk management director for the IT department at your company, a major automobile parts manufacturer, needs to conduct a risk analysis for a new system which the developers plan to bring on-line in three weeks. The director begins by reviewing a thorough and well-written security assessment of the system. The report lists a manageable volume of infrequently exploited security vulnerabilities. The likelihood of a malicious attacker exploiting one of the vulnerabilities is low; however, the director still has some reservations about approving the system. What is a valid reason behind the reservations he has?

A. Government regulations prevent the director from approving a system with vulnerabilities.
B. The resulting impact of even one attack being realized might cripple the company financially.
C. The director is being rushed to approve a project before an adequate assessment has been performed.
D. The director should be uncomfortable accepting any security vulnerabilities and should find time to correct them before the system is deployed.

B
Explanation: A valid reason behind the director's reservations is that the resulting impact of even one attack being realized might cripple the company financially.
Government regulations do NOT prevent the director from approving a system with vulnerabilities. It is next to impossible to eliminate all vulnerabilities. Government regulations will not require their elimination, just their mitigation.
An adequate assessment has been performed as indicated in the scenario.
Security vulnerabilities cannot be completely eliminated. The security director should try to mitigate them, but cannot expect to correct all of them.

Computer Science & Information Technology
