Exam CISSP topic 1 question 349 discussion

Not sure why people are choosing C. How can you calculate the ROI if you don't know the ARO?

"prior to the purchase" is a key. Answer C.

Not sure how you can calculate loss from "software bugs and vulnerabilities" before you buy? Vendor will unlikely disclose defects in adequate detail.

ARO not given, answer is A.

A. Answer C is not actively minimizing anything like the question is asking for. Answer A says "require" as well which could imply it is requiring the other company to have this test done so it may not add any extra cost to our organization.

While calculating potential losses is useful for risk assessment, it does not actively mitigate the risk. It’s more of a risk assessment step rather than a risk mitigation step. Testing the software to identify and fix issues is a more proactive approach to minimizing financial risk — or get an insurance coverage if applicable.

C or A ... Answer is C. It is much more wholesome and comprehensive than A.

Its asking what steps to take to minimize the financial risk. Wouldn't it be A to begin with because C is not really helping minimize anything?

Answer A) I think C is wrong. How can you calculate something when you don't know anything about the problems a software may or may not have. FYI, This is not a plug for this company...but it makes sense to do you due diligence prior to spending, potentially, millions on a software. https://www.testpros.com/automation/software-testing-services/

C. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system's overall price. To minimize financial risk, the manufacturing organization should perform a cost-benefit analysis by calculating the potential loss in revenue that could result from software bugs and vulnerabilities in the industrial machine system. By comparing this potential loss to the system's overall price, the organization can make an informed decision about whether the investment is justified and if additional measures, such as thorough testing, are necessary.

C. Calculate the possible loss in revenue to the organization due to software bugs and vulnerabilities, and compare that to the system's overall price. To minimize financial risk in the new venture prior to the purchase, the manufacturing organization should calculate the possible loss in revenue that could result from software bugs and vulnerabilities in the industrial machine system's software. By comparing this potential loss to the overall price of the system, the organization can make a more informed decision about whether the investment is financially viable. While the other options (requiring thorough testing by an independent company, hiring a performance tester, placing the machine behind a Layer 3 firewall) may be relevant to the organization's overall risk management strategy, they do not directly address the need to assess financial risk and determine the cost-effectiveness of the investment.

I go with A. While calculating the possible loss in revenue due to software bugs and vulnerabilities may be useful in assessing the financial risk, it is not a replacement for a thorough software testing process. The organization should prioritize testing the software in advance to reduce the risk of these issues occurring in the first place.

Can’t force accreditation unless other options available. Answer is C.

The financial risk to the manufacturing organization starting production is high. Risk Acceptance/Mitigation

I'm torn between A and C, anyone have input?