What technique MOST clearly indicates whether specific risk-reduction controls should be implemented?

Prepare for CISSP Domain 2 Information Risk Management. Study with multiple choice questions, each question offers insights and explanations. Ace your exam!

Cost-benefit analysis is a technique that evaluates the potential costs involved in implementing specific risk-reduction controls against the anticipated benefits of those controls. By conducting a cost-benefit analysis, organizations can determine whether the financial investment in controls will likely lead to a reduction in risk that outweighs the costs associated with implementing and maintaining those controls. This helps prioritize resource allocation and ensures that decisions are data-driven, aligning security investments with overall business objectives.

In contrast, penetration testing focuses on identifying vulnerabilities in a system by simulating an attack, but it does not directly indicate whether specific controls should be implemented based on cost versus benefit. Frequent risk assessment programs are essential for understanding the current risk landscape but do not necessarily provide a clear financial perspective on whether specific controls should be adopted. Similarly, annual loss expectancy calculations estimate potential losses due to risk but do not take into account the specific costs associated with implementing risk-reduction controls, nor do they provide a comparative analysis of costs and benefits of those controls.
