The cost of implementing a security control should not exceed the: 

Answer options:

A. annualized loss expectancy.
B. cost of an incident.
C. asset value.
D. implementation opportunity costs.

C

The cost of implementing security controls should not exceed the worth of the asset. Annualized loss expectancy represents the losses drat are expected to happen during a single calendar year. A security mechanism may cost more than this amount (or the cost of a single incident) and still be considered cost effective. Opportunity costs relate to revenue lost by forgoing the acquisition of an item or the making of a business decision.