Which approach involves continually balancing protection of agency information and assets with the cost of security controls and mitigation strategies?

Multiple Choice

Explanation:
Balancing protection of agency information and assets with the cost of security controls is risk management in practice. It treats security as an ongoing decision-making process: identify what needs protection, assess threats and vulnerabilities, estimate risk, and then select controls that reduce risk to an acceptable level while considering cost, complexity, and operational impact. This approach leads to a cost-effective security posture where residual risk aligns with the organization’s risk tolerance, and it’s repeated whenever assets, threats, or budgets change. Other options focus on specific concepts—defense in depth emphasizes layering defenses, compliance-driven approaches aim to meet external standards, and formal certification is about obtaining an official attestation—rather than continuously optimizing security investments against risk.
