Most organizations have a security policy created by senior management, which lays out the philosophy of security in the organization and identifies big$-$picture security goals. In addition, organizations use personnel policies, such as separation of duties and mandatory vacations, to help prevent fraud. They also conduct training to raise the security awareness of personnel.

Organizations also review the performance of employees annually. A performance plan is a tool that sets goals for an employee. Performance plans have specific requirements for more effective outcomes.

$1.$ In addition to policies and training, should performance plans for all mid$-$ to senior$-$level employees include a specific objective or task related to IT risk management? Why or why not?

A risk mitigation plan includes details on how and when to implement countermeasures.

$1.$ Regarding the following, what do you believe plays the more significant role in the decision to implement a countermeasure that protects a mission$-$critical resource? Defend your choice with valid rationale.

o Cost to implement the countermeasure

o Operational impact of the countermeasure on normal operations