Select the option that presents an INCORRECT attribution of residual or secondary risk.

a$.$ Organizations rely on various suppliers and partners. Even with due diligence, supply chain risks persist. A compromised supplier could introduce vulnerabilites into the organization's systems, creating residual risk.

b$.$ Organizations heavily rely on encryption to protect data in transit and at rest. However, if encryption keys are compromised $($secondary risk$).$ attackers can decrypt sensitve information, exposing data. It is an example of residual risk.

c$.$ Despite implementing security controls and risk assessments, a data breach remains a residual risk through a third$-$party vendor. For instance, if a vendor experiences a breach, sensitive data shared with them could be compromised.