Thank you! Cheers!

I came here to say the same thing. HR conducts backgrounds, and upon successful completion of the hiring process, initializes the provisioning of an account by sending the request to the IT department. When employment is terminated, HR sends the deprovisioning request to IT. I think this question is the prime example of "think like a manager" and not apply the technical lens. I have heard over and over again that the CISSP is about a managerial mindset and not technical.

you are welcome

Risk avoidance would mean that she is changing her overall business model but in this case she is accepting the potential revenue loss and compliance risk. However based on the scenario presented, Alice's decision to forgo credit card payments due to the high cost of PCI DSS compliance aligns with the concept of risk acceptance as she is accepting the risk of not meeting PCI DSS standards and potential revenue loss because she has determined that the costs of compliance are too high compared to the benefits. The BEST answer is Risk Acceptance.

It appeared that Alice chose not to proceed with this additional line of business. The question was unclear on the SPECIFIC action that Alice took.

I think the way the question was structured wasn't specific enough..., but If I am correct, Risk Acceptance is the best choice, because I guess Alice accepted her current mode of card payment... the correct answer is not based on the decision of not going for PCI-DSS option. However, Risk avoidance would be best if Alice realized the risk of her current transaction of card payment is higher or cannot be easily mitigate compared to the PCI DSS.

The format of the questions is the same... remember, for CISSP, you have to think like a manager