The correct answer is The cost to implement the mitigation is greater than the asset value and expected loss.

The cost to implement the mitigation is greater than the asset value and expected loss is correct because risk acceptance is a valid decision when the expense of a control exceeds the expected benefit. Organizations commonly calculate expected loss as probability times impact and then compare that to the implementation and operational cost of a control. If the mitigation cost is higher than the asset value and the calculated expected loss then accepting the residual risk is the most plausible and rational business decision.

The cost to implement the mitigation is greater than the asset value and expected loss also fits the scenario of a large maritime logistics firm because these organizations balance availability and continuity needs against practical budgets and operational priorities. The assessor reported a weakness but not every reported weakness requires mitigation if the cost to fix it would be disproportionate to the benefit.

The probability of a denial of service incident is unknown is not the best reason because an unknown probability alone does not justify forgoing mitigation. Decision makers use expected loss estimates that incorporate uncertainty and they can apply conservative probabilities or sensitivity analysis rather than simply not acting.

Existing protections reduce the threat to an acceptable level is plausible but was marked incorrect because the question asks for the most plausible reason. If existing protections already made the risk acceptable then the assessor would likely note that. The stem instead points to a classic cost versus value trade off which makes the cost explanation stronger.

Implementing the recommended control is too complex to execute is not the primary reason in this case because complexity by itself does not explain why further defenses were not added. Complexity usually maps back to cost, timeline, or feasibility, and the cleaner explanation is that the cost and expected loss trade off made mitigation unjustifiable.

Full AWS Practitioner Certification Question