ISC Exam Questions

What can be defined as an event that could cause harm to the information systems?

A.
A risk

B.
A threat

C.
A vulnerability

D.
A weakness

Answer: B

Explanation:
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that
someone, or something, will identify a specific vulnerability and use it against the company or individual. The
entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder
accessing the network through a port on the firewall, a process accessing data in a way that violates the
security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could
expose confidential information.
Incorrect Answers:
A: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A weakness is the state of something being weak. For example, a weak security measure would be a
vulnerability. A weakness is not what is described in this question.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26