PrepAway - Latest Free Exam Questions & Answers


What is the term for the probability that a threat to an information system will materialize?


A. Threat
B. Risk
C. Vulnerability
D. Hole

Explanation:
A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood that an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A hole is not the probability that a threat to an information system will materialize.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
