Within the realm of IT security, which of the following combinations best defines risk?

A.
Threat coupled with a breach.

B.
Threat coupled with a vulnerability.

C.
Vulnerability coupled with an attack.

D.
Threat coupled with a breach of security.

Explanation:
Risk is defined as “the probability of a threat agent exploiting a vulnerability and the associated impact”.
The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of
the individual methodologies has the same basic core components (identify vulnerabilities, associate threats,
calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know
which is the best approach for your organization and its needs.
NIST developed a risk methodology, which is specific to IT threats and how they relate to information security
risks. It lays out the following steps:
System characterization
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
Impact analysis
Risk determination
Control recommendations
Results documentation
Incorrect Answers:
A: Threat coupled with a breach is not the definition of risk.
C: Vulnerability coupled with an attack is not the definition of risk.
D: Threat coupled with a breach of security is not the definition of risk.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 77-79