PrepAway - Latest Free Exam Questions & Answers

Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a
vulnerability?

A.
A risk.

B.
A residual risk.

C.
An exposure.

D.
A countermeasure.

Explanation:
A risk is the likelihood of a threat agent exploiting a vulnerability, together with the corresponding business impact. If a
firewall has several ports open, there is a higher likelihood that an intruder will use one of them to gain unauthorized
access to the network. If users are not educated on processes and procedures, there is a higher likelihood
that an employee will make an unintentional mistake that destroys data. If an intrusion detection system
(IDS) is not deployed on a network, there is a higher likelihood that an attack will go unnoticed until it is too late.
Risk ties the vulnerability, the threat, and the likelihood of exploitation to the resulting business impact.
Incorrect Answers:
B: Residual risk is the risk that remains after countermeasures have been implemented.
C: An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to
possible damage, but the exposure itself is not the likelihood of exploitation.
D: A countermeasure is a step taken to mitigate a risk.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 26
