Which of the following is NOT a component of an Operations Security “triples”?

A.
Asset

B.
Threat

C.
Vulnerability

D.
Risk

Explanation:
The term operations security refers to the act of understanding the threats to and vulnerabilities of computer
operations in order to routinely support operational activities that enable computer systems to function correctly.
Like the other domains, the Operations Security domain is concerned with triples: threats, vulnerabilities, and
assets. We will now look at what constitutes a triple in the Operations Security domain:
A threat in the Operations Security domain can be defined as the presence of any potential event that could
cause harm by violating security. An example of an operations threat is an operator’s abuse of privileges
that violates confidentiality.
A vulnerability is defined as a weakness in a system that enables security to be violated. An example of an
operations vulnerability is a weak implementation of the separation of duties.
An asset is considered anything that is a computing resource or ability, such as hardware, software, data,
and personnel.‘Risk’ is not a component of the Operations Security “triples”.

Krutz, Ronald L. and Russel Dean Vines, The CISSP Prep Guide: Mastering the Ten Domains of Computer
Security, John Wiley & Sons, New York, 2001, p. 216
Krutz, Ronald L. and Russell Dean Vines, The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams,
2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 302