PrepAway - Latest Free Exam Questions & Answers

Which of the following is NOT a part of a risk analysis?


A. Identify risks

B. Quantify the impact of potential threats

C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure

D. Choose the best countermeasure

Explanation:
Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

A risk analysis has four main goals:
1. Identify assets and their value to the organization.
2. Identify vulnerabilities and threats.
3. Quantify the probability and business impact of these potential threats.
4. Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure would be part of risk mitigation.

Incorrect Answers:
A: Identifying risks is part of risk analysis.
B: Quantifying the impact of potential threats is part of risk analysis.
C: Providing an economic balance between the impact of the risk and the cost of the associated countermeasure is part of risk analysis.

Reference: Harris, Shon. All-in-One CISSP Exam Guide, 6th Edition. McGraw-Hill, New York, 2013, p. 74.
