PrepAway - Latest Free Exam Questions & Answers

Which of the following should George use to calculate the company’s residual risk?

As his company’s CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?


A.
threats × vulnerability × asset value = residual risk

B.
SLE × frequency = ALE, which is equal to residual risk

C.
(threats × asset value × vulnerability) × control gap = residual risk

D.
(total risk – asset value) × countermeasures = residual risk

Explanation:
C: Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The leftover risk after countermeasures are implemented is called residual risk. Residual risk differs from total risk, which is the risk companies face when they choose not to implement any countermeasures. While total risk is calculated as threats × vulnerability × asset value = total risk, residual risk is calculated as (threats × vulnerability × asset value) × control gap = residual risk. The control gap is the amount of protection the control cannot provide.

A is incorrect because threats × vulnerability × asset value does not equal residual risk; it is the equation for total risk. Total risk is the risk a company faces in the absence of any security safeguards or actions to reduce its overall risk exposure. Total risk is reduced by implementing safeguards and countermeasures, leaving the company with residual risk, the risk left over after safeguards are implemented.

B is incorrect because SLE × frequency is the equation for annualized loss expectancy (ALE), the expected yearly business impact of a threat exploiting a vulnerability. The frequency is the threat's annualized rate of occurrence (ARO). ALE is not equal to residual risk: ALE indicates how much money a specific type of threat is likely to cost the company over the course of a year. Knowing the real possibility of a threat and how much damage, in monetary terms, it can cause is important in determining how much should be spent to protect against that threat in the first place.

D is incorrect and is a distractor. No such formula is used in risk assessments. The actual equations are threats × vulnerability × asset value = total risk and (threats × vulnerability × asset value) × control gap = residual risk.
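The following worked example is added here to show the three formulas from the explanation side by side on one scenario; it is not part of the original question or explanation. The numeric scales are assumptions: threat and vulnerability are treated as probabilities in [0, 1], asset value, SLE and safeguard cost are in currency units, and the control gap is the fraction of total risk the safeguard cannot remove. The sample scenario is constructed, and the safeguard cost/benefit line (ALE before minus ALE after minus annual cost of the safeguard) is the standard cost/benefit comparison the explanation alludes to when it asks how much should be spent on protection, not a formula the question itself states.

```python
"""Risk arithmetic: total risk, residual risk, ALE and safeguard value.

Added example, not code from the original page. Numeric scales are assumptions
(see the lead-in); the Scenario values below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float           # probability the threat is realized (assumed 0..1 scale)
    vulnerability: float    # probability the threat succeeds against the weakness (0..1)
    asset_value: float      # value of the asset at risk, currency units
    control_gap: float      # fraction of total risk the safeguard cannot remove (0..1)
    aro: float              # annualized rate of occurrence of the threat
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    safeguard_cost: float   # annual cost of the safeguard, currency units


def _check_fraction(value: float, label: str) -> None:
    """Probabilities, exposure factors and control gaps must stay within [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must be in [0, 1], got {value}")


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """threats x vulnerability x asset value = total risk (no safeguards in place)."""
    _check_fraction(threat, "threat")
    _check_fraction(vulnerability, "vulnerability")
    return threat * vulnerability * asset_value


def residual_risk(threat: float, vulnerability: float, asset_value: float,
                  control_gap: float) -> float:
    """(threats x vulnerability x asset value) x control gap = residual risk."""
    _check_fraction(control_gap, "control_gap")
    return total_risk(threat, vulnerability, asset_value) * control_gap


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: loss from one occurrence."""
    _check_fraction(exposure_factor, "exposure_factor")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """SLE x ARO = ALE: expected yearly cost of one threat type (not residual risk)."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - annual safeguard cost."""
    return ale_before - ale_after - annual_cost


def assess(s: Scenario) -> dict:
    """Run every formula on one scenario and return the figures a CISO would report."""
    tr = total_risk(s.threat, s.vulnerability, s.asset_value)
    rr = residual_risk(s.threat, s.vulnerability, s.asset_value, s.control_gap)
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale_before = annualized_loss_expectancy(sle, s.aro)
    # Assumption: the safeguard leaves the same fraction of expected annual loss
    # as it leaves of total risk, i.e. ALE after = ALE before x control gap.
    ale_after = ale_before * s.control_gap
    return {
        "name": s.name,
        "total_risk": tr,
        "residual_risk": rr,
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "safeguard_value": safeguard_value(ale_before, ale_after, s.safeguard_cost),
        # Answer B's claim, checked numerically: ALE and residual risk differ.
        "ale_equals_residual": abs(ale_before - rr) < 1e-9,
    }


# Constructed sample scenario (not real data).
SAMPLE = Scenario(
    name="Ransomware against the shared file server",
    threat=0.4, vulnerability=0.5, asset_value=200_000.0, control_gap=0.25,
    aro=0.5, exposure_factor=0.6, safeguard_cost=10_000.0,
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

With the sample figures, total risk is 40,000, residual risk after a control with a 25 percent gap is 10,000, the ALE is 60,000 before and 15,000 after the safeguard, and the safeguard is worth 35,000 a year net of its cost. The `ale_equals_residual` flag comes out false, which is exactly why answer B is wrong: ALE and residual risk are different quantities even on the same scenario.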

