PrepAway - Latest Free Exam Questions & Answers

Which statement below is NOT accurate regarding the process of risk assessment?


A. Risk assessment is the final result of the risk management methodology.

B. The likelihood of a threat must be determined as an element of the risk assessment.

C. Risk assessment is the first process in the risk management methodology.

D. The level of impact of a threat must be determined as an element of the risk assessment.

Explanation:
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential
vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is
the first process in the risk management methodology. The risk assessment process helps
organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation
process. To determine the likelihood of a future adverse event, threats to an IT system must be
analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
The likelihood that a potential vulnerability could be exercised by a given threat-source can be
described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by
a threat’s exploitation of a vulnerability. The determination of the level of impact produces a relative
value for the IT assets and resources affected. Source: NIST Special Publication 800-30, Risk
Management Guide for Information Technology Systems.

