After a security meeting, IT leaders decided that the organization will perform a completely new
risk analysis, as the previous one was done over five years ago. The methods that will be used is
FRAP. Which of the following best describes the FRAP method of risk analysis?

A.
FRAP involves assigning team members to identify specific vulnerabilities. Once the
vulnerabilities have been identified, a level of risk is assigned, as a factor of times per year this
vulnerability may be exploited.
Finally, a dollar value in lost revenue is assigned to each asset that can be compromised by this
vulnerability.

B.
FRAP is a team method. Individuals from different aspects of an organization form a committee.
Once together, they discuss the areas of risk, the likelihood of a threat, the impact of the threat,
and the methods that should be used to minimize the threat.

C.
FRAP involves assigning dollar values to assets, and calculating how often a threat to the asset
will occur. Once determined an approximate dollar value to each asset and threat combination is
calculated.

D.
FRAP is the process of determining the likelihood of a threat as medium, high, or low. Once the
likelihood is determined the cost is identified, again as medium, high, or low. Finally, based on
cost, a response to the threat is determined.

E.
FRAP is the process of determining the likelihood of a threat as medium, high, or low. Once the
likelihood is determined, the level of damage is identified, again as high, medium, or low. Finally,
the response to the threat is determined.