.______________ risk analysis is not always possible because the IS auditor is attempting to
calculate risk using nonquantifiable threats and potential losses. In this event, a ______________
risk assessment is more appropriate. Fill in the blanks.
A.
Quantitative; qualitative
B.
Qualitative; quantitative
C.
Residual; subjective
D.
Quantitative; subjective
Explanation:
Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk
using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is
more appropriate.