Which of the following answers uses security terms "vulnerability," "threat," "risk," and "countermeasure" correctly?
A.
There can be a threat, but unless your company has the corresponding vulnerability, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.
B.
There can be a vulnerability, but unless your company has the corresponding risk, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.
C.
There can be a risk, but unless your company has the corresponding threat, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.
D.
There can be a threat, but unless your company has the corresponding vulnerability, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to increase the risk.
Explanation:
A quantitative approach employs calculations using statistics of
probabilities and ratios pertaining to the possibilities of specific threats. A
qualitative approach is more subjective using opinion polls and other subjective
means that identify the priority of threats that pose possible risks.