PrepAway - Latest Free Exam Questions & Answers

Which of the following is not included in a risk assessment?

A. Discontinuing activities that introduce risk

B. Identifying assets

C. Identifying threats

D. Analyzing risk in order of cost or criticality

Explanation:
A: Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM activity because there is not enough business need for its use, then prohibiting this service is an example of risk avoidance. Risk assessment does not include the implementation of countermeasures such as this.
B is incorrect because identifying assets is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. In order to determine the value of assets, those assets must first be identified. Asset identification and valuation are also important tasks of risk management.
C is incorrect because identifying threats is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. Risk is present because of the possibility of a threat exploiting a vulnerability. If there were no threats, there would be no risk. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
D is incorrect because analyzing risk in order of cost or criticality is part of the risk assessment process, and the question asks to identify what is not included in a risk assessment. A risk assessment researches and quantifies the risk a company faces. Dealing with risk must be done in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to address it effectively.

