PrepAway - Latest Free Exam Questions & Answers

Which of the following official risk methodologies was not created for the purpose of analyzing security risks

Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?


A. FAP

B. OCTAVE

C. ANZ 4360

D. NIST SP 800-30

Explanation:
C: While ANZ 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methodologies, such as NIST and OCTAVE, which focus on IT threats and information security risks. ANZ 4360 can be used to understand a company’s financial, capital, human safety, and business decision risks.

A is incorrect because there is no formal FAP risk analysis approach. It is a distractor answer.

B is incorrect because OCTAVE focuses on IT threats and information security risks. OCTAVE is meant to be used in situations where people manage and direct the risk evaluation for information security within their organization. The organization’s employees are given the power to determine the best approach for evaluating security.

D is incorrect because NIST SP 800-30 is specific to IT threats and how they relate to information security risks. It focuses mainly on systems. Data is collected from network and security practice assessments, and from people within the organization. The data is then used as input values for the risk analysis steps outlined in the 800-30 document.

