PrepAway - Latest Free Exam Questions & Answers

Which question below is NOT accurate regarding the process of risk assessment?

A. Risk assessment is the final result of the risk management methodology.

B. The likelihood of a threat must be determined as an element of the risk assessment.

C. Risk assessment is the first process in the risk management methodology.

D. The level of impact of a threat must be determined as an element of the risk assessment.

Explanation:
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk assessment is the first process in the risk management methodology. The risk assessment process helps organizations identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. The likelihood that a potential vulnerability could be exercised by a given threat-source can be described as high, medium, or low. Impact refers to the magnitude of harm that could be caused by a threat’s exploitation of a vulnerability. The determination of the level of impact produces a relative value for the IT assets and resources affected.

Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

