# CISSP PRACTICE QUESTIONS – 20191021

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. In a threat modeling meeting, the project team is analyzing and prioritizing the risks. As a security professional, which of the following is the best to prioritize risks?
A. Annual Rate of Occurrence (ARO)
B. Risk exposure
D. Estimated financial loss

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Risk exposure.

Risk exposure is a measure of risk that is evaluated by considering likelihood, consequences, and all other risk factors to rank or prioritize risks or make decisions. If the effect is evaluated with monetary value, risk exposure is an indicator of potential financial loss. A risk score is a common type of risk exposure.

Risk = Threat x Vulnerability

This formula is overly simplified and has been misunderstood for years. It is elaborated as follows:

• The Risk term in the formula should refer to “Risk Score” or “Risk Exposure.”
• The Threat term in the formula should refer to “The impact of a threat.”
• The Vulnerability term in the formula should refer to “The likelihood of the vulnerability being exploited.”
• The formula should be interpreted as “Risk Exposure is a function of the impact of a threat and the likelihood of the vulnerability being exploited.” As a result, the calculation doesn’t necessarily have to be multiplication.

# Summary

• Estimated financial loss is the consequence of risk, it’s not sufficient to express the concept of risk exposure. Given a risk with USD\$ 500 million of loss (Risk A) and the other with USD\$ 500 thousand of loss (Risk B), which has to be treated first? An informed decision can be made only if the likelihood is determined. What if the likelihood of Risk A is 0.00001%, while that of Risk B is 80%?
• Annual Rate of Occurrence (ARO) implies the likelihood only.
• Business Impact Analysis (BIA) is a process. Will you prioritize software risks based on if BIA is conducted against the risk in interest, or the result of BIA, say MTD, RTO, or RPO? BIA is a distractor in this question.