Your company is considering solutions to boost sales. The head of the sales department suggests implementing the CRM system and provisioning salespeople with mobile devices and VPN connections.  The IT manager points out this solution may lead to personal data leakage and cause substantial financial loss. As a security professional, you are assessing this risk. Which of the following approach is most effective?
A. Use qualitative analysis to determine the likelihood and impact of the risk
B. Conduct quantitative analysis to determine the possibility and monetary loss of the risk
C. Determine the risk exposure and identify risk tolerance
D. Conduct business impact analysis (BIA) to determine the organization-wide impact

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Determine the risk exposure and identify risk tolerance.

After a risk is identified, it is analyzed in terms of risk factors, typically likelihood and impact, defined in the risk model to determine risk exposure (it can be expressed as monetary value, risk level, or risk score).

Risk analysis can be qualitative, quantitive, or mixed. It depends on the organizational requirements. Options A and B are acceptable, but it does not necessarily require either a qualitative or quantitive approach.

Option C is more general or neutral because it does not specify any approaches. Moreover, to identify risk tolerance determined when framing the risk context helps the upcoming risk activities.

Business impact analysis (BIA) is typically conducted at the business process level or information system level. The result of BIA contributes to, not determines, the organization-wide impact.