# CISSP PRACTICE QUESTIONS – 20200217

You have learned from a CISSP study guide the formula total risk = threats × vulnerability × asset value and used it in your risk management program. You identified that hacktivists and script kiddies might use SQLMap to launch SQL injection attacks against database systems through the web servers. The customer profiles, classified as CONFIDENTIAL, have an asset value of 5 million US dollars. They are processed on a web-based CRM system that is highly vulnerable because of poor design and delayed patching. You are conducting a risk assessment. Which of the following is the least common and least cost-effective expression of the total risk?
A. \$7,438,399.5 (US)
B. LOW
C. 25
D. VERY HIGH

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. USD\$7,438,399.5.

# Risk Analysis

For any risk, the risk exposure is typically determined by analyzing the uncertainty (likelihood, possibility, or cause) and the effect (impact, consequence, or ramification). The risk exposure can be expressed as a monetary value, a score, or a level (e.g., high, medium, or low), depending on the analysis approach: qualitative or quantitative.

Qualitative analysis relies on subjective intuition, experience, and judgment. Interviews, the Delphi method, and scenario analysis are common qualitative techniques.

Quantitative analysis emphasizes objective data, facts, or evidence. Time series analysis, regression analysis, and Monte Carlo simulation are conventional quantitative techniques.

Even though numbers and monetary values are more attractive to managers, quantitative analysis depends on good-quality data and numeric skills, and it takes more time, money, and effort. As a result, purely quantitative analysis is less common than qualitative analysis.
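The three expressions of risk exposure named above (monetary value, score, level) can be produced from the same scenario. The script below is an added example, not code from the original post: it rates the question's scenario on a 5×5 likelihood-by-impact matrix to get a score and a level, applies the page's threats × vulnerability × asset value formula as a point estimate, and then runs a small Monte Carlo simulation, the quantitative technique mentioned above, over uncertain inputs. The level bands, the reading of "threats" as an annual probability of attack and "vulnerability" as the fraction of the asset lost, the uniform input ranges, and all sample numbers except the 5 million dollar asset value are assumptions made for this example.

```python
"""Added example: one risk exposure expressed as a score, a level, and a
monetary value. Bands, distributions and sample inputs are assumptions."""
import random
import statistics

# --- Qualitative: 5x5 likelihood-by-impact matrix ---------------------------
# Assumed banding of the 1..25 product into levels (organisations define
# their own bands; this one is only for the example).
LEVEL_BANDS = [(4, "LOW"), (9, "MEDIUM"), (16, "HIGH"), (25, "VERY HIGH")]


def qualitative_score(likelihood: int, impact: int) -> int:
    """Risk score = likelihood rating x impact rating, each on a 1..5 scale."""
    for name, rating in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= rating <= 5:
            raise ValueError(f"{name} rating must be 1..5, got {rating}")
    return likelihood * impact


def score_to_level(score: int) -> str:
    """Map a 1..25 score onto a level using LEVEL_BANDS."""
    for upper, level in LEVEL_BANDS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


# --- Quantitative: the page's formula as a point estimate -------------------
def point_estimate(threat_probability: float, vulnerability: float,
                   asset_value: float) -> float:
    """total risk = threats x vulnerability x asset value, reading 'threats'
    as the probability the threat acts within a year and 'vulnerability' as
    the fraction of the asset lost if it does (assumed interpretation)."""
    return threat_probability * vulnerability * asset_value


# --- Quantitative: Monte Carlo over uncertain inputs ------------------------
def monte_carlo_exposure(asset_value: float,
                         threat_range: tuple[float, float],
                         vulnerability_range: tuple[float, float],
                         trials: int = 20_000,
                         seed: int = 1) -> dict[str, float]:
    """Sample the attack probability and the loss fraction from uniform
    ranges (assumed distributions) and return the expected annual loss and
    the loss not exceeded in 95 % of simulated years."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    losses = []
    for _ in range(trials):
        p_attack = rng.uniform(*threat_range)
        loss_fraction = rng.uniform(*vulnerability_range)
        # In a simulated year the attack either happens or it does not.
        loss = asset_value * loss_fraction if rng.random() < p_attack else 0.0
        losses.append(loss)
    losses.sort()
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95_loss": losses[int(0.95 * (trials - 1))],
    }


if __name__ == "__main__":
    ASSET_VALUE = 5_000_000.0  # the question's CONFIDENTIAL customer profiles
    score = qualitative_score(5, 5)          # very likely, very severe
    print(f"score={score} level={score_to_level(score)}")
    print(f"point estimate: ${point_estimate(0.8, 0.5, ASSET_VALUE):,.2f}")
    mc = monte_carlo_exposure(ASSET_VALUE, (0.6, 0.9), (0.3, 0.6))
    print(f"expected annual loss ${mc['expected_annual_loss']:,.2f}, "
          f"95th-percentile loss ${mc['p95_loss']:,.2f}")
```

The qualitative path needs only two ratings from an interview or workshop; the Monte Carlo path needs defensible input ranges and produces a distribution rather than a single number, which is exactly the extra data and effort the paragraph above describes.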

A. USD\$7,438,399.5 => Monetary number (quantitative analysis)
B. LOW => risk level/ranking
C. 25 => risk score
D. VERY HIGH => risk level/ranking
