CISSP PRACTICE QUESTIONS – 20200217

Effective CISSP Questions

You’ve learned the formula total risk = threats × vulnerability × asset value from a CISSP study guide and used it in your risk management program. You identified that hacktivists and script kiddies might employ SQLMap to initiate SQL injection attacks against database systems through the web servers. The asset value of customer profiles classified as CONFIDENTIAL is 5 million US dollars. They are processed on a web-based CRM system that is very vulnerable because of poor design and delayed patches. You are conducting a risk assessment. Which of the following is the least common and least cost-effective expression of the total risk?
A. $7,438,399.5 (US)
B. LOW
C. 25
D. VERY HIGH


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. USD$7,438,399.5.

Risk Analysis

For any risk, its risk exposure is typically determined by analyzing the uncertainty (likelihood, possibility, or cause) and the effect (impact, consequence, or ramification). The risk exposure can be presented as a monetary value, a score, or a level (e.g., high, medium, or low), depending on the analysis approach – qualitative or quantitative.

The qualitative analysis relies on subjective intuition, experience, and judgment. Interview, Delphi method, and scenario analysis are common qualitative analysis techniques.

The quantitative analysis emphasizes objective data, facts, or evidence. Time series analysis, regression analysis, and Monte Carlo simulation are conventional quantitative analysis techniques.

Even though numbers or monetary values are more attractive to managers, quantitative analysis relies on high-quality data and numerical skills and takes more time, money, and effort. As a result, pure quantitative analysis is less common than qualitative analysis.

A. USD$7,438,399.5 => Monetary number (quantitative analysis)
B. LOW => risk level/ranking
C. 25 => risk score
D. VERY HIGH => risk level/ranking
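As an added example (not code from the original post), here is a small Python risk register that expresses one exposure the three ways the options do: a monetary value from the guide's formula, a 5×5 matrix score, and a level. The probabilities, ratings, level thresholds, and the second register entry are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One register entry, holding inputs for both analysis approaches."""
    name: str
    asset_value: float        # quantitative: USD
    threat_likelihood: float  # quantitative: probability the threat acts in a year (assumed)
    vulnerability: float      # quantitative: probability an attempt succeeds (assumed)
    likelihood_rating: int    # qualitative: 1 (rare) .. 5 (almost certain)
    impact_rating: int        # qualitative: 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        if not (0.0 <= self.threat_likelihood <= 1.0 and 0.0 <= self.vulnerability <= 1.0):
            raise ValueError("probabilities must be within 0..1")
        if not (1 <= self.likelihood_rating <= 5 and 1 <= self.impact_rating <= 5):
            raise ValueError("qualitative ratings must be within 1..5")

    def monetary(self) -> float:
        """Quantitative: the guide's total risk = threats x vulnerability x asset value."""
        return self.threat_likelihood * self.vulnerability * self.asset_value

    def score(self) -> int:
        """Qualitative: likelihood rating x impact rating on a 5x5 matrix (1..25)."""
        return self.likelihood_rating * self.impact_rating

    def level(self) -> str:
        """Qualitative: bucket the score into a level (thresholds are an assumption)."""
        s = self.score()
        if s <= 4:
            return "LOW"
        if s <= 9:
            return "MEDIUM"
        if s <= 16:
            return "HIGH"
        return "VERY HIGH"

# Constructed register: the CRM scenario from the question plus one lower risk for contrast.
REGISTER = [
    Risk("SQL injection against CRM via web tier", 5_000_000, 0.8, 0.9, 5, 5),
    Risk("Lost laptop with encrypted cache", 50_000, 0.3, 0.1, 2, 2),
]

def rank(register):
    """Return entry names ordered by monetary exposure, highest first."""
    return [r.name for r in sorted(register, key=lambda r: r.monetary(), reverse=True)]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: ${r.monetary():,.2f} | score {r.score()} | {r.level()}")
```

The monetary figure needs defensible probabilities for both factors, which is exactly the data-quality burden the text attributes to quantitative analysis; the score and level need only two ratings.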

