Effective CISSP Questions

According to ISO 31000, the risk is the “effect of uncertainty on objectives.” Which of the following is a risk?
A. The mother nature
B. Sabotage
C. The loss of 5 million of monetary value
D. None of the above

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. None of the above.

Figure: NIST Generic Risk Model (NIST SP 800-30 R1)

According to ISO 31000, a risk comprises three factors: objectives, uncertainty (likelihood), and effect (impact or consequences).

In the context of information security, the uncertainty or likelihood can be decomposed into a threat source, a threat event, and a vulnerability. The NIST generic risk model describes this decomposition well for information security risk.

  • Mother Nature is a threat source.
  • Sabotage is a threat event.
  • The loss of 5 million in monetary value is an effect or impact that is not tied to any objective. Your personal loss of 5 million dollars in an investment is not a risk to your company because it is not related to your organizational objectives.


This seems very pedantic; would you not speak about the risk of losing $5m or sabotage?

Source: @GS from

Yes, it is pedantic, but it’s my aim to promote the risk concept based on ISO 31000. As a CISSP, I buy into the canon, to advance and protect the profession. We need more specific and consistent terminology to communicate risk in the security community.

I would put it this way: “the risk exposure of losing $5m because of sabotage by the crowd.” It reflects the quality of the result of risk identification.

  • Dr. David Hillson’s risk metalanguage is a good pattern to describe risk in various contexts.
  • The NIST Generic Risk Model is a good one for information security risk.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

  • It is available on Amazon.
  • Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
