Effective CISSP Questions

You are planning for business continuity management and accept the general assumption that risk is never reduced to zero. Which of the following statements is incorrect? (Wentz QOTD)
A. The risk refers to total risk exposure
B. The contingency reserve is a common strategy to mitigate identified risks
C. There always exists unidentified risk or black swan events
D. The outbreak of the pandemic belongs to unknown unknowns

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The outbreak of the pandemic belongs to unknown unknowns.

A pandemic is one of the most typical risks, or known unknowns, identified in the business continuity planning process. For example, Taiwan suffered from the tragedy of SARS in 2003; it then improved its incident response system and revised laws and regulations to support the initiative. Most organizations did not fail to identify the outbreak of a virus or disease; they underestimated the pandemic’s likelihood and impact.


Risk is the “effect of uncertainty on objectives.” (ISO 31000) Individual risks are identified and then analyzed for risk exposure, the “product of probability times potential loss for a risk factor” (ISO 24765). Total risk exposure refers to the sum of the individual risk exposures.

What is Risk?

Risk Exposure

According to ISO/IEC/IEEE 24765:2017 Systems and software engineering — Vocabulary, risk exposure is commonly defined as the product of a probability and the magnitude of a consequence, that is, an expected value or expected exposure.

  1. potential loss presented to an individual, project, or organization by a risk. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
  2. function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence. (ISO/IEC 16085:2006)
  3. product of probability times potential loss for a risk factor.

Contingency Reserves and Management Reserves

There are four common risk response strategies: avoid, transfer, mitigate, and accept. Risk can be mitigated by reducing the uncertainty, effect, or both. Reserves are commonly implemented in risk response initiatives or projects.

Contingency Reserves and Management Reserves (Image Credit: Jerome Rowley)


Life is like a box of chocolates. You never know what you’re gonna get.
~ Forrest Gump

There are many things we don’t become aware of or understand.

Accural’s Matrix of Hidden Knowledge

Systematic approaches to risk identification can identify or discover most risks but may not completely address unknown unknowns, the so-called black swan events. The following diagram illustrates common risk identification techniques:

Risk Identification Techniques



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

You are planning for business continuity management (BCM) and accept the general assumption that risk is never reduced to zero. Which of the following statements is incorrect? (Wentz QOTD)
A. Risk refers to total risk exposure
B. The contingency reserve (contingent reserve) is a common strategy to mitigate known risks
C. There always exist unknown risks or black swan events
D. The outbreak of a pandemic belongs to the unknown unknowns
