Effective CISSP Questions

You are identifying, analyzing, and evaluating information risk focusing on the likelihood and impact of threats. Which of the following is the last tool or technique you may use in the process? (Wentz QOTD)
A. Risk heat map
B. Asset valuation
C. Benefits analysis
D. Risk exposure determination

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Risk heat map.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

ISO 31000

What does “risk assessment/analysis” mean?

Please note that in the CISSP exam outline, the OSG, and NIST publications, risk assessment and risk analysis are treated as synonyms and are often written as “risk assessment/analysis.”

Identifying, analyzing, and evaluating information risk implies the use of ISO standards for risk management, such as ISO 31000 or ISO 27005, and you are in the process of risk assessment. A risk heat map is a common tool to express the results of risk assessment.

  • Asset valuation may be used in the process of risk analysis when estimating the impact, e.g., single loss expectancy (SLE) = asset value (AV) x exposure factor (EF).
  • Cost-benefit analysis is more often conducted in the risk treatment process (not the risk assessment process) to justify the risk treatment options (ISO term) or risk response strategies (PMI term).
  • Risk exposure determination is the conclusion of risk analysis. Risk exposure is a function of likelihood, impact, and other factors.
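As an added worked example (not code from Wentz’s book or the original post), the following Python walks the bullets above in order: asset valuation feeds the SLE, the SLE and a likelihood score give the risk exposure determination, and the heat map is the final output of the assessment. The risk register, SLE bands, and rating bands are constructed values for illustration only.

```python
from collections import defaultdict

# Constructed risk register: (name, asset value AV, exposure factor EF,
# likelihood 1..5). Illustrative values only, not from a real assessment.
RISK_REGISTER = [
    ("Ransomware on file server", 480_000, 0.50, 4),
    ("Laptop theft", 3_000, 1.00, 5),
    ("Data center flood", 2_000_000, 0.75, 1),
    ("Insider data leak", 300_000, 0.25, 2),
]
# Constructed bands: SLE upper limits -> impact 1..4 (above: 5);
# exposure upper limits -> rating (above: Critical).
IMPACT_BANDS = [(10_000, 1), (50_000, 2), (100_000, 3), (500_000, 4)]
RATING_BANDS = [(4, "Low"), (9, "Medium"), (15, "High")]

def single_loss_expectancy(av, ef):
    """Asset valuation feeds impact estimation: SLE = AV x EF."""
    return av * ef
def impact_score(sle):
    """Map a monetary SLE onto the ordinal 1..5 impact scale."""
    for limit, score in IMPACT_BANDS:
        if sle <= limit:
            return score
    return 5
def risk_exposure(likelihood, impact):
    """Risk exposure determination: likelihood x impact (1..25)."""
    return likelihood * impact
def exposure_rating(exposure):
    for limit, label in RATING_BANDS:
        if exposure <= limit:
            return label
    return "Critical"
def build_heat_map(register):
    """Place each risk in a 5x5 grid keyed by (likelihood, impact)."""
    grid = defaultdict(list)
    for name, av, ef, likelihood in register:
        impact = impact_score(single_loss_expectancy(av, ef))
        grid[(likelihood, impact)].append(name)
    return grid
def render_heat_map(grid):
    """Rows: impact 5..1; columns: likelihood 1..5. Each cell shows the
    rating initial (L/M/H/C) and how many risks landed there."""
    rows = []
    for impact in range(5, 0, -1):
        cells = [exposure_rating(risk_exposure(lk, impact))[0]
                 + str(len(grid[(lk, impact)])) for lk in range(1, 6)]
        rows.append(f"I{impact} | " + " ".join(cells))
    return "\n".join(rows + ["     L1 L2 L3 L4 L5"])

print(render_heat_map(build_heat_map(RISK_REGISTER)))
```

In this constructed register the ransomware risk lands in the Critical cell (likelihood 4, impact 4), while the flood, with a far larger SLE but low likelihood, rates only Medium.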

Risk Heat Map

Source: Babix

A risk heat map (or risk heatmap) is a graphical representation of cyber risk data where the individual values contained in a matrix are represented as colors that connote meaning. Risk heat maps are used to present cyber risk assessment results in an easy-to-understand, visually attractive and concise format.



You are identifying, analyzing, and evaluating information risk, focusing on the likelihood and impact of threats. Which of the following is the last tool or technique you may use in this process? (Wentz QOTD)
A. Risk heat map
B. Asset valuation
C. Benefits analysis
D. Risk exposure determination
