
According to NIST SP 800-30 R1, risk models define the risk factors to be assessed and the relationships among those factors. Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Which risk factor is not mentioned in the NIST generic risk model? (Wentz QOTD)
A. Security posture
B. Predisposing conditions
C. Likelihood of the success of a threat event
D. Likelihood of a threat source initiating a threat event
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Security posture.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.