CompTIA CASP+ (CAS-003) — Question 17

Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO's evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?

Answer options

• A. Documentation of lessons learned
• B. Quantitative risk assessment
• C. Qualitative assessment of risk
• D. Business impact scoring
• E. Threat modeling

Correct answer: B

Explanation

The correct answer is B, as a quantitative risk assessment involves evaluating risks using numerical values to determine potential impacts and prioritize actions. The other options do not fit the context: A focuses on documentation, C emphasizes subjective evaluations, D relates to assessing business impacts rather than risk, and E involves identifying threats rather than assessing risks quantitatively.