CompTIA CySA+ (CS0-002) — Question 155
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to the senior management team? (Choose two.)
Answer options
- A. Probability
- B. Adversary capability
- C. Attack vector
- D. Impact
- E. Classification
- F. Indicators of compromise
Correct answer: A, D
Explanation
The correct answers are A (Probability) and D (Impact). Probability quantifies the likelihood of a vulnerability being exploited, and impact quantifies the potential consequences of that exploitation. The other options are relevant, but they do not directly convey risk in terms of likelihood and consequences, which makes them less useful for communicating risk factors to senior management.