CompTIA Security+ (SY0-601) — Question 595

A vulnerability scan returned the following results:

2 Critical
5 High
15 Medium
98 Low

Which of the following would the information security team most likely use to decide if all discovered vulnerabilities must be addressed and the order in which they should be addressed?

Answer options

A. Risk appetite
B. Risk register
C. Risk matrix
D. Risk acceptance

Correct answer: C

Explanation

The correct answer is C, the risk matrix. A risk matrix plots each finding by its severity and potential impact, so the team can decide which of the discovered vulnerabilities actually require remediation and in what order to address them. Options A (risk appetite) and D (risk acceptance) describe an organization's tolerance for risk in general rather than a method for prioritizing specific vulnerabilities. Option B (risk register) is a log of identified risks; it records them but does not by itself provide a prioritization framework.