EXIN Foundation in IT Service Management based on ISO/IEC 20000 — Question 9

A well executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives. What is not one of the four main objectives of a risk analysis?

Answer options

• A. Identifying assets and their value
• B. Determining the costs of threats
• C. Establishing a balance between the costs of an incident and the costs of a security measure
• D. Determining relevant vulnerabilities and threats

Correct answer: B

Explanation

The correct answer is B because determining the costs of threats is not a primary objective of risk analysis; rather, it focuses on identifying assets, vulnerabilities, and threats, and balancing incident costs with security measures. The other options represent critical components of the risk analysis process, emphasizing the need to understand assets, vulnerabilities, and the implications of security investments.