Certified Information Privacy Technologist (CIPT) — Question 228

Which of the following is NOT a factor to consider in FAIR analysis?

Answer options

• A. The severity of the harm that might be caused by the privacy risk
• B. The capability of a threat actor to exploit the analyzed privacy risk
• C. The stage of the data life cycle in which the analyzed privacy risk occurs
• D. The probability that a threat actor’s attempts to exploit a privacy risk might succeed

Correct answer: C

Explanation

Option C is correct because the FAIR analysis focuses on the potential harm, threat actor capabilities, and the probability of exploitation, but does not specifically consider the stage of the data life cycle. The other options (A, B, and D) are all relevant factors that are included in the FAIR framework for assessing privacy risks.