Certified Information Security Manager (CISM) — Question 307
Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed as:
Answer options
- A. the likelihood of a given threat attempting to exploit a vulnerability.
- B. the magnitude of the impact, should a threat exploit a vulnerability.
- C. a function of the cost and effectiveness of controls over a vulnerability.
- D. a function of the likelihood and impact, should a threat exploit a vulnerability.
Correct answer: D
Explanation
The correct answer, D, reflects how risk is assessed before controls are applied: it is a function of both the likelihood that a threat will exploit a vulnerability and the impact should that exploitation occur. Option A addresses only the likelihood and option B only the impact, so each gives just one of the two factors. Option C concerns the cost and effectiveness of controls, which belongs to risk treatment rather than to the risk that exists for the threat/vulnerability pair before any controls are in place.