Certified in Risk and Information Systems Control (CRISC) — Question 246

The risk associated with an asset before controls are applied can be expressed as:

Answer options

• A. the likelihood of a given threat.
• B. the magnitude of an impact.
• C. a function of the likelihood and impact.
• D. a function of the cost and effectiveness of controls.

Correct answer: C

Explanation

The correct answer, C, indicates that risk is determined by both the likelihood of a threat occurring and the potential impact it may have. Option A only addresses the probability aspect, while B focuses solely on impact. Option D pertains to the effectiveness of controls, which is not relevant before any controls are applied.