Certified Secure Software Lifecycle Professional (CSSLP) — Question 18
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
Answer options
- A. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
- B. Quantitative risk analysis is the review of the risk events with the highest probability and the highest impact on the project objectives.
- C. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
- D. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
Correct answer: A, B
Explanation
The correct answer is A, as it accurately describes the process of quantitative risk analysis as prioritizing risks based on their likelihood and impact. Option B is incorrect because it focuses solely on high probability and impact risks without addressing the comprehensive assessment process. Option C talks about planning responses, which is not the primary focus of quantitative risk analysis. Option D, while related, does not specifically highlight the prioritization aspect that is central to quantitative risk analysis.