Risk Management Flashcards

5.2: Explain elements of the risk management process

1
Q

A hospital uses an electronic health records (EHR) system to manage patient data. In the event of a system failure, the IT team sets a Recovery Time Objective (RTO) of 2 hours. One day, the system fails at 10:00 AM due to a hardware issue.

What action should the IT team take to meet the RTO requirement?

Options:
A. Restore the EHR system by 10:30 AM.
B. Restore the EHR system by 12:00 PM.
C. Ensure data is fully restored by the end of the day.
D. Begin repairs within 2 hours of the failure.

A

Answer and Explanation:

Correct Answer: B. Restore the EHR system by 12:00 PM.
Why it’s correct: The RTO is 2 hours, meaning the hospital cannot tolerate an EHR system outage longer than that. If the failure occurs at 10:00 AM, the system must be operational again by 12:00 PM.
Why others are incorrect:
A: Restoring by 10:30 AM would in fact satisfy the RTO, but the RTO does not demand it. The objective is a ceiling on downtime, not a target: it fixes the latest acceptable recovery time (12:00 PM), which is what option B states.
C: Restoring by the end of the day (e.g., 5:00 PM) violates the RTO, leading to patient care disruptions and regulatory compliance issues.
D: Beginning repairs within 2 hours doesn’t fulfill the RTO requirement; the system must be fully operational within the 2-hour window.

2
Q

An e-commerce company has an RPO of 6 hours. A ransomware attack happens at 9:00 PM, corrupting the database. The last backup was taken at 6:00 PM.

What will the company lose if the system is restored using the last backup?

Options:
A. All data entered before 6:00 PM.
B. Data entered between 6:00 PM and 9:00 PM.
C. No data, as RPO ensures no data is lost.
D. Only order-related data is lost, not customer data.

A

Answer and Explanation:

Correct Answer: B. Data entered between 6:00 PM and 9:00 PM.
Why it’s correct: The RPO is 6 hours, meaning the company has decided it can tolerate losing up to 6 hours of data. Restoring from the 6:00 PM backup loses everything written between 6:00 PM and 9:00 PM (3 hours), which is within the RPO. This assumes the 6:00 PM backup itself was not reached by the ransomware; a backup the attacker can encrypt or delete is not a usable recovery point.
Why others are incorrect:
A: Data before 6:00 PM is already backed up and safe.
C: RPO allows for some acceptable data loss; it doesn’t guarantee no data loss.
D: The loss is not limited to specific types of data but applies to all data generated during the unprotected window.

3
Q

A manufacturing company has a critical assembly line with an MTTR of 4 hours for its conveyor belt system. One day, the conveyor belt fails at 1:00 PM.

When should the company expect production to resume based on the MTTR?

Options:
A. By 1:30 PM.
B. By 3:00 PM.
C. By 5:00 PM.
D. By the next business day.

A

Answer and Explanation:

Correct Answer: C. By 5:00 PM.
Why it’s correct: MTTR is the average time taken to repair a failed system and return it to service. With an MTTR of 4 hours and a failure at 1:00 PM, production is expected to resume by 5:00 PM. Because MTTR is a mean over past repairs, it is an estimate, not a guarantee: an individual repair may run shorter or longer.
Why others are incorrect:
A: Resuming by 1:30 PM is unrealistic given the 4-hour MTTR.
B: A 3:00 PM recovery time doesn’t account for the full MTTR.
D: Waiting until the next business day exceeds the MTTR, causing unnecessary delays in production.

4
Q

A company uses a backup power generator with an MTBF of 1,000 hours. The generator operates for 8 hours a day.

After how many days can the company expect a failure?

Options:
A. 100 days.
B. 125 days.
C. 200 days.
D. 1,000 days.

A

Answer and Explanation:

Correct Answer: B. 125 days.
Why it’s correct: An MTBF of 1,000 hours means the generator is expected to run for 1,000 operating hours, on average, between failures. At 8 operating hours per day, 1,000 ÷ 8 = 125 days. Because MTBF is a mean, the failure may come earlier or later; it is a planning figure, not a countdown.
Why others are incorrect:
A: 100 days would require 10 operating hours per day (1,000 ÷ 100), more than the stated 8.
C: 200 days would imply only 5 operating hours per day (1,000 ÷ 200).
D: 1,000 days would imply the generator runs only 1 hour a day.

5
Q

A company experiences a database crash and has an RTO of 3 hours and an RPO of 2 hours.

Which of the following is true regarding their recovery strategy?

Options:
A. The database must be restored to its last state within 3 hours.
B. The database must be operational within 3 hours, but up to 2 hours of data can be lost.
C. The database must be restored to its exact state within 2 hours.
D. The database must be operational with no data loss within 3 hours.

A

Answer and Explanation:

Correct Answer: B. The database must be operational within 3 hours, but up to 2 hours of data can be lost.
Why it’s correct: The RTO of 3 hours is the maximum time allowed to restore operations; the RPO of 2 hours is the maximum data loss, measured in time, that the business accepts. Together, the database must be running again within 3 hours of the crash, restored to a point no more than 2 hours before it.
Why others are incorrect:
A: This ignores the acceptable 2-hour data loss allowed by the RPO.
C: The RTO allows 3 hours for recovery, not 2 hours.
D: RPO allows for 2 hours of data loss, so zero data loss is not required.
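
The recovery metrics in cards 1 through 5 (and the MTTR/MTBF figures in card 10) can be checked mechanically once the events are timestamped. The following Python is an added example written for this page, not part of the original flashcards: it evaluates an outage against an RTO and RPO and derives MTTR, MTBF and steady-state availability from an outage log. The timestamps, the 3-hour RTO assigned to the e-commerce scenario, and the convention that MTBF counts operating time from one restore to the next failure are assumptions made for the example.

```python
"""Checking RTO/RPO compliance and deriving MTTR, MTBF and availability
from an outage log (added example; sample data is constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Outage:
    """One failure event.

    last_good_backup is the timestamp of the backup actually used for the
    restore. For ransomware that must be a copy the attacker could not
    encrypt or delete; otherwise it is not a usable recovery point.
    """
    failed_at: datetime
    restored_at: datetime
    last_good_backup: Optional[datetime] = None


def recovery_time(o: Outage) -> timedelta:
    """Actual downtime, the quantity the RTO bounds."""
    return o.restored_at - o.failed_at


def data_loss_window(o: Outage) -> Optional[timedelta]:
    """Actual data loss measured in time (failure minus backup), the quantity the RPO bounds."""
    if o.last_good_backup is None:
        return None
    return o.failed_at - o.last_good_backup


def meets_objectives(o: Outage, rto: timedelta, rpo: Optional[timedelta] = None) -> dict[str, bool]:
    """Compare one outage against the agreed RTO and (optionally) RPO.

    Both objectives are ceilings, not targets: finishing early always counts,
    and recovering exactly at the objective still meets it.
    """
    result = {"rto_met": recovery_time(o) <= rto}
    if rpo is not None:
        loss = data_loss_window(o)
        # No usable backup means the loss is unbounded, so the RPO is missed.
        result["rpo_met"] = loss is not None and loss <= rpo
    return result


def mtbf_mttr(outages: Iterable[Outage]) -> tuple[timedelta, timedelta]:
    """MTBF and MTTR from a chronological outage log.

    MTTR is the mean of (restored_at - failed_at). MTBF is computed here as the
    mean operating time from one restore to the next failure (assumed
    convention; some sources measure failure to failure instead).
    """
    log = sorted(outages, key=lambda o: o.failed_at)
    if len(log) < 2:
        raise ValueError("need at least two outages to estimate MTBF")
    repairs = [recovery_time(o) for o in log]
    uptimes = [nxt.failed_at - prev.restored_at for prev, nxt in zip(log, log[1:])]
    mttr = sum(repairs, timedelta()) / len(repairs)
    mtbf = sum(uptimes, timedelta()) / len(uptimes)
    return mtbf, mttr


def availability(mtbf: timedelta, mttr: timedelta) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR)."""
    return mtbf / (mtbf + mttr)


def demo() -> dict[str, object]:
    """Constructed sample data mirroring the flashcard scenarios."""
    # Card 1: EHR fails at 10:00 with a 2 h RTO; here the restore finishes at 11:45.
    ehr = Outage(datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 11, 45))
    # Card 2: ransomware at 21:00, last clean backup at 18:00, RPO 6 h.
    # The 4 h restore and the 3 h RTO are assumptions for the example.
    shop = Outage(datetime(2024, 3, 4, 21, 0), datetime(2024, 3, 5, 1, 0),
                  last_good_backup=datetime(2024, 3, 4, 18, 0))
    # Card 10: a log whose repairs average 2 h and whose uptimes average 500 h.
    log = [
        Outage(datetime(2024, 1, 1, 0, 0), datetime(2024, 1, 1, 2, 0)),      # 2 h repair
        Outage(datetime(2024, 1, 21, 22, 0), datetime(2024, 1, 22, 1, 0)),   # 500 h up, 3 h repair
        Outage(datetime(2024, 2, 11, 21, 0), datetime(2024, 2, 11, 22, 0)),  # 500 h up, 1 h repair
    ]
    mtbf, mttr = mtbf_mttr(log)
    return {
        "ehr": meets_objectives(ehr, rto=timedelta(hours=2)),
        "shop": meets_objectives(shop, rto=timedelta(hours=3), rpo=timedelta(hours=6)),
        "shop_data_loss_hours": data_loss_window(shop).total_seconds() / 3600,
        "mtbf_hours": mtbf.total_seconds() / 3600,
        "mttr_hours": mttr.total_seconds() / 3600,
        "availability": availability(mtbf, mttr),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it reports that the EHR restore meets its RTO, that the e-commerce restore misses the assumed 3-hour RTO but loses only 3 hours of data against a 6-hour RPO, and that the constructed log yields MTTR 2 hours, MTBF 500 hours and availability of about 99.6%. The RPO check deliberately fails when no usable backup exists, because data loss is then unbounded rather than zero.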

6
Q

A company stores sensitive customer data on a server valued at $50,000. A risk assessment reveals that a ransomware attack could render 60% of the server’s value unusable. What is the Single Loss Expectancy (SLE) for this risk?

A. $20,000
B. $30,000
C. $50,000
D. $10,000

A

Correct Answer: B. $30,000

Explanation of Each Option:

A. $20,000: Incorrect. This assumes an incorrect Exposure Factor. The EF is 60%, not 40%.
B. $30,000: Correct. The formula for SLE is:
SLE = Asset Value × Exposure Factor (EF)
Substituting the values:
SLE = $50,000 × 0.60 = $30,000
C. $50,000: Incorrect. This assumes 100% of the asset is lost, which is not the case here.
D. $10,000: Incorrect. This assumes a much lower Exposure Factor, which was not given.

7
Q

A company estimates that phishing attacks targeting its employees occur 5 times per year. What is the ARO for phishing attacks?

A. 1.0
B. 0.2
C. 5.0
D. 0.5

A

Correct Answer: C. 5.0

Explanation of Each Option:

A. 1.0: Incorrect. This assumes the attack occurs only once a year.
B. 0.2: Incorrect. This assumes the attack occurs once every 5 years, which is not the case.
C. 5.0: Correct. ARO represents the number of times a threat is expected to occur annually. Since phishing occurs 5 times per year, the ARO is 5.0.
D. 0.5: Incorrect. This assumes the attack occurs once every 2 years.

8
Q

An organization identifies that a power outage may cause $40,000 in damages during each occurrence. Historical data indicates that this outage happens twice a year. What is the ALE for power outages?

A. $20,000
B. $40,000
C. $80,000
D. $100,000

A

Correct Answer: C. $80,000

Explanation of Each Option:

A. $20,000: Incorrect. This underestimates the ARO, assuming it is 0.5 instead of 2.0.
B. $40,000: Incorrect. This assumes the outage occurs only once a year.
C. $80,000: Correct. The formula for ALE is:
ALE = SLE × ARO
Substituting the values:
ALE = $40,000 × 2 = $80,000
D. $100,000: Incorrect. This overestimates the damages per occurrence or the frequency.

9
Q

A company has identified a potential fire hazard in its data center. If a fire occurs, it is estimated that 40% of the data center’s assets would be destroyed. What is the Exposure Factor (EF) for this risk?

A. 100%
B. 60%
C. 40%
D. 0%

A

Correct Answer: C. 40%

Explanation of Each Option:

A. 100%: Incorrect. This assumes total destruction of assets, which is not the scenario here.
B. 60%: Incorrect. This is higher than the stated value of 40%.
C. 40%: Correct. The EF represents the proportion of an asset expected to be lost in an event. In this case, the EF is explicitly stated as 40%.
D. 0%: Incorrect. This assumes no loss, which contradicts the scenario.

10
Q

A company’s critical server experiences downtime due to hardware failure. The team logs the following data:

Time to repair failures: 2 hours on average.
Time between failures: 500 hours on average.
Which of the following statements is true?

A. MTTR = 500 hours, MTBF = 2 hours
B. MTTR = 2 hours, MTBF = 500 hours
C. MTTR = 2 hours, MTBF = 250 hours
D. MTTR = 500 hours, MTBF = 250 hours

A

Correct Answer: B. MTTR = 2 hours, MTBF = 500 hours

Explanation of Each Option:

A. MTTR = 500 hours, MTBF = 2 hours: Incorrect. MTTR represents repair time, which is clearly stated as 2 hours.
B. MTTR = 2 hours, MTBF = 500 hours: Correct. MTTR is the average repair time (2 hours), and MTBF is the average time between failures (500 hours).
C. MTTR = 2 hours, MTBF = 250 hours: Incorrect. 250 hours is half the stated average time between failures; nothing in the logged data supports halving it.
D. MTTR = 500 hours, MTBF = 250 hours: Incorrect. Both MTTR and MTBF values are swapped and miscalculated.

11
Q

Asset Value = $80,000
EF = 25%
Threat occurs twice a year (ARO = 2)
What is the ALE?

Options:

A. $10,000
B. $20,000
C. $40,000
D. $50,000

A

Answer and Explanation
To calculate the ALE, follow these steps:

Calculate SLE (Single Loss Expectancy):
SLE = Asset Value × EF
Substitute the values:
SLE = $80,000 × 0.25 = $20,000

Calculate ALE (Annualized Loss Expectancy):
ALE = SLE × ARO
Substitute the values:
ALE = $20,000 × 2 = $40,000

Correct Answer: C. $40,000

Explanation of Incorrect Options:
A. $10,000: Incorrect. This assumes a much lower EF or ARO than stated in the scenario.
B. $20,000: Incorrect. This is the SLE value, not the ALE. ALE factors in the ARO as well.
D. $50,000: Incorrect. This overestimates the ALE by assuming incorrect values for EF or ARO.
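
Cards 6 through 11 apply the same three formulas (SLE = AV × EF, ARO = events per year, ALE = SLE × ARO). The following Python is an added example written for this page, not part of the original flashcards. It reproduces the figures from cards 6, 8 and 11 and then carries the analysis one step further than the cards do: the annual net value of a safeguard, computed as ALE before the control minus ALE after it minus the control's annual cost, which is how a quantitative assessment decides whether mitigating a risk is cheaper than accepting it. The ARO of 1.0 for the ransomware scenario and the UPS control, its $15,000 annual cost and its effect on outage frequency are constructed for the example.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit
(added example; the safeguard figures are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One quantified risk. When the loss per event is known directly
    (card 8's $40,000 per outage), model it as asset_value=loss, exposure_factor=1.0."""
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction of the asset value, between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")


def aro_from_history(occurrences: int, years: float) -> float:
    """ARO from observed frequency, in events per year: 5 phishing incidents
    in 1 year gives 5.0; one event in 5 years gives 0.2."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return occurrences / years


def sle(r: Risk) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(r) * r.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control. It lowers EF (limits damage per event), ARO
    (prevents events), or both; None leaves that factor unchanged."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def residual_risk(r: Risk, s: Safeguard) -> Risk:
    """The risk as it stands once the safeguard is in place."""
    return replace(
        r,
        exposure_factor=r.exposure_factor if s.new_exposure_factor is None else s.new_exposure_factor,
        aro=r.aro if s.new_aro is None else s.new_aro,
    )


def safeguard_value(r: Risk, s: Safeguard) -> float:
    """Annual net value of a control:
        (ALE before) - (ALE after) - (annual cost of the control).
    Positive: the control pays for itself. Negative: it costs more than the
    loss it prevents, so accepting the risk or finding a cheaper control is
    the defensible choice."""
    return ale(r) - ale(residual_risk(r, s)) - s.annual_cost


def demo() -> dict[str, float]:
    """Worked figures for cards 6, 8 and 11 plus a constructed safeguard decision."""
    ransomware = Risk("ransomware on customer-data server", 50_000, 0.60, aro=1.0)  # card 6; ARO assumed
    outage = Risk("data-center power outage", 40_000, 1.0, aro=2.0)                # card 8
    generic = Risk("card 11 scenario", 80_000, 0.25, aro=2.0)                      # card 11
    # Constructed control: a UPS plus generator-maintenance contract at $15,000
    # a year is estimated to cut outages from 2 per year to 1 every 4 years.
    ups = Safeguard("UPS + generator maintenance", annual_cost=15_000, new_aro=0.25)
    return {
        "sle_ransomware": sle(ransomware),
        "ale_outage": ale(outage),
        "sle_generic": sle(generic),
        "ale_generic": ale(generic),
        "ale_outage_with_ups": ale(residual_risk(outage, ups)),
        "ups_net_value": safeguard_value(outage, ups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: ${value:,.0f}")
```

The script prints the card values ($30,000 SLE for card 6, $80,000 ALE for card 8, $20,000 SLE and $40,000 ALE for card 11) and shows the constructed UPS control reducing the outage ALE from $80,000 to $10,000, a $70,000 reduction that nets $55,000 a year after its $15,000 cost. The input validation matters in practice: an EF entered as 60 instead of 0.60 inflates every downstream figure by two orders of magnitude.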

12
Q

A small software startup is required to comply with data encryption standards as part of industry regulations. However, due to its small size and limited resources, the regulatory body grants it permission to operate without implementing these encryption standards indefinitely.

What type of risk acceptance does this represent?

Options:

A. Exception
B. Exemption
C. Waiver
D. Deviation

A

Correct Answer: B. Exemption

Explanation:

A. Exception: Incorrect. An exception is temporary and applies under specific conditions. In this case, the startup is permanently allowed to avoid encryption standards, making it an exemption.
B. Exemption: Correct. The startup is excluded entirely from the encryption requirements due to its unique circumstances. This aligns with the definition of an exemption.
C. Waiver: Incorrect. A waiver is permission to bypass a rule, but it normally requires a specific justification and is usually time-limited rather than indefinite.
D. Deviation: Incorrect. A deviation suggests a slight alteration to compliance, but the startup is completely exempt, not partially complying.

13
Q

A hospital is required by regulation to conduct fire drills every quarter. Due to an ongoing construction project, the hospital requests permission to skip the drill for one quarter, provided it enhances fire safety signage during the construction period.

What type of risk acceptance does this represent?

Options:

A. Exemption
B. Exception
C. Noncompliance
D. Exclusion

A

Correct Answer: B. Exception

Explanation:

A. Exemption: Incorrect. An exemption is a permanent or semi-permanent removal from a requirement, but in this case, the hospital’s situation is temporary.
B. Exception: Correct. The hospital is allowed to temporarily avoid the requirement (fire drills) under specific conditions (enhanced safety signage). This is the hallmark of an exception.
C. Noncompliance: Incorrect. Noncompliance means ignoring the rule entirely without permission, which is not the case here since the hospital received permission to bypass the requirement.
D. Exclusion: Incorrect. Exclusion is not a recognized term in this context and does not fit the scenario.

14
Q

A nonprofit organization receives an exemption from health and safety inspections due to its status as a volunteer-only organization operating from a residential property. What is the primary risk this organization assumes by not adhering to the inspection requirement?

Options:

A. Legal penalties for noncompliance
B. Increased liability in case of accidents
C. Temporary inability to operate
D. Higher inspection costs in the future

A

Correct Answer: B. Increased liability in case of accidents

Explanation:

A. Legal penalties for noncompliance: Incorrect. The organization is exempt, meaning it has legal permission to avoid inspections and will not face penalties.
B. Increased liability in case of accidents: Correct. By not undergoing regular inspections, the organization assumes the risk of undetected hazards, which could lead to accidents and liability issues.
C. Temporary inability to operate: Incorrect. This applies more to exceptions where an organization might need temporary measures to continue operations.
D. Higher inspection costs in the future: Incorrect. Since the organization is exempt, it does not anticipate future inspections or their associated costs.

15
Q

A financial institution is required to meet a strict encryption standard for customer data. However, it requests an exception to use a lower encryption standard for six months while upgrading its systems. During this time, it agrees to limit customer data storage to offline systems only.

What condition is the financial institution adhering to as part of this exception?

Options:

A. Noncompliance
B. Mitigation measure
C. Full compliance
D. Exemption

A

Correct Answer: B. Mitigation measure

Explanation:

A. Noncompliance: Incorrect. The institution is not ignoring the rule entirely; it has requested permission to avoid full compliance temporarily.
B. Mitigation measure: Correct. The condition of limiting data storage to offline systems is a mitigation measure designed to reduce risk during the exception period.
C. Full compliance: Incorrect. The institution is not fully compliant with the rule since it is using a lower encryption standard.
D. Exemption: Incorrect. This is not an exemption because the institution’s avoidance of compliance is temporary and conditional.

16
Q

A university is required to submit annual energy efficiency reports. Due to its status as a historical building, it is permanently excused from adhering to the energy efficiency requirements.

What type of risk acceptance does this represent?

Options:

A. Exception
B. Exemption
C. Risk transfer
D. Noncompliance

A

Correct Answer: B. Exemption

Explanation:

A. Exception: Incorrect. An exception is temporary and tied to specific conditions, but this scenario describes a permanent removal from the requirement.
B. Exemption: Correct. The university is completely excluded from the requirement because of its unique status as a historical building.
C. Risk transfer: Incorrect. Risk transfer would involve passing the risk to another party, such as an insurance company, which is not mentioned here.
D. Noncompliance: Incorrect. The university has legal permission to avoid the rule, so this is not noncompliance.

17
Q

What are the four main types of risk assessment frequencies? (Choose Four)
A. Ad-Hoc
B. Recurring
C. One-Time
D. Continuous
E. Periodic

A

Answer:
A, B, C, D

Explanation:

Correct Options:

A. Ad-Hoc: Conducted as needed, often in response to specific events or situations.

B. Recurring: Conducted at regular intervals (e.g., annually, quarterly, monthly).

C. One-Time: Conducted for specific projects or initiatives and not repeated.

D. Continuous: Involves ongoing monitoring and evaluation of risks, often enabled by technology.

Incorrect Option:

E. Periodic: This is not a recognized type of risk assessment frequency. “Periodic” is often confused with “Recurring,” but it is not a formal category.

18
Q

Which type of risk assessment is conducted in response to specific events or situations, such as launching a new product or responding to a natural disaster?
A. Recurring
B. Ad-Hoc
C. One-Time
D. Continuous

A

Answer:
B. Ad-Hoc

Explanation:

Correct Option:

B. Ad-Hoc: Ad-Hoc risk assessments are conducted as needed, often in response to specific events or situations that introduce new risks or change existing risks.

Incorrect Options:

A. Recurring: These are conducted at regular intervals, not in response to specific events.

C. One-Time: These are associated with specific projects or initiatives, not situational events.

D. Continuous: These involve ongoing monitoring, not event-driven assessments.

19
Q

Which of the following are examples of recurring risk assessments? (Choose Two)
A. Annual financial risk reviews
B. Penetration testing conducted monthly
C. Risk assessment for a new IT system implementation
D. Real-time monitoring of cybersecurity threats

A

Answer:
A, B

Explanation:

Correct Options:

A. Annual financial risk reviews: These are conducted at regular intervals (annually) as part of standard operating procedures.

B. Penetration testing conducted monthly: This is a recurring assessment to identify vulnerabilities regularly.

Incorrect Options:

C. Risk assessment for a new IT system implementation: This is a one-time assessment, not recurring.

D. Real-time monitoring of cybersecurity threats: This is an example of continuous risk assessment, not recurring.

20
Q

What is the key difference between ad-hoc and one-time risk assessments?
A. Ad-hoc assessments are repeated, while one-time assessments are not.
B. Ad-hoc assessments are conducted at regular intervals, while one-time assessments are not.
C. Ad-hoc assessments are enabled by technology, while one-time assessments are manual.
D. Ad-hoc assessments are associated with specific projects, while one-time assessments are event-driven.

A

Answer:
A. Ad-hoc assessments are repeated, while one-time assessments are not.

Explanation:

Correct Option:

A. Ad-hoc assessments are repeated, while one-time assessments are not: Ad-hoc assessments are conducted as needed and may be repeated if similar circumstances arise. One-time assessments are tied to specific projects or initiatives and are not repeated.

Incorrect Options:

B. Ad-hoc assessments are conducted at regular intervals, while one-time assessments are not: This describes recurring assessments, not ad-hoc.

C. Ad-hoc assessments are enabled by technology, while one-time assessments are manual: This describes continuous assessments, not ad-hoc or one-time.

D. Ad-hoc assessments are associated with specific projects, while one-time assessments are event-driven: This is the opposite of the correct distinction.

21
Q

Which type of risk assessment involves ongoing monitoring and evaluation of risks, often enabled by technology?
A. Ad-Hoc
B. Recurring
C. One-Time
D. Continuous

A

Answer:
D. Continuous

Explanation:

Correct Option:

D. Continuous: Continuous risk assessments involve real-time data collection and analysis, enabling proactive threat and vulnerability monitoring.

Incorrect Options:

A. Ad-Hoc: These are event-driven and not ongoing.

B. Recurring: These are conducted at regular intervals but are not continuous.

C. One-Time: These are tied to specific projects and are not ongoing.

22
Q

Which of the following scenarios would most likely require a one-time risk assessment? (Choose Two)
A. Implementing a new IT system
B. Responding to a natural disaster
C. Conducting annual financial audits
D. Planning a major organizational change

A

Answer:
A, D

Explanation:

Correct Options:

A. Implementing a new IT system: This is a specific project that would require a one-time risk assessment.

D. Planning a major organizational change: This is also a specific initiative that would require a one-time assessment.

Incorrect Options:

B. Responding to a natural disaster: This would require an ad-hoc risk assessment, not a one-time assessment.

C. Conducting annual financial audits: This is an example of a recurring risk assessment.

23
Q

What is the primary purpose of recurring risk assessments?
A. To respond to specific events or situations
B. To ensure continual identification and management of risks
C. To address risks associated with specific projects
D. To enable real-time monitoring of threats

A

Answer:
B. To ensure continual identification and management of risks

Explanation:

Correct Option:

B. To ensure continual identification and management of risks: Recurring assessments are conducted at regular intervals to maintain ongoing risk management.

Incorrect Options:

A. To respond to specific events or situations: This describes ad-hoc assessments.

C. To address risks associated with specific projects: This describes one-time assessments.

D. To enable real-time monitoring of threats: This describes continuous assessments.

24
Q

Which of the following is an example of continuous risk assessment?
A. Annual penetration testing
B. Real-time monitoring of cybersecurity threats
C. Risk assessment for a new market entry
D. Quarterly financial risk reviews

A

Answer:
B. Real-time monitoring of cybersecurity threats

Explanation:

Correct Option:

B. Real-time monitoring of cybersecurity threats: This involves ongoing monitoring and evaluation, which is the hallmark of continuous risk assessments.

Incorrect Options:

A. Annual penetration testing: This is a recurring assessment, not continuous.

C. Risk assessment for a new market entry: This is an ad-hoc or one-time assessment.

D. Quarterly financial risk reviews: This is a recurring assessment, not continuous.

25
Q

What is the primary purpose of risk identification in the risk management process?
A. To prioritize risks based on their likelihood
B. To recognize potential risks that could negatively impact an organization
C. To implement risk mitigation strategies
D. To calculate the mean time between failures (MTBF)

A

Answer:
B. To recognize potential risks that could negatively impact an organization

Explanation:

Correct Option:

B. To recognize potential risks that could negatively impact an organization: Risk identification is the first step in the risk management process, focusing on identifying potential threats and vulnerabilities.

Incorrect Options:

A. To prioritize risks based on their likelihood: This occurs after risks are identified and analyzed.

C. To implement risk mitigation strategies: This is a later step in the risk management process.

D. To calculate the mean time between failures (MTBF): This is a specific metric used in business impact analysis, not risk identification.

26
Q

Which of the following are techniques used in risk identification? (Choose Three)
A. Brainstorming
B. Recovery Time Objective (RTO) calculation
C. Checklists
D. Scenario Analysis
E. Mean Time to Repair (MTTR) calculation

A

Answer:
A, C, D

Explanation:

Correct Options:

A. Brainstorming: A collaborative technique to generate ideas about potential risks.

C. Checklists: A structured approach to ensure all possible risks are considered.

D. Scenario Analysis: A method to evaluate risks by simulating different scenarios.

Incorrect Options:

B. Recovery Time Objective (RTO) calculation: This is a metric used in business impact analysis, not a risk identification technique.

E. Mean Time to Repair (MTTR) calculation: This is also a metric used in business impact analysis, not a risk identification technique.

27
Q

Which of the following are key metrics used in a Business Impact Analysis (BIA)? (Choose Four)
A. Recovery Time Objective (RTO)
B. Recovery Point Objective (RPO)
C. Mean Time to Repair (MTTR)
D. Mean Time Between Failures (MTBF)
E. Risk Likelihood

A

Answer:
A, B, C, D

Explanation:

Correct Options:

A. Recovery Time Objective (RTO): The maximum acceptable time to restore a business process after a disruption.

B. Recovery Point Objective (RPO): The maximum acceptable amount of data loss measured in time.

C. Mean Time to Repair (MTTR): The average time required to repair a failed component or system.

D. Mean Time Between Failures (MTBF): The average time between system or component failures.

Incorrect Option:

E. Risk Likelihood: This is part of risk analysis, not a BIA metric.

28
Q

What does Recovery Time Objective (RTO) represent?
A. The maximum acceptable amount of data loss measured in time
B. The average time required to repair a failed component
C. The maximum acceptable time to restore a business process after a disruption
D. The average time between system failures

A

Answer:
C. The maximum acceptable time to restore a business process after a disruption

Explanation:

Correct Option:

C. The maximum acceptable time to restore a business process after a disruption: RTO is a critical metric in disaster recovery and business continuity planning.

Incorrect Options:

A. The maximum acceptable amount of data loss measured in time: This describes Recovery Point Objective (RPO).

B. The average time required to repair a failed component: This describes Mean Time to Repair (MTTR).

D. The average time between system failures: This describes Mean Time Between Failures (MTBF).

29
Q

Which of the following scenarios best illustrates Recovery Point Objective (RPO)?
A. A company determines it can tolerate up to 2 hours of downtime for its e-commerce website.
B. A financial institution backs up transactional data every 15 minutes to minimize data loss.
C. A manufacturing company repairs a critical machine in an average of 4 hours.
D. A server fails once every 72 days on average.

A

Answer:
B. A financial institution backs up transactional data every 15 minutes to minimize data loss.

Explanation:

Correct Option:

B. A financial institution backs up transactional data every 15 minutes to minimize data loss: This aligns with RPO, which measures the maximum acceptable data loss in time.

Incorrect Options:

A. A company determines it can tolerate up to 2 hours of downtime for its e-commerce website: This describes Recovery Time Objective (RTO).

C. A manufacturing company repairs a critical machine in an average of 4 hours: This describes Mean Time to Repair (MTTR).

D. A server fails once every 72 days on average: This describes Mean Time Between Failures (MTBF).

30
Q

What is the difference between Mean Time to Repair (MTTR) and Mean Time Between Failures (MTBF)?
A. MTTR measures the average time to repair a system, while MTBF measures the average time between failures.
B. MTTR measures the maximum acceptable downtime, while MTBF measures the maximum acceptable data loss.
C. MTTR measures the reliability of a system, while MTBF measures the speed of repairs.
D. MTTR and MTBF are interchangeable terms.

A

Answer:
A. MTTR measures the average time to repair a system, while MTBF measures the average time between failures.

Explanation:

Correct Option:

A. MTTR measures the average time to repair a system, while MTBF measures the average time between failures: MTTR focuses on repair speed, while MTBF focuses on system reliability.

Incorrect Options:

B. MTTR measures the maximum acceptable downtime, while MTBF measures the maximum acceptable data loss: This is incorrect; these concepts relate to RTO and RPO, not MTTR and MTBF.

C. MTTR measures the reliability of a system, while MTBF measures the speed of repairs: This is the opposite of the correct definitions.

D. MTTR and MTBF are interchangeable terms: This is incorrect; they measure different aspects of system performance.

31
Q

Which of the following are examples of risks that should be identified during risk identification? (Choose Three)
A. Financial risks
B. Recovery Time Objective (RTO)
C. Operational risks
D. Reputational risks
E. Mean Time Between Failures (MTBF)

A

Answer:
A, C, D

Explanation:

Correct Options:

A. Financial risks: Risks related to financial stability or losses.

C. Operational risks: Risks related to day-to-day operations and processes.

D. Reputational risks: Risks related to damage to the organization’s reputation.

Incorrect Options:

B. Recovery Time Objective (RTO): This is a metric used in BIA, not a type of risk.

E. Mean Time Between Failures (MTBF): This is also a metric used in BIA, not a type of risk.

32
Q

What is the purpose of a Business Impact Analysis (BIA)?
A. To identify potential risks that could impact an organization
B. To evaluate the effects of disruptions on business functions and prioritize recovery efforts
C. To calculate the likelihood of risks occurring
D. To implement risk mitigation strategies

A

Answer:
B. To evaluate the effects of disruptions on business functions and prioritize recovery efforts

Explanation:

Correct Option:

B. To evaluate the effects of disruptions on business functions and prioritize recovery efforts: BIA helps organizations understand the impact of disruptions and plan for recovery.

Incorrect Options:

A. To identify potential risks that could impact an organization: This describes risk identification, not BIA.

C. To calculate the likelihood of risks occurring: This is part of risk analysis, not BIA.

D. To implement risk mitigation strategies: This occurs after BIA and risk analysis.

33
Q

What is the primary purpose of a risk register?
A. To calculate the financial cost of risks
B. To record details about identified risks, including their description, impact, likelihood, and mitigation actions
C. To determine the organization’s risk appetite
D. To create a heat map risk matrix

A

Answer:
B. To record details about identified risks, including their description, impact, likelihood, and mitigation actions

Explanation:

Correct Option:

B. To record details about identified risks: A risk register is a document used to track and manage risks throughout a project or business operation.

Incorrect Options:

A. To calculate the financial cost of risks: While cost is a component of the risk register, it is not its primary purpose.

C. To determine the organization’s risk appetite: Risk appetite is a separate concept that guides how risks are managed, but it is not the purpose of the risk register.

D. To create a heat map risk matrix: A risk register may resemble a heat map, but its purpose is broader and includes tracking and managing risks.

34
Q

Which of the following are key components of a risk register? (Choose Three)
A. Risk Description
B. Risk Appetite
C. Risk Impact
D. Risk Likelihood
E. Risk Tolerance

A

Answer:
A, C, D

Explanation:

Correct Options:

A. Risk Description: A clear and concise description of the risk.

C. Risk Impact: The potential consequences of the risk, rated on a scale (e.g., low, medium, high).

D. Risk Likelihood: The probability of the risk occurring, rated on a scale (e.g., numerical or descriptive).

Incorrect Options:

B. Risk Appetite: This is a separate concept that guides how risks are managed but is not a component of the risk register.

E. Risk Tolerance: This is also a separate concept that defines the maximum amount of risk an organization is willing to accept.

35
Q

What is the difference between risk appetite and risk tolerance?
A. Risk appetite defines the types of risks an organization is willing to take, while risk tolerance defines the maximum amount of risk it can handle.
B. Risk appetite is the likelihood of a risk occurring, while risk tolerance is the impact of the risk.
C. Risk appetite is a component of the risk register, while risk tolerance is not.
D. Risk appetite and risk tolerance are interchangeable terms.

A

Answer:
A. Risk appetite defines the types of risks an organization is willing to take, while risk tolerance defines the maximum amount of risk it can handle.

Explanation:

Correct Option:

A. Risk appetite defines the types of risks an organization is willing to take, while risk tolerance defines the maximum amount of risk it can handle: Risk appetite reflects the organization’s approach to risk-taking, while risk tolerance specifies the level of risk it is willing to accept.

Incorrect Options:

B. Risk appetite is the likelihood of a risk occurring, while risk tolerance is the impact of the risk: This is incorrect; likelihood and impact are separate concepts related to risk analysis.

C. Risk appetite is a component of the risk register, while risk tolerance is not: Neither is a component of the risk register; they guide how risks are managed.

D. Risk appetite and risk tolerance are interchangeable terms: This is incorrect; they have distinct meanings.

36
Q

Which of the following are types of risk appetite? (Choose Three)
A. Expansionary
B. Conservative
C. Neutral
D. High Tolerance
E. Low Impact

A

Answer:
A, B, C

Explanation:

Correct Options:

A. Expansionary: Indicates a willingness to take on more risk for higher returns.

B. Conservative: Indicates a preference for taking less risk, even if it means lower returns.

C. Neutral: Indicates a balance between risk and return.

Incorrect Options:

D. High Tolerance: This is not a type of risk appetite; it relates to risk tolerance.

E. Low Impact: This is not a type of risk appetite; it relates to risk impact.

37
Q

What is the role of a risk owner in the risk register?
A. To calculate the cost of risks
B. To monitor risks, implement mitigation actions, and update the risk register
C. To determine the organization’s risk appetite
D. To create key risk indicators (KRIs)

A

Answer:
B. To monitor risks, implement mitigation actions, and update the risk register

Explanation:

Correct Option:

B. To monitor risks, implement mitigation actions, and update the risk register: The risk owner is responsible for managing specific risks and ensuring they are addressed effectively.

Incorrect Options:

A. To calculate the cost of risks: This is part of risk analysis but not the primary role of the risk owner.

C. To determine the organization’s risk appetite: This is a strategic decision made by leadership, not the risk owner.

D. To create key risk indicators (KRIs): KRIs are typically developed by risk management teams, not the risk owner.

38
Q

What are Key Risk Indicators (KRIs)?
A. Metrics used to measure the financial cost of risks
B. Predictive metrics that provide early warning of increasing risk exposure
C. A component of the risk register used to describe risks
D. The maximum amount of risk an organization is willing to accept

A

Answer:
B. Predictive metrics that provide early warning of increasing risk exposure

Explanation:

Correct Option:

B. Predictive metrics that provide early warning of increasing risk exposure: KRIs are used to monitor changes in risk levels and take proactive steps to manage risks.

Incorrect Options:

A. Metrics used to measure the financial cost of risks: This describes cost analysis, not KRIs.

C. A component of the risk register used to describe risks: This describes the risk description, not KRIs.

D. The maximum amount of risk an organization is willing to accept: This describes risk tolerance, not KRIs.

39
Q

Which of the following is an example of a Key Risk Indicator (KRI)?
A. The number of loan defaults in a banking institution
B. The cost of repairing a failed machine
C. The likelihood of a natural disaster occurring
D. The risk appetite of an organization

A

Answer:
A. The number of loan defaults in a banking institution

Explanation:

Correct Option:

A. The number of loan defaults in a banking institution: This is a predictive metric that signals increasing risk exposure, making it a KRI.

Incorrect Options:

B. The cost of repairing a failed machine: This is a financial impact, not a KRI.

C. The likelihood of a natural disaster occurring: This is part of risk analysis, not a KRI.

D. The risk appetite of an organization: This is a strategic concept, not a KRI.

40
Q

How is the risk level or threshold determined in a risk register?
A. By calculating the financial cost of the risk
B. By combining the risk impact and likelihood
C. By identifying the risk owner
D. By determining the organization’s risk appetite

A

Answer:
B. By combining the risk impact and likelihood

Explanation:

Correct Option:

B. By combining the risk impact and likelihood: The risk level is determined by assessing both the potential consequences (impact) and the probability (likelihood) of the risk occurring.

Incorrect Options:

A. By calculating the financial cost of the risk: This is a separate component of the risk register.

C. By identifying the risk owner: This is unrelated to determining the risk level.

D. By determining the organization’s risk appetite: This guides how risks are managed but does not determine the risk level.

41
Q

What is qualitative risk analysis?
A. A method of assessing risk using numerical data and statistical models
B. A method of assessing risk based on potential impact and likelihood, categorized as high, medium, or low
C. A process of calculating the financial cost of risks
D. A tool for creating risk registers

A

Answer:
B. A method of assessing risk based on potential impact and likelihood, categorized as high, medium, or low

Explanation:

Correct Option:

B. A method of assessing risk based on potential impact and likelihood: Qualitative risk analysis focuses on subjective evaluation of risks using categories like high, medium, or low.

Incorrect Options:

A. A method of assessing risk using numerical data and statistical models: This describes quantitative risk analysis, not qualitative.

C. A process of calculating the financial cost of risks: This is part of risk analysis but not the primary focus of qualitative risk analysis.

D. A tool for creating risk registers: A risk register is a separate tool used to document risks, not a method of analysis.

42
Q

Which of the following are key components of qualitative risk analysis? (Choose Two)
A. Likelihood/Probability
B. Financial Cost
C. Impact
D. Risk Appetite

A

Answer:
A, C

Explanation:

Correct Options:

A. Likelihood/Probability: The chance of a risk occurring, expressed qualitatively (e.g., low, medium, high).

C. Impact: The potential consequences of a risk, also expressed qualitatively (e.g., low, medium, high).

Incorrect Options:

B. Financial Cost: This is part of risk analysis but not a key component of qualitative risk analysis.

D. Risk Appetite: This guides how risks are managed but is not a component of qualitative risk analysis.

43
Q

How is the likelihood of a risk typically expressed in qualitative risk analysis?
A. As a numerical probability (e.g., 10%, 50%, 90%)
B. As a financial cost (e.g., $10,000, $50,000, $100,000)
C. Qualitatively as low, medium, or high
D. As a percentage of project completion

A

Answer:
C. Qualitatively as low, medium, or high

Explanation:

Correct Option:

C. Qualitatively as low, medium, or high: Likelihood in qualitative risk analysis is expressed in subjective terms rather than numerical values.

Incorrect Options:

A. As a numerical probability: This is used in quantitative risk analysis, not qualitative.

B. As a financial cost: This is unrelated to likelihood.

D. As a percentage of project completion: This is unrelated to risk likelihood.

44
Q

What does “impact” refer to in qualitative risk analysis?
A. The financial cost of mitigating a risk
B. The potential consequences of a risk if it occurs
C. The likelihood of a risk occurring
D. The time required to complete a project

A

Answer:
B. The potential consequences of a risk if it occurs

Explanation:

Correct Option:

B. The potential consequences of a risk if it occurs: Impact refers to the damage or loss that could result from a risk, such as cost overruns, delays, or quality issues.

Incorrect Options:

A. The financial cost of mitigating a risk: This is part of risk management but not the definition of impact.

C. The likelihood of a risk occurring: This is a separate component of risk analysis.

D. The time required to complete a project: This is unrelated to the concept of impact.

45
Q

Which of the following are examples of qualitative risk analysis in practice? (Choose Two)
A. Assessing the likelihood of a key team member leaving as “medium” and the impact as “high”
B. Calculating the probability of a risk occurring as 75%
C. Rating the impact of a material delivery delay as “high” due to potential cost overruns
D. Using statistical models to predict the financial cost of a risk

A

Answer:
A, C

Explanation:

Correct Options:

A. Assessing the likelihood of a key team member leaving as “medium” and the impact as “high”: This is an example of qualitative risk analysis, as it uses subjective categories (medium, high).

C. Rating the impact of a material delivery delay as “high” due to potential cost overruns: This is also qualitative, as it uses subjective terms to describe impact.

Incorrect Options:

B. Calculating the probability of a risk occurring as 75%: This is quantitative risk analysis, not qualitative.

D. Using statistical models to predict the financial cost of a risk: This is also quantitative risk analysis.

46
Q

What is the difference between low, medium, and high impact in qualitative risk analysis?
A. Low impact means major damage, medium impact means significant damage, and high impact means minor damage.
B. Low impact means minor damage, medium impact means significant damage, and high impact means major damage.
C. Low impact means no damage, medium impact means minor damage, and high impact means significant damage.
D. Low, medium, and high impact are interchangeable terms.

A

Answer:
B. Low impact means minor damage, medium impact means significant damage, and high impact means major damage.

Explanation:

Correct Option:

B. Low impact means minor damage, medium impact means significant damage, and high impact means major damage: This is the correct definition of impact levels in qualitative risk analysis.

Incorrect Options:

A. Low impact means major damage, medium impact means significant damage, and high impact means minor damage: This is the opposite of the correct definition.

C. Low impact means no damage, medium impact means minor damage, and high impact means significant damage: This is incorrect; low impact does not mean “no damage.”

D. Low, medium, and high impact are interchangeable terms: This is incorrect; they have distinct meanings.

47
Q

Which of the following factors are considered when assessing the likelihood of a risk in qualitative risk analysis? (Choose Two)
A. Past experience
B. Financial cost
C. Expert judgment
D. Project completion time

A

Answer:
A, C

Explanation:

Correct Options:

A. Past experience: Historical data and past events can help assess the likelihood of a risk.

C. Expert judgment: Input from experienced team members or stakeholders is often used to evaluate risk likelihood.

Incorrect Options:

B. Financial cost: This is unrelated to assessing likelihood.

D. Project completion time: This is unrelated to assessing likelihood.

48
Q

In a software development project, the departure of a key team member is assessed as having a “medium” likelihood and a “high” impact. What does this mean?
A. The risk is unlikely to occur, but if it does, the consequences will be minor.
B. The risk has a moderate chance of occurring, and if it does, the consequences will be severe.
C. The risk is almost certain to occur, but the consequences will be minimal.
D. The risk has a low chance of occurring, and the consequences will be moderate.

A

Answer:
B. The risk has a moderate chance of occurring, and if it does, the consequences will be severe.

Explanation:

Correct Option:

B. The risk has a moderate chance of occurring, and if it does, the consequences will be severe: “Medium” likelihood means a moderate chance, and “high” impact means severe consequences.

Incorrect Options:

A. The risk is unlikely to occur, but if it does, the consequences will be minor: This describes a low likelihood and low impact.

C. The risk is almost certain to occur, but the consequences will be minimal: This describes a high likelihood and low impact.

D. The risk has a low chance of occurring, and the consequences will be moderate: This describes a low likelihood and medium impact.

49
Q

What is the primary purpose of quantitative risk analysis?
A. To provide a subjective evaluation of risks using categories like high, medium, or low
B. To provide a numerical and objective evaluation of risks using measurable data
C. To identify risks without assigning any values to them
D. To create a risk register for tracking risks

A

Answer:
B. To provide a numerical and objective evaluation of risks using measurable data

Explanation:

Correct Option:

B. To provide a numerical and objective evaluation of risks: Quantitative risk analysis uses numerical measurements to assess risks, making it more precise than qualitative methods.

Incorrect Options:

A. To provide a subjective evaluation of risks using categories like high, medium, or low: This describes qualitative risk analysis, not quantitative.

C. To identify risks without assigning any values to them: This is part of risk identification, not quantitative analysis.

D. To create a risk register for tracking risks: A risk register is a separate tool used to document risks, not a method of analysis.

50
Q

Which of the following are key components of quantitative risk analysis? (Choose Four)
A. Single Loss Expectancy (SLE)
B. Exposure Factor (EF)
C. Annualized Rate of Occurrence (ARO)
D. Annualized Loss Expectancy (ALE)
E. Risk Appetite

A

Answer:
A, B, C, D

Explanation:

Correct Options:

A. Single Loss Expectancy (SLE): The monetary value expected to be lost in a single event.

B. Exposure Factor (EF): The proportion of an asset lost in an event, expressed as a percentage.

C. Annualized Rate of Occurrence (ARO): The estimated frequency of a threat occurring within a year.

D. Annualized Loss Expectancy (ALE): The expected annual loss from a risk, calculated as SLE × ARO.

Incorrect Option:

E. Risk Appetite: This is a separate concept that guides how risks are managed but is not a component of quantitative risk analysis.

51
Q

How is Single Loss Expectancy (SLE) calculated?
A. SLE = Asset Value × Annualized Rate of Occurrence (ARO)
B. SLE = Asset Value × Exposure Factor (EF)
C. SLE = Annualized Loss Expectancy (ALE) × Exposure Factor (EF)
D. SLE = Annualized Loss Expectancy (ALE) ÷ Annualized Rate of Occurrence (ARO)

A

Answer:
B. SLE = Asset Value × Exposure Factor (EF)

Explanation:

Correct Option:

B. SLE = Asset Value × Exposure Factor (EF): SLE represents the monetary loss expected from a single event and is calculated by multiplying the asset value by the exposure factor.

Incorrect Options:

A. SLE = Asset Value × Annualized Rate of Occurrence (ARO): This is incorrect; ARO is used to calculate ALE, not SLE.

C. SLE = Annualized Loss Expectancy (ALE) × Exposure Factor (EF): This is incorrect; ALE is calculated using SLE, not the other way around.

D. SLE = Annualized Loss Expectancy (ALE) ÷ Annualized Rate of Occurrence (ARO): This is incorrect; SLE is calculated independently of ALE and ARO.

52
Q

What does the Exposure Factor (EF) represent in quantitative risk analysis?
A. The monetary value expected to be lost in a single event
B. The proportion of an asset lost in an event, expressed as a percentage
C. The estimated frequency of a threat occurring within a year
D. The expected annual loss from a risk

A

Answer:
B. The proportion of an asset lost in an event, expressed as a percentage

Explanation:

Correct Option:

B. The proportion of an asset lost in an event, expressed as a percentage: EF indicates the severity of asset loss, ranging from 0% (no loss) to 100% (total loss).

Incorrect Options:

A. The monetary value expected to be lost in a single event: This describes Single Loss Expectancy (SLE).

C. The estimated frequency of a threat occurring within a year: This describes Annualized Rate of Occurrence (ARO).

D. The expected annual loss from a risk: This describes Annualized Loss Expectancy (ALE).

53
Q

Which of the following scenarios best illustrates the use of Annualized Loss Expectancy (ALE)?
A. Calculating the monetary loss from a single server crash
B. Estimating the yearly financial impact of a recurring threat
C. Determining the proportion of an asset lost in an event
D. Assessing the likelihood of a risk occurring

A

Answer:
B. Estimating the yearly financial impact of a recurring threat

Explanation:

Correct Option:

B. Estimating the yearly financial impact of a recurring threat: ALE represents the expected annual loss from a risk, making it useful for evaluating recurring threats.

Incorrect Options:

A. Calculating the monetary loss from a single server crash: This describes Single Loss Expectancy (SLE).

C. Determining the proportion of an asset lost in an event: This describes Exposure Factor (EF).

D. Assessing the likelihood of a risk occurring: This describes Annualized Rate of Occurrence (ARO).

54
Q

If a server crashes once every 5 years, what is the Annualized Rate of Occurrence (ARO)?
A. 0.1
B. 0.2
C. 0.5
D. 1.0

A

Answer:
B. 0.2

Explanation:

Correct Option:

B. 0.2: ARO = 1 ÷ Number of Years = 1 ÷ 5 = 0.2.

Incorrect Options:

A. 0.1: This is incorrect; it does not match the calculation.

C. 0.5: This is incorrect; it does not match the calculation.

D. 1.0: This is incorrect; it does not match the calculation.

55
Q

If an asset is worth $50,000 and the Exposure Factor (EF) is 40%, what is the Single Loss Expectancy (SLE)?
A. $10,000
B. $20,000
C. $30,000
D. $40,000

A

Answer:
B. $20,000

Explanation:

Correct Option:

B. $20,000: SLE = Asset Value × EF = $50,000 × 40% = $20,000.

Incorrect Options:

A. $10,000: This is incorrect; it does not match the calculation.

C. $30,000: This is incorrect; it does not match the calculation.

D. $40,000: This is incorrect; it does not match the calculation.

56
Q

What is the Annualized Loss Expectancy (ALE) if the Single Loss Expectancy (SLE) is $10,000 and the Annualized Rate of Occurrence (ARO) is 0.2?

A. $500
B. $1,000
C. $2,000
D. $10,000

A

Answer:
C. $2,000

Explanation:

Correct Option:

C. $2,000: ALE = SLE × ARO = $10,000 × 0.2 = $2,000.

Incorrect Options:

A. $500: This is incorrect; it does not match the calculation.

B. $1,000: This is incorrect; it does not match the calculation.

D. $10,000: This is incorrect; it does not match the calculation.

57
Q

What are the four primary risk management strategies? (Choose Four)
A. Risk Transference
B. Risk Acceptance
C. Risk Avoidance
D. Risk Mitigation
E. Risk Elimination

A

Answer:
A, B, C, D

Explanation:

Correct Options:

A. Risk Transference: Shifting the risk to another party (e.g., through insurance or contracts).

B. Risk Acceptance: Acknowledging the risk and deciding to deal with it if it occurs.

C. Risk Avoidance: Changing plans or strategies to eliminate the risk entirely.

D. Risk Mitigation: Taking steps to reduce the likelihood or impact of the risk.

Incorrect Option:

E. Risk Elimination: This is not a recognized risk management strategy; risks can be avoided or mitigated but not always eliminated.

58
Q

Which of the following are examples of risk transference? (Choose Two)
A. Purchasing liability insurance for a business
B. Implementing safety training to reduce workplace accidents
C. Including an indemnity clause in a construction contract
D. Deciding not to launch a product to avoid patent infringement

A

Answer:
A, C

Explanation:

Correct Options:

A. Purchasing liability insurance for a business: This shifts the financial risk of a lawsuit to the insurance company.

C. Including an indemnity clause in a construction contract: This shifts the financial responsibility for damages to the contractor.

Incorrect Options:

B. Implementing safety training to reduce workplace accidents: This is an example of risk mitigation.

D. Deciding not to launch a product to avoid patent infringement: This is an example of risk avoidance.

59
Q

What is the key difference between risk acceptance and risk avoidance?
A. Risk acceptance involves shifting the risk to another party, while risk avoidance involves eliminating the risk entirely.
B. Risk acceptance involves acknowledging the risk and dealing with it if it occurs, while risk avoidance involves changing plans to eliminate the risk.
C. Risk acceptance involves reducing the likelihood of the risk, while risk avoidance involves reducing the impact of the risk.
D. Risk acceptance and risk avoidance are interchangeable terms.

A

Answer:
B. Risk acceptance involves acknowledging the risk and dealing with it if it occurs, while risk avoidance involves changing plans to eliminate the risk.

Explanation:

Correct Option:

B. Risk acceptance involves acknowledging the risk and dealing with it if it occurs, while risk avoidance involves changing plans to eliminate the risk: Risk acceptance means no action is taken to mitigate the risk, while risk avoidance means the risk is completely removed by altering plans.

Incorrect Options:

A. Risk acceptance involves shifting the risk to another party, while risk avoidance involves eliminating the risk entirely: This describes risk transference, not risk acceptance.

C. Risk acceptance involves reducing the likelihood of the risk, while risk avoidance involves reducing the impact of the risk: This describes risk mitigation, not risk acceptance or avoidance.

D. Risk acceptance and risk avoidance are interchangeable terms: This is incorrect; they are distinct strategies.

60
Q

Which of the following scenarios best illustrates risk mitigation?
A. A company purchases insurance to cover potential financial losses from lawsuits.
B. A manufacturing company implements safety training to reduce workplace accidents.
C. A business decides not to operate in a politically unstable country.
D. A tech company acknowledges the risk of data breaches but takes no action to address it.

A

Answer:
B. A manufacturing company implements safety training to reduce workplace accidents.

Explanation:

Correct Option:

B. A manufacturing company implements safety training to reduce workplace accidents: This is an example of reducing the likelihood of a risk (workplace accidents), which is risk mitigation.

Incorrect Options:

A. A company purchases insurance to cover potential financial losses from lawsuits: This is an example of risk transference.

C. A business decides not to operate in a politically unstable country: This is an example of risk avoidance.

D. A tech company acknowledges the risk of data breaches but takes no action to address it: This is an example of risk acceptance.

61
Q

What is the purpose of an indemnity clause in a contract?
A. To eliminate the risk entirely by changing plans or strategies
B. To shift the financial responsibility for harm, liability, or loss to another party
C. To reduce the likelihood or impact of a risk
D. To acknowledge the risk and decide to deal with it if it occurs

A

Answer:
B. To shift the financial responsibility for harm, liability, or loss to another party

Explanation:

Correct Option:

B. To shift the financial responsibility for harm, liability, or loss to another party: An indemnity clause is a contractual agreement used in risk transference.

Incorrect Options:

A. To eliminate the risk entirely by changing plans or strategies: This describes risk avoidance.

C. To reduce the likelihood or impact of a risk: This describes risk mitigation.

D. To acknowledge the risk and decide to deal with it if it occurs: This describes risk acceptance.

62
Q

Which of the following are methods of risk acceptance? (Choose Two)
A. Exemption
B. Insurance
C. Exception
D. Safety training

A

Answer:
A, C

Explanation:

Correct Options:

A. Exemption: A provision that excludes a party from a rule or requirement, meaning they accept the risk of operating without its protections.

C. Exception: A provision that allows a party to avoid a rule or requirement under specific conditions, meaning they accept the risk under certain circumstances.

Incorrect Options:

B. Insurance: This is a method of risk transference, not risk acceptance.

D. Safety training: This is a method of risk mitigation, not risk acceptance.

63
Q

When is risk avoidance typically chosen as a risk management strategy?
A. When the cost of managing the risk outweighs the potential loss
B. When the risk is too great to accept or transfer
C. When the organization wants to shift the financial burden to another party
D. When the organization decides to reduce the likelihood or impact of the risk

A

Answer:
B. When the risk is too great to accept or transfer

Explanation:

Correct Option:

B. When the risk is too great to accept or transfer: Risk avoidance is chosen when the potential impact of the risk is too severe to handle through other strategies.

Incorrect Options:

A. When the cost of managing the risk outweighs the potential loss: This describes risk acceptance.

C. When the organization wants to shift the financial burden to another party: This describes risk transference.

D. When the organization decides to reduce the likelihood or impact of the risk: This describes risk mitigation.

64
Q

Which of the following is an example of risk acceptance?
A. A company purchases cybersecurity insurance to cover potential data breaches.
B. A business decides not to launch a product to avoid patent infringement risks.
C. A financial institution acknowledges the risk of fraud but takes no action to prevent it.
D. A manufacturing company implements safety protocols to reduce workplace injuries.

A

Answer:
C. A financial institution acknowledges the risk of fraud but takes no action to prevent it.

Explanation:

Correct Option:

C. A financial institution acknowledges the risk of fraud but takes no action to prevent it: This is an example of risk acceptance, as the organization acknowledges the risk but does not mitigate it.

Incorrect Options:

A. A company purchases cybersecurity insurance to cover potential data breaches: This is an example of risk transference.

B. A business decides not to launch a product to avoid patent infringement risks: This is an example of risk avoidance.

D. A manufacturing company implements safety protocols to reduce workplace injuries: This is an example of risk mitigation.

65
Q

What is the primary purpose of risk monitoring?
A. To eliminate all risks in a project or business
B. To track identified risks, monitor residual risks, identify new risks, and evaluate risk response plans
C. To communicate risk information to stakeholders
D. To calculate the financial cost of risks

A

Answer:
B. To track identified risks, monitor residual risks, identify new risks, and evaluate risk response plans

Explanation:

Correct Option:

B. To track identified risks, monitor residual risks, identify new risks, and evaluate risk response plans: Risk monitoring is an ongoing process that ensures risks are managed effectively throughout the project lifecycle.

Incorrect Options:

A. To eliminate all risks in a project or business: Risk monitoring does not eliminate risks but helps manage them.

C. To communicate risk information to stakeholders: This describes risk reporting, not risk monitoring.

D. To calculate the financial cost of risks: This is part of risk analysis, not risk monitoring.

66
Q

Which of the following are components of risk monitoring? (Choose Three)
A. Tracking identified risks
B. Communicating risk information to stakeholders
C. Monitoring residual risks
D. Identifying new risks
E. Creating risk reports

A

Answer:
A, C, D

Explanation:

Correct Options:

A. Tracking identified risks: Monitoring involves keeping track of known risks.

C. Monitoring residual risks: Residual risks are those that remain after mitigation, transference, or acceptance.

D. Identifying new risks: New risks may emerge during the project lifecycle and must be identified.

Incorrect Options:

B. Communicating risk information to stakeholders: This is part of risk reporting, not risk monitoring.

E. Creating risk reports: This is also part of risk reporting, not risk monitoring.

67
Q

What is residual risk?
A. The likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied
B. The initial likelihood and impact of a risk before any actions are taken
C. The financial cost of managing a risk
D. The process of communicating risk information to stakeholders

A

Answer:
A. The likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied

Explanation:

Correct Option:

A. The likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied: Residual risk is what remains after risk management strategies have been implemented.

Incorrect Options:

B. The initial likelihood and impact of a risk before any actions are taken: This describes inherent risk, not residual risk.

C. The financial cost of managing a risk: This is unrelated to residual risk.

D. The process of communicating risk information to stakeholders: This describes risk reporting, not residual risk.

68
Q

What is control risk?
A. The likelihood and impact of a risk after mitigation measures have been applied
B. A measure of how much less effective a security control has become over time
C. The financial cost of implementing security controls
D. The process of identifying new risks

A

Answer:
B. A measure of how much less effective a security control has become over time

Explanation:

Correct Option:

B. A measure of how much less effective a security control has become over time: Control risk assesses the diminishing effectiveness of security measures over time.

Incorrect Options:

A. The likelihood and impact of a risk after mitigation measures have been applied: This describes residual risk, not control risk.

C. The financial cost of implementing security controls: This is unrelated to control risk.

D. The process of identifying new risks: This is part of risk monitoring, not control risk.

69
Q

Which of the following are purposes of risk reporting? (Choose Three)
A. To eliminate all risks in a project or business
B. To communicate risk management activities to stakeholders
C. To demonstrate regulatory compliance
D. To provide insights for informed decision-making
E. To calculate the financial cost of risks

A

Answer:
B, C, D

Explanation:

Correct Options:

B. To communicate risk management activities to stakeholders: Risk reporting ensures stakeholders are informed about risks and mitigation efforts.

C. To demonstrate regulatory compliance: Many industries require regular risk reports to show compliance with regulations.

D. To provide insights for informed decision-making: Risk reports help stakeholders make decisions about resource allocation, timelines, and strategy.

Incorrect Options:

A. To eliminate all risks in a project or business: Risk reporting does not eliminate risks but helps manage them.

E. To calculate the financial cost of risks: This is part of risk analysis, not risk reporting.

70
Q

Which of the following is an example of risk monitoring in practice?
A. A construction company produces a monthly risk report for stakeholders.
B. A software development team uses project management software to track project deadline risks.
C. A financial institution calculates the cost of potential fraud risks.
D. A manufacturing company eliminates all workplace safety risks.

A

Answer:
B. A software development team uses project management software to track project deadline risks.

Explanation:

Correct Option:

B. A software development team uses project management software to track project deadline risks: This is an example of ongoing risk monitoring.

Incorrect Options:

A. A construction company produces a monthly risk report for stakeholders: This is an example of risk reporting, not monitoring.

C. A financial institution calculates the cost of potential fraud risks: This is part of risk analysis, not monitoring.

D. A manufacturing company eliminates all workplace safety risks: This is unrealistic; risks cannot always be eliminated.

71
Q

What is the relationship between residual risk and control risk?
A. Residual risk is the initial risk, while control risk is the risk after mitigation.
B. Residual risk is the risk remaining after mitigation, while control risk measures the effectiveness of security controls over time.
C. Residual risk and control risk are interchangeable terms.
D. Residual risk is the financial cost of risks, while control risk is the likelihood of risks occurring.

A

Answer:
B. Residual risk is the risk remaining after mitigation, while control risk measures the effectiveness of security controls over time.

Explanation:

Correct Option:

B. Residual risk is the risk remaining after mitigation, while control risk measures the effectiveness of security controls over time: Residual risk focuses on what remains after risk management, while control risk assesses the diminishing effectiveness of controls.

Incorrect Options:

A. Residual risk is the initial risk, while control risk is the risk after mitigation: This is incorrect; residual risk is what remains after mitigation, not the initial risk.

C. Residual risk and control risk are interchangeable terms: This is incorrect; they are distinct concepts.

D. Residual risk is the financial cost of risks, while control risk is the likelihood of risks occurring: This is incorrect; neither definition is accurate.

72
Q

Which of the following is an example of risk reporting?
A. A software development team tracks bugs and delays using project management software.
B. A construction company shares a monthly report on safety hazards and project delays with stakeholders.
C. A financial institution calculates the cost of potential data breaches.
D. A manufacturing company eliminates all risks related to workplace injuries.

A

Answer:
B. A construction company shares a monthly report on safety hazards and project delays with stakeholders.

Explanation:

Correct Option:

B. A construction company shares a monthly report on safety hazards and project delays with stakeholders: This is an example of risk reporting, as it communicates risk information to stakeholders.

Incorrect Options:

A. A software development team tracks bugs and delays using project management software: This is an example of risk monitoring, not reporting.

C. A financial institution calculates the cost of potential data breaches: This is part of risk analysis, not reporting.

D. A manufacturing company eliminates all risks related to workplace injuries: This is unrealistic and unrelated to risk reporting.