Section: Volume D

Explanation/Reference:
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This incident

can occur when vulnerability is being exploited by threat. The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware.
SLE = Asset value * Exposure factor
Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur in a

year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year.
Annual loss expectancy (ALE)-It is the expected loss for a year. ALE is calculated by multiplying SLE

with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example, antivirus

software of an average cost of $50 for each computer. If there are 50 computers, the safeguard value is
$2,500.
Incorrect Answers:
A: The first thing we must do in risk management is to identify the areas of the project where the risks can occur. This is termed as risk identification. Listing all the possible risks is proved to be very productive for the enterprise as we can cure them before it can occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.
C: Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values.
Rather, it determines risk's level based on the probability and impact of a risk. These values are determined by gathering the opinions of experts.
Probability- establishing the likelihood of occurrence and reoccurrence of specific risks, independently,

and combined. The risk occurs when a threat exploits vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High.
Percentage can also be assigned to these words, like 10% to low and 90% to high.
Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss.

However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100.
Risk level = Probability*Impact
D: This is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness through the project.

The first step in selecting a risk response after a penetration test reveals several vulnerabilities in a web-facing application is to assess the level of risk associated with the vulnerabilities, as it involves evaluating the likelihood and impact of the vulnerabilities being exploited, and comparing them with the risk tolerance and appetite of the organization. Correcting the vulnerabilities, developing a risk response action plan, and communicating the vulnerabilities are possible steps in selecting a risk response, but they are not the first step, as they require the prior knowledge of the risk level and the optimal risk response. References = CRISC Review Manual, 7th Edition, page 108.

Explanation/Reference:
Explanation:
The plan risk management process is when risk categories were to be defined. If they were not defined, as in this scenario, it is acceptable to define the categories as part of the qualitative risk analysis process.
Plan risk management is the process of defining the way to conduct the risk management activities.
Planning is essential for providing sufficient resources and time for risk management activities, and to establish an agreed-upon basis of evaluating risks. This process should start as soon as project is conceived and should be completed early during project planning.
Incorrect Answers:
A: Risk categories are not defined through the define scope process.
B: Risk categories are not defined through the risk identification process.
D: Risk categories are not defined through the create work breakdown structure process.

Implement compensating controls until the preferred action can be completed, because it helps to reduce the residual risk to an acceptable level, while allowing the preferred action to be delayed or postponed. A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response strategy for a specific risk. A risk response strategy is a course of action that is selected to address a risk, such as avoid, transfer, mitigate, or accept. A compensating control is a control that provides an alternative or additional measure of protection or assurance, when the primary or preferred control is not feasible or effective. Implementing compensating controls is the best approach, as it helps to maintain the risk management process and objectives, and to avoid or minimize the negative consequences of the delay or postponement of the preferred action.
Developing additional key risk indicators (KRIs), replacing the action owner with a more experienced individual, and changing the risk response strategy of the relevant risk to risk avoidance are all possible approaches when a risk treatment plan cannot be completed on time, but they are not the best approach, as they may not address the residual risk level, and they may introduce new risks or issues.