According to the CRISC Review Manual1, risk scenarios are hypothetical situations that describe the potential causes, impacts, and responses of a risk event. Risk scenarios are useful tools for identifying, analyzing, and communicating risks in a clear and understandable way. The most important factor when developing risk scenarios is to ensure that they are relevant to the organization, as this helps to capture the specific context, objectives, processes, and resources of the organization, and to reflect the actual risk exposure and appetite of the organization. Relevant risk scenarios also help to engage and involve the stakeholders, and to facilitate risk-based decision making and action planning. References = CRISC Review Manual1, page 206.

A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met and whether the project delivered the expected benefits and outcomes1. The primary objective of a risk practitioner performing a PIR of an IT risk mitigation project is to verify that the risk level has been lowered as a result of the project implementation2. This can be done by comparing the actual risk level with theexpected risk level, assessing the effectiveness and efficiency of the risk mitigation controls, and identifying any residual or emerging risks3. Documenting project lessons learned, validating the project completion, and confirming the project budget are important aspects of a PIR, but they are not the primary objective for a risk practitioner, as they do not directly measure the impact of the project on the risk level4. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Response and Mitigation, Section 5.4: Post-Implementation Review, pp. 239-241.

Warning banners on login screens serve as deterrent controls. Deterrent controls are designed to discourage individuals from attempting unauthorized actions by warning them of potential consequences.
* Purpose of Warning Banners
* Warning banners provide clear notice to users, both authorized and unauthorized, that their activities may be monitored and that unauthorized access is prohibited.
* They serve as a legal disclaimer, which can be crucial in prosecuting unauthorized access attempts.
* Effectiveness as a Deterrent Control
* The primary function of a warning banner is to deter potential intruders by making them aware of the surveillance and legal implications of unauthorized access.
* For authorized users, it reinforces awareness of the organization's security policies and acceptable use agreements.
* Comparison with Other Control Types
* A. Corrective: These controls are used to correct or restore systems after an incident.
* B. Preventive: These controls are designed to prevent security incidents from occurring.
* C. Detective: These controls are used to detect and alert about security incidents.
* D. Deterrent: These controls are intended to discourage individuals from performing unauthorized activities.
References
* Sybex-CISSP-Official-Study-Guide-9-Edition.pdf, p. 829, detailing the role of warning banners as deterrent controls.

Qualitative measures are methods of expressing risk levels using descriptive terms, such as high, medium, or low, based on subjective criteria, such as likelihood, impact, or severity. Qualitative measures are often used to identify and prioritize risks, and to communicate risk information to stakeholders1.
Residual risk is the level of risk that remains after the risk response has been implemented. Residual risk reflects the effectiveness and efficiency of the risk response, and the need for further action or monitoring2.
Emerging threats are new or evolving sources or causes of risk that have the potential to adversely affect the organization's objectives, assets, or operations. Emerging threats are oftencharacterized by uncertainty, complexity, and ambiguity, and may require innovative or adaptive risk responses3.
The best reason to use qualitative measures to express residual risk levels related to emerging threats is that qualitative measures are better able to incorporate expert judgment. Expert judgment is the opinion or advice of a person or a group of people who have specialized knowledge, skills, or experience in a particular domain or field. Expert judgment can help to:
Provide insights and perspectives on the nature and characteristics of the emerging threats, and their possible causes and consequences Assess the likelihood and impact of the emerging threats, and their interactions and dependencies with other risks Evaluate the suitability and effectiveness of the risk responses, and their alignment with the organization's risk appetite and tolerance Identify and recommend the best practices and lessons learned for managing the emerging threats, and for improving the risk management process45 Qualitative measures are better able to incorporate expert judgment than quantitative measures, which are methods of expressing risk levels using numerical or measurable values, such as percentages, probabilities, or monetary amounts. Quantitative measures are often used to estimate and analyze risks, and to support risk decision making1. However, quantitative measures may not be suitable or feasible for expressing residual risk levels related to emerging threats, because:
Quantitative measures require reliable and sufficient data and information, which may not be available or accessible for the emerging threats Quantitative measures rely on mathematical models and techniques, which may not be able to capture or reflect the complexity and uncertainty of the emerging threats Quantitative measures may create a false sense of precision or accuracy, which may not be justified or warranted for the emerging threats Quantitative measures may be influenced or manipulated by biases or assumptions, which may not be valid or appropriate for the emerging threats67 Therefore, qualitative measures are better able to incorporate expert judgment, which can enhance the understanding and management of the residual risk levels related to emerging threats.
The other options are not the best reasons to use qualitative measures to express residual risk levels related to emerging threats, but rather some of the advantages or disadvantages of qualitative measures. Qualitative measures require less ongoing monitoring than quantitative measures, because they are simpler and easier to apply and update. However, this does not mean that qualitative measures can eliminate or reduce the need for monitoring, which is an essential part of the risk management process. Qualitative measures are better aligned to regulatory requirements than quantitative measures, because they are more consistent and comparable across different domains and contexts. However, this does not mean that qualitative measures can satisfy or comply with all the regulatory requirements, which may vary depending on theindustry or sector. Qualitative measures are easier to update than quantitative measures, because they do not depend on complex calculations or formulas. However, this does not mean that qualitative measures can always reflect the current or accurate risk levels, which may change over time or due to external factors. References = Qualitative Risk Analysis vs. Quantitative Risk Analysis - ISACA Residual Risk - ISACA Emerging Threats - ISACA Expert Judgment - ISACA Expert Judgment in Project Management: Narrowing the Theory-Practice Gap Quantitative Risk Analysis - ISACA Quantitative Risk Analysis: A Critical Review
[CRISC Review Manual, 7th Edition]

Risk exposure is the product of risk likelihood and risk impact ratings. It represents the potential loss or damage that may result from a risk event. After implementing countermeasures, the risk likelihood and/or impact ratings may change, depending on the effectiveness of the countermeasures. Therefore, the risk exposure must also change to reflect the updated risk ratings. The other components of the register, such as risk owner, risk impact rating, and risk likelihood rating, may or may not change depending on the nature and scope of the countermeasures. References = Risk and Information Systems Control Study Manual, Chapter 2:
IT Risk Assessment, Section 2.4: IT Risk Response, page 87.