Which of the following will risk analysis not yield?

A. Monetary values assigned to assets

B. Probability rate of the occurrence of each threat

C. Recommended safeguards, countermeasures, and actions

D. Countermeasures and their costs

Explanation:
A risk analysis is focused on the problem, not the solution. A risk analysis is
conducted only to provide management with a gross calculation or perception of the
potential losses that could be incurred as a result of security problems. The
results will be used to justify a security budget that may enable the funding of
countermeasures, but the risk analysis does not concern itself with these matters,
only with measuring risk.




Greg

I cannot disagree with any of the first three. In fact, from Harris:

The following is a short list of what generally is expected from the results of a risk analysis:
• Monetary values assigned to assets
• Comprehensive list of all possible and significant threats
• Probability of the occurrence rate of each threat
• Loss potential the company can endure per threat in a 12-month time span
• Recommended safeguards, countermeasures, and actions

However, (also from Harris), “the main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.”

How can we provide an “economic balance” between risk and the “cost of the safeguards/countermeasures” if we don’t have those costs?!? (Harris indicates earlier that safeguards and countermeasures are the same thing.)