Which of the following answers uses security terms “vulnerability,” “threat,” “risk,” and “countermeasure” correctly?

A.
There can be a threat, but unless your company has the corresponding vulnerability, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.

B.
There can be a vulnerability, but unless your company has the corresponding risk, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.

C.
There can be a risk, but unless your company has the corresponding threat, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to reduce the risk.

D.
There can be a threat, but unless your company has the corresponding vulnerability, then the company is not exposed and it is not a vulnerability. If the vulnerability does reside in the environment, then a countermeasure is applied to increase the risk.

Explanation:
A quantitative approach employs calculations using statistics of probabilities and ratios pertaining to the possibilities of specific threats. A qualitative approach is more subjective, using opinion polls and other subjective means that identify the priority of threats that pose possible risks.




Greg

I agree with the answer, though I don’t believe the Explanation pertains to this question. From Harris’s “Quick Tips”:

• A vulnerability is the absence of a safeguard (in other words, it is a weakness) that can be exploited.
• A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
• A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
• Reducing vulnerabilities and/or threats reduces risk.
• An exposure is an instance of being exposed to losses from a threat.
• A countermeasure, also called a safeguard, mitigates the risk.