CompTIA Security Plus Mock Test Q236

An IT security manager is asked to provide the total risk to the business. Which of the following calculations would the security manager choose to determine total risk?

A. (Threats X vulnerability X asset value) x controls gap
B. (Threats X vulnerability X profit) x asset value
C. Threats X vulnerability X control gap
D. Threats X vulnerability X asset value


Correct Answer: D
Section: Compliance and Operational Security

Explanation:
Threats X vulnerability X asset value is equal to asset value (AV) times exposure factor (EF). This is used to calculate a risk.

Incorrect Answers:
A: This formula would calculate the loss expectancy over a particular period of time.
B: Profit should first be realized prior to being incorporated into a formula to determine the total risk.
C: Total risk calculation is not synonymous with loss expected over a particular period of time.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 5