CompTIA Security Plus Mock Test Q713

Joe, the information security manager, is tasked with calculating risk and selecting controls to protect a new system. He has identified people, environmental conditions, and events that could affect the new system. Which of the following does he need to estimate NEXT in order to complete his risk calculations?

A. Vulnerabilities
B. Risk
C. Likelihood
D. Threats


Correct Answer: A
Section: Threats and Vulnerabilities

Explanation:
In this question, the information security manager has identified people, environmental conditions, and events that could affect the new system. The next step of the risk assessment is to determine the vulnerabilities of the system itself.

Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information-processing capabilities or a loss of information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of it occurring. The key here is to think outside the box. Conventional threats and risks are often too limited when considering risk assessment.
The key components of a risk-assessment process are outlined here:
Risks to Which the Organization Is Exposed: This component allows you to develop scenarios that can help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organization will best deal with these risks and the best way to respond.

Risks That Need Addressing: The risk-assessment component also allows an organization to provide a reality check on which risks are real and which are unlikely. This process helps an organization focus on its resources as well as on the risks that are most likely to occur. For example, industrial espionage and theft are likely, but the risk of a hurricane damaging the server room in Indiana is very low. Therefore, more resources should be allocated to prevent espionage or theft as opposed to the latter possibility.

Incorrect Answers:
B: Risk is the exposure to danger. It is a combination of vulnerability, threat, and likelihood. It is not a single aspect to be calculated. Therefore this answer is incorrect.
C: You need to determine a vulnerability and the threat to that vulnerability before you can determine the likelihood of occurrence. Likelihood is not the next step in this question.
D: A threat is something that can attack a vulnerability. You need to determine the vulnerability before you can determine the threat. Therefore this answer is incorrect.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 3-5