Which of the following is the CISO performing?

Following a security assessment, the Chief Information Security Officer (CISO) is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO’s evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?
A. Documentation of lessons learned
B. Quantitative risk assessment
C. Qualitative assessment of risk
D. Business impact scoring
E. Threat modeling


8 thoughts on “Which of the following is the CISO performing?”

  1. Guys, it's B

    Quantitative Risk Analysis
    Quantitative risk assessment uses calculations based on historical data associated with risk. This method is used in industries such as insurance, where large quantities of data occur and provide a solid basis for trending. A common method of quantitative assessment is the calculation of the annualized loss expectancy (ALE).

  2. It's C

    From the CASP Sybex book:

    Quantitative Risk Assessment This method assigns a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.

    Qualitative Risk Assessment This method ranks threats by nonmonetary values and is based on scenario, intuition, and experience.

  3. I believe it is qualitative (C).

    The CISO is viewing the exposure through the lens of his past experience.

    Qualitative can include data in my opinion. (An argument can include data, and still be an opinion)

    Quantitative cannot include experience and personal thinking. (Statistics cannot include experience and still be statistics)

  4. Tricky…

    Says based on past experiences, so qualitative, but it says exposure factor, qualitative. I don’t know.

  5. Right from CompTIA:

    Qualitative analysis methods use descriptions and words to measure the likelihood and impact of risk. For example, impact ratings can be severe/high, moderate/medium, or low; and likelihood ratings can be likely, unlikely, or rare. Qualitative analysis is generally scenario-based. A weakness of qualitative risk analysis lies with its sometimes subjective and untestable methodology. You can also assign numbers between 0 and 9 for exposures and damage potential. However, you do not perform calculations on the numbers assigned to the risks. The goal of qualitative assessment is to rank the risks on a scale of 1 to 25, for example.

    Quantitative analysis is based completely on numeric values. Data is analyzed using historic records, experiences, industry best practices and records, statistical theories, testing, and experiments. This methodology may be weak in situations where risk is not easily quantifiable. The goal of quantitative analysis is to calculate the probable loss for every risk.

    I do believe B is correct
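The contrast the thread is arguing about, worked in Python: a quantitative ranking by annualized loss expectancy (ALE = AV × EF × ARO, the calculation comment 1 mentions) next to a qualitative likelihood × impact ranking on the 1-to-25 scale quoted in comment 5. This is an added example, not part of the original post or of any CompTIA material; the findings, asset values, exposure factors and ratings are constructed.

```python
from dataclasses import dataclass

# Qualitative scales: words mapped to ordinal positions and multiplied to give
# the 1..25 ranking; the ordinals are labels, so they are only used for ordering.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"low": 1, "minor": 2, "moderate": 3, "high": 4, "severe": 5}


@dataclass
class Finding:
    name: str
    asset_value: float      # AV: value of the affected asset (currency)
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year, from historical data
    likelihood: str         # qualitative rating, a key of LIKELIHOOD
    impact: str             # qualitative rating, a key of IMPACT


def single_loss_expectancy(f: Finding) -> float:
    """SLE = AV * EF: expected loss from a single occurrence."""
    return f.asset_value * f.exposure_factor


def annualized_loss_expectancy(f: Finding) -> float:
    """ALE = SLE * ARO: probable loss per year, the quantitative result."""
    return single_loss_expectancy(f) * f.aro


def qualitative_score(f: Finding) -> int:
    """Likelihood x impact on a 1..25 scale; meaningful only for ranking."""
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def rank_quantitative(findings):
    """(name, ALE) pairs ordered by probable annual loss, highest first."""
    return sorted(((f.name, annualized_loss_expectancy(f)) for f in findings),
                  key=lambda t: t[1], reverse=True)


def rank_qualitative(findings):
    """(name, score) pairs ordered by likelihood x impact, highest first."""
    return sorted(((f.name, qualitative_score(f)) for f in findings),
                  key=lambda t: t[1], reverse=True)


# Constructed sample findings; the figures are illustrative, not real data.
FINDINGS = [
    Finding("internet-facing web app flaw", 400_000, 0.5, 0.5, "likely", "severe"),
    Finding("internal file share misconfiguration", 150_000, 0.25, 3, "almost certain", "minor"),
    Finding("unencrypted laptop theft", 5_000, 1.0, 4, "likely", "low"),
]
```

With these constructed inputs the two methods disagree on the top finding (the file share has the higher ALE, the web app the higher 1..25 score), which is the practical reason the question cares which method the CISO is actually using.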
