CCNA CRISC Risk Assessment Questions

75 of 140 questions · Page 1/2 · CRISC Risk Assessment topic · Answers revealed

Question 1 · MCQ · medium

A risk assessment identifies a critical vulnerability in a web application. Which control type would be most effective in preventing exploitation of this vulnerability?

A. Compensating control such as additional monitoring
B. Preventive control such as patching the vulnerability
C. Corrective control such as backup restoration
D. Detective control such as log monitoring
Answer: B

Patching removes the vulnerability, preventing exploitation.

Why this answer

Preventive controls aim to stop the risk event from occurring; patching is a classic preventive control.

Question 2 · MCQ · hard

An organization assesses a risk and determines the inherent risk score is 20 (critical). After implementing controls, the residual risk score is 8 (medium). What does this indicate about the controls?

A. The residual risk is still critical
B. Controls are effective in reducing risk to a lower level
C. The inherent risk was overestimated
D. Controls are ineffective because residual risk is still above zero
Answer: B

Significant reduction shows effectiveness.

Why this answer

The reduction from 20 to 8 indicates the controls are effective in reducing risk.

Question 3 · MCQ · easy

Which of the following is a detective control?

A. Data encryption
C. Backup and restore
Answer: B

Correct; IDS detects intrusions after they occur.

Why this answer

Detective controls identify risk events that have occurred. Intrusion detection systems (IDS) monitor network traffic for malicious activity and alert administrators.

Question 4 · MCQ · easy

An organization uses a 5×5 risk heat map to assess IT risks. Which of the following is the PRIMARY advantage of this qualitative approach?

A. Eliminates subjectivity in risk assessment
B. Provides comparable results across organizations
C. Quick and easy to communicate
D. Produces financially meaningful results
Answer: C

Heat maps are simple to create and understand, facilitating communication.

Why this answer

Qualitative risk analysis using heat maps is quick to perform and easy to communicate to stakeholders, making it the primary advantage. The other options are not primary advantages of this method.

Question 5 · MCQ · hard

A company calculates the annualized loss expectancy (ALE) for a server failure as $150,000. After implementing a backup solution costing $20,000 per year, the ALE drops to $30,000. What is the annualized benefit of the control?

A. $100,000
B. $130,000
C. $120,000
D. $20,000
Answer: A

Correct; $120k reduction minus $20k cost = $100k.

Why this answer

Annualized benefit = reduction in ALE - annual control cost. Reduction in ALE = $150k - $30k = $120k. Benefit = $120k - $20k = $100k.

Question 6 · MCQ · medium

An organization decides to outsource its data center operations to a cloud provider with strict contractual penalties for security breaches. This is an example of which risk treatment option?

A. Accept
B. Avoid
C. Mitigate
D. Transfer
Answer: D

Outsourcing with contractual liability is a common risk transfer mechanism.

Why this answer

Transferring risk shifts the financial consequences to a third party, such as through outsourcing or insurance.

Question 7 · MCQ · hard

In the FAIR framework, loss magnitude (LM) is composed of primary loss and secondary loss. Which of the following is an example of secondary loss?

A. Incident response costs
B. Lost business due to reputation damage
C. Legal notification costs
D. System restoration expenses
Answer: B

Lost business from reputation damage is an indirect secondary loss.

Why this answer

Secondary loss includes indirect costs like reputational damage, loss of customer trust, and share price impact.

Question 8 · MCQ · hard

An organization has identified a high-risk IT process that, if continued, could result in significant regulatory fines. The risk owner recommends implementing additional controls. However, the cost of controls exceeds the potential financial loss. Which risk treatment option is MOST appropriate?

A. Avoid the risk by discontinuing the process
B. Accept the risk with formal sign-off
C. Mitigate the risk by implementing controls
D. Transfer the risk through cyber insurance
Answer: D

Transfer is cost-effective when control costs exceed potential loss.

Why this answer

The cost of implementing additional controls exceeds the potential financial loss from regulatory fines, making mitigation economically inefficient. Transferring the risk through cyber insurance is the most appropriate option because it shifts the financial impact of the fines to an insurer, aligning with cost-benefit analysis principles in risk management.

Exam trap

The trap here is that candidates often choose 'mitigate' (Option C) without performing a cost-benefit analysis, forgetting that risk management requires controls to be cost-justified relative to the potential loss.

How to eliminate wrong answers

Option A is wrong because discontinuing the process (avoidance) would eliminate the business value it provides, which is an extreme measure not justified when a less disruptive option like insurance exists. Option B is wrong because accepting the risk with formal sign-off would leave the organization exposed to fines that exceed the cost of controls, violating the principle that acceptance is only appropriate when residual risk is within tolerance and cost-justified. Option C is wrong because mitigating the risk by implementing controls would cost more than the potential loss, violating the fundamental risk management principle that control costs should not exceed the expected benefit.

Question 9 · MCQ · medium

During an IT risk assessment, a risk owner identifies a risk that is within the organization's risk appetite. The recommended risk treatment option is to:

A. Accept the risk with formal sign-off.
B. Avoid the risk by eliminating the activity.
C. Transfer the risk through cyber insurance.
D. Mitigate the risk by implementing additional controls.
Answer: A

Acceptance is appropriate for risks within appetite.

Why this answer

When a risk is within appetite, the appropriate response is to accept it, with formal documentation and sign-off by the risk owner.

Question 10 · Multi-Select · hard

An organization is assessing control effectiveness for a firewall. Which THREE factors should be evaluated to determine control effectiveness? (Select THREE)

Select 3 answers
A. Design adequacy of the firewall rules
B. Operating effectiveness of the firewall
C. Cost of the firewall
D. Relevance to the specific risk scenario
E. Frequency of rule updates
Answers: A, B, D

Design adequacy is a key component.

Why this answer

Control effectiveness is a combination of design adequacy and operating effectiveness. Additionally, the control's ability to address the specific risk (relevance) is important. Frequency alone does not determine effectiveness.

Question 11 · MCQ · medium

In assessing control effectiveness, an IS auditor evaluates both design adequacy and operating effectiveness. Which of the following indicates that a control is operating effectively?

A. The control is approved by management
B. The control has been tested and works as designed
C. The control is inexpensive to implement
D. The control is documented in policy
Answer: B

Testing confirms operating effectiveness.

Why this answer

Operating effectiveness means the control has been tested and consistently produces the intended result in practice. Even if a control is well-designed, it may fail during actual operation due to misconfiguration, human error, or environmental changes. Testing confirms that the control functions as designed under real conditions, which is the definitive indicator of operating effectiveness.

Exam trap

The trap here is confusing control design (what is planned or documented) with control operation (what actually happens in practice), leading candidates to select policy or approval as evidence of effectiveness.

How to eliminate wrong answers

Option A is wrong because management approval only indicates that the control design is authorized, not that it is actually working in production. Option C is wrong because cost is a factor in control selection and efficiency, not a measure of whether the control operates effectively. Option D is wrong because documentation in policy only proves the control exists on paper, not that it is executed correctly or consistently.

Question 12 · MCQ · easy

A risk manager is using a 5×5 likelihood-impact matrix to assess a set of identified risks. What is the PRIMARY advantage of using this qualitative method?

A. It provides objective and comparable risk scores across organizations.
B. It is quick and easy to communicate to stakeholders.
C. It produces financially meaningful results for cost-benefit analysis.
D. It requires less data but is time-consuming to complete.
Answer: B

Qualitative heat maps are simple to understand and communicate.

Why this answer

Qualitative risk analysis using heat maps is quick and easy to communicate to stakeholders, making it a common initial assessment tool.

Question 13 · Multi-Select · medium

A risk assessment of a critical financial application identifies a high inherent risk due to outdated software. The risk manager is considering mitigation options. Which TWO of the following would be considered preventive controls?

Select 2 answers
A. Configuring access controls
C. Implementing a patch management process
D. Establishing a backup and recovery plan
E. Conducting regular security audits
Answers: A, C

Access controls prevent unauthorized access.

Why this answer

Configuring access controls is a preventive control because it proactively restricts unauthorized users from accessing the financial application, reducing the likelihood of a security incident. By enforcing least privilege and authentication mechanisms, it directly mitigates the risk of exploitation of the outdated software by limiting who can interact with it.

Exam trap

The trap here is confusing detective controls (like IDS or audits) or recovery controls (like backups) with preventive controls, especially when the question emphasizes 'mitigation options' for outdated software—candidates often overlook that patching is a direct preventive measure against known vulnerabilities.

Question 14 · Multi-Select · hard

A risk assessment team is prioritizing IT risks for treatment. Which THREE factors should be considered when prioritizing risks? (Select THREE)

Select 3 answers
A. Industry standards for similar risks
B. The inherent risk score of each risk
C. Cost-benefit analysis of potential controls
D. Residual risk after existing controls
E. The risk owner's personal preference
Answers: B, C, D

Higher inherent risks typically get higher priority.

Why this answer

Option B is correct because the inherent risk score provides a baseline measure of risk without considering controls, which is essential for prioritizing which risks require immediate attention. This score is typically calculated as a product of likelihood and impact, and it helps the team focus on the most severe potential threats first.

Exam trap

The trap here is that candidates may confuse 'factors to consider when prioritizing risks' with 'inputs to risk assessment' and incorrectly select industry standards (Option A) as a direct prioritization factor, when in fact they are used for benchmarking or compliance, not for ranking treatment urgency.

Question 15 · Multi-Select · medium

A company is evaluating control types for a new system. The security team proposes implementing an intrusion detection system (IDS) and a backup restoration process. Which TWO control types do these represent, respectively?

Select 2 answers
A. Deterrent
B. Preventive
C. Compensating
D. Detective
E. Corrective
Answers: D, E

IDS is a detective control.

Why this answer

IDS detects ongoing attacks (detective), backup restoration helps recover after an incident (corrective).

Question 16 · MCQ · medium

During an IT risk assessment, the risk owner identifies a high inherent risk for a legacy system. After implementing a firewall and intrusion detection system, the residual risk is calculated. Which of the following best describes residual risk?

A. The risk level before any controls are implemented
B. The risk level after considering control effectiveness
C. The risk that is transferred to a third party
D. The risk that is accepted without action
Answer: B

Residual risk is inherent risk adjusted for control effectiveness.

Why this answer

Residual risk is the level of risk that remains after controls have been implemented and their effectiveness has been factored in. In this scenario, the firewall and intrusion detection system are controls that reduce the inherent risk, but some risk (e.g., from zero-day exploits or misconfigurations) will persist, which is the residual risk.

Exam trap

The trap here is confusing residual risk with inherent risk (Option A) or with risk response strategies like transfer (Option C) or acceptance (Option D), rather than recognizing it as the risk remaining after control implementation.

How to eliminate wrong answers

Option A is wrong because it describes inherent risk, which is the risk level before any controls are implemented, not after. Option C is wrong because it describes risk transfer (e.g., via insurance or outsourcing), which is a risk response strategy, not the remaining risk after controls. Option D is wrong because it describes risk acceptance, which is a decision to tolerate the residual risk without further action, not the residual risk itself.

Question 17 · Multi-Select · hard

An organization is performing a quantitative risk analysis using the FAIR framework. Which THREE of the following are direct components of the FAIR model?

Select 3 answers
A. Single Loss Expectancy
B. Loss Event Frequency
C. Threat Event Frequency
D. Annualized Loss Expectancy
E. Vulnerability
Answers: B, C, E

LEF is a primary component in FAIR.

Why this answer

FAIR components include Loss Event Frequency (LEF), Threat Event Frequency (TEF), Vulnerability, and Loss Magnitude. Annualized Loss Expectancy (ALE) is a derived metric, not a direct component. Single Loss Expectancy is a component of ALE but not a separate FAIR component.

Question 18 · MCQ · easy

During an IT risk assessment, the risk owner decides to accept a risk that falls within the organization's risk appetite. Which of the following actions is most appropriate for the risk owner to take?

A. Document the risk and obtain formal sign-off from the risk owner.
B. Eliminate the business process that creates the risk.
C. Transfer the risk to a third party via insurance.
D. Implement additional controls to reduce the risk to zero.
Answer: A

Correct. Acceptance requires documentation and sign-off.

Why this answer

When a risk falls within the organization's risk appetite, the most appropriate action is to formally accept it. The risk owner must document the risk and obtain formal sign-off to ensure accountability and auditability, as required by the risk management framework. This aligns with the principle that risks within appetite do not require additional treatment beyond formal acceptance.

Exam trap

The trap here is that candidates often confuse risk acceptance with risk treatment, assuming that any risk must be mitigated or transferred, but the CRISC exam emphasizes that risks within appetite can be formally accepted without further action.

How to eliminate wrong answers

Option B is wrong because eliminating the business process that creates the risk is a risk avoidance strategy, which is excessive and unnecessary when the risk is within the organization's risk appetite. Option C is wrong because transferring the risk via insurance is a risk treatment option typically reserved for risks that exceed the risk appetite or tolerance, not for those already within acceptable levels. Option D is wrong because implementing additional controls to reduce the risk to zero is impractical and violates the concept of residual risk; risk can rarely be reduced to zero, and doing so would be cost-prohibitive and unnecessary for an accepted risk.

Question 19 · MCQ · easy

Which type of control is designed to reduce the likelihood of a risk event occurring?

A. Corrective
B. Compensating
C. Preventive
D. Detective
Answer: C

Preventive controls reduce the likelihood of occurrence.

Why this answer

Preventive controls are designed to stop a risk event from occurring in the first place. For example, implementing a firewall rule to block unauthorized inbound traffic reduces the likelihood of a network intrusion. This aligns with the CRISC definition of preventive controls as proactive measures that reduce the probability of a risk scenario.

Exam trap

The trap here is that candidates often confuse preventive controls with detective controls, mistakenly thinking that monitoring or alerting (detective) reduces the likelihood of an event, when in fact it only reduces the impact or detection time after the event has occurred.

How to eliminate wrong answers

Option A is wrong because corrective controls are designed to remediate or restore operations after a risk event has occurred, such as restoring data from backup after a ransomware attack, not to reduce the likelihood of the event. Option B is wrong because compensating controls are alternative measures that provide equivalent protection when a primary control is not feasible, such as using additional logging when encryption cannot be applied, but they do not directly reduce the likelihood of the original risk event. Option D is wrong because detective controls are designed to identify and report risk events after they have happened, such as intrusion detection systems (IDS) that alert on malicious traffic, not to prevent the event from occurring.

Question 20 · Multi-Select · medium

A risk assessment identifies that a critical application has a vulnerability with a high likelihood of exploitation. The risk owner proposes to implement a web application firewall (WAF) as a mitigating control. Which TWO of the following are likely benefits of this control?

Select 2 answers
A. Reduces the likelihood of successful exploitation
B. Transfers the risk to the vendor
C. Eliminates the need for other controls
D. Eliminates all residual risk
E. Provides detective capabilities by logging blocked attacks
Answers: A, E

WAF blocks malicious traffic, reducing likelihood.

Why this answer

A WAF reduces the likelihood of successful exploitation by inspecting and filtering HTTP/HTTPS traffic for common attack patterns such as SQL injection and cross-site scripting (XSS). It blocks malicious payloads before they reach the application, directly lowering the probability that a vulnerability will be exploited. This aligns with the risk mitigation strategy of reducing threat exposure.

Exam trap

Cisco often tests the misconception that a WAF is a silver bullet that eliminates all risk or replaces other controls, when in fact it is a layered defense that reduces likelihood but does not transfer, eliminate, or remove the need for complementary security measures.

Question 21 · MCQ · hard

An organization is considering outsourcing its payroll processing to a third party. The risk assessment shows that the inherent risk of payroll errors is high, but the vendor contract includes liability clauses and the organization obtains cyber insurance. This risk treatment is best described as:

A. Risk transfer
B. Risk acceptance
C. Risk mitigation
D. Risk avoidance
Answer: A

Outsourcing and insurance are examples of risk transfer.

Why this answer

Transfer involves shifting risk to a third party, such as through outsourcing with contractual liability transfer and insurance.

Question 22 · Multi-Select · medium

A company is considering risk transfer for a new IT project. Which TWO options represent valid risk transfer mechanisms? (Select TWO)

Select 2 answers
A. Accepting the risk with sign-off
B. Purchasing cyber insurance
C. Implementing access controls
D. Discontinuing the project
E. Outsourcing with liability clauses
Answers: B, E

Insurance transfers financial risk.

Why this answer

Cyber insurance and outsourcing with contractual liability transfer are classic examples of risk transfer. Accepting, avoiding, and mitigating are not transfer.

Question 23 · MCQ · medium

A company is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, and the vulnerability is 0.2. The primary loss per event is $50,000 and secondary loss is $20,000. What is the annualized loss expectancy (ALE)?

A. $100,000
B. $140,000
C. $70,000
D. $1,400,000
Answer: B

ALE = TEF × V × (primary loss + secondary loss) = 10 × 0.2 × $70,000 = $140,000.

Why this answer

The annualized loss expectancy (ALE) is calculated as threat event frequency (TEF) × vulnerability (V) × loss per event. Here, TEF = 10, V = 0.2, primary loss = $50,000, secondary loss = $20,000, so total loss per event = $70,000. ALE = 10 × 0.2 × $70,000 = 10 × $14,000 = $140,000, making option B correct.

Exam trap

Cisco often tests the candidate's ability to correctly apply the FAIR formula by including both primary and secondary losses, and the trap here is that candidates forget to multiply by vulnerability or omit secondary loss, leading to options A or C.

How to eliminate wrong answers

Option A is wrong because it uses only the primary loss ($50,000) and ignores the secondary loss ($20,000), giving 10 × 0.2 × $50,000 = $100,000. Option C is wrong because $70,000 is only the total loss per event (primary plus secondary); it has not been multiplied by TEF and vulnerability, so it is a per-event figure, not an annualized one. Option D is wrong because it multiplies TEF (10) by the total loss per event ($70,000) without applying vulnerability (0.2), giving $700,000, and then doubles that figure or misplaces a decimal to reach $1,400,000.

Question 24 · MCQ · easy

A risk practitioner is using a 5×5 heat map to assess IT risks. Which of the following is the primary advantage of this qualitative approach?

A. Produces financially meaningful loss estimates
B. Requires less data and time to implement
C. Provides objective and comparable risk scores across organizations
D. Eliminates subjectivity in risk ratings
Answer: B

Qualitative methods like heat maps are quick and require less data compared to quantitative methods.

Why this answer

A 5×5 heat map is a qualitative risk assessment tool that uses ordinal scales (e.g., low, medium, high) for likelihood and impact. Its primary advantage is that it requires less data and time to implement compared to quantitative methods, which demand detailed financial data and complex calculations. This makes it practical for rapid, high-level IT risk prioritization when precise data is unavailable.

Exam trap

The trap here is that candidates often confuse 'qualitative' with 'objective' or 'comparable,' but qualitative methods are inherently subjective and context-dependent, unlike quantitative methods that produce numeric, comparable outputs.

How to eliminate wrong answers

Option A is wrong because qualitative heat maps do not produce financially meaningful loss estimates; they use subjective ordinal scales (e.g., 'high impact') rather than monetary values, which is a key limitation. Option C is wrong because qualitative scores are subjective and depend on the assessor's judgment, making them not objectively comparable across different organizations or even different teams within the same organization. Option D is wrong because the approach does not eliminate subjectivity; in fact, it relies on expert judgment to assign ratings, which introduces inherent bias and variability.

Question 25 · Multi-Select · hard

A risk assessment identifies a threat with high likelihood and high impact. The risk owner proposes transferring the risk via cyber insurance. However, the insurance policy has a high deductible and excludes certain attack types. Which THREE of the following should be considered when evaluating the effectiveness of this risk transfer?

Select 3 answers
A. The impact of the risk on operational productivity
B. The likelihood of the threat event occurring
C. The cost of the insurance premium relative to the expected loss
D. The residual risk after insurance is applied
E. The extent of coverage and exclusions in the policy
Answers: C, D, E

Cost-benefit analysis ensures the transfer is economically justified.

Why this answer

Risk transfer effectiveness depends on policy coverage, residual risk after transfer, and cost-benefit. Likelihood reduction is not directly applicable as transfer does not reduce likelihood.

Question 26 · MCQ · medium

An organization identifies a risk that is within its risk appetite. The risk owner decides to formally document the risk and accept it without implementing additional controls. Which of the following is required for this risk acceptance?

A. Avoidance of the business process
B. Transfer of risk to an insurance provider
C. Formal sign-off by the risk owner
D. Implementation of compensating controls
Answer: C

Acceptance requires documented acknowledgment and approval from the risk owner.

Why this answer

Acceptance requires formal documentation and sign-off by the risk owner, acknowledging the risk within appetite.

Question 27 · Multi-Select · medium

An organization is assessing control effectiveness for a key process. Which TWO aspects should be evaluated to determine if a control is effective?

Select 2 answers
A. Operating effectiveness
B. Compliance with industry standards
C. Number of control owners
D. Design adequacy
E. Cost of implementation
Answers: A, D

The control must operate as designed in practice.

Why this answer

Control effectiveness is assessed based on design adequacy (whether the control is properly designed) and operating effectiveness (whether it works as intended).

Question 28 · MCQ · hard

An organization is assessing the risk of a ransomware attack. The threat actor capability is high, but vulnerability is low due to strong patching. However, the business impact is severe. According to FAIR, which factor most directly influences Loss Event Frequency (LEF)?

A. Vulnerability severity
B. Threat actor capability and motivation
C. Control effectiveness
D. Business impact severity
Answer: A

Vulnerability directly multiplies TEF to determine LEF.

Why this answer

In FAIR, Loss Event Frequency (LEF) is directly influenced by the probability that a threat actor will successfully exploit a vulnerability. Vulnerability severity (how easily a vulnerability can be exploited) is a key component of the 'Vulnerability' factor in FAIR's decomposition, which feeds into LEF. Even with high threat capability and severe impact, if vulnerability is low (strong patching), LEF remains low because the attack is unlikely to succeed.

Exam trap

Cisco often tests the distinction between factors that affect LEF (vulnerability and threat event frequency) versus factors that affect loss magnitude (impact), so candidates mistakenly pick 'business impact severity' because it seems most urgent, but it does not influence how often an attack succeeds.

How to eliminate wrong answers

Option B is wrong because threat actor capability and motivation influence the 'Threat Event Frequency' (TEF), not directly LEF; LEF is the product of TEF and the probability of successful exploitation (vulnerability). Option C is wrong because control effectiveness is an input that reduces either vulnerability or threat frequency, but it is not the direct factor; FAIR decomposes LEF into 'Threat Event Frequency' and 'Vulnerability' (which includes control strength). Option D is wrong because business impact severity influences 'Loss Magnitude', not LEF; LEF is about how often losses occur, not their size.

Question 29 · MCQ · medium

In qualitative risk analysis, a risk with a likelihood rating of 'High' and an impact rating of 'High' on a 5×5 heat map would typically be classified as:

A. High
B. Low
C. Critical
D. Medium
Answer: C

The highest combination is often labeled critical.

Why this answer

A 5×5 heat map often uses 'Critical' for the highest risk level (5×5).

Question 30 · MCQ · medium

An organization is evaluating risks and decides to purchase cyber insurance to cover potential financial losses from data breaches. Which risk treatment option does this represent?

A. Transfer
B. Accept
C. Mitigate
D. Avoid
Answer: A

Insurance transfers financial risk to the insurer.

Why this answer

Transfer involves shifting risk to a third party, such as through insurance or outsourcing with liability transfer.

Question 31 · MCQ · easy

A risk manager uses a 5×5 heat map to plot the likelihood and impact of identified risks. This approach is an example of which type of risk analysis?

A. Qualitative risk analysis
B. Quantitative risk analysis
C. Hybrid risk analysis
D. Semi-quantitative risk analysis
Answer: A

A 5×5 heat map is a standard tool for qualitative risk analysis, using subjective ratings for likelihood and impact.

Why this answer

A 5×5 heat map is a qualitative risk analysis technique that uses ordinal scales for likelihood and impact to derive risk ratings.

Question 32 · MCQ · hard

During a quantitative risk analysis, the risk team calculates the loss event frequency (LEF) using the FAIR framework. If the threat event frequency (TEF) is 10 per year and the vulnerability (V) is 0.3, what is the LEF?

A. 10.3 per year
B. 30 per year
C. 0.3 per year
D. 3 per year
Answer: D

Correct: LEF = TEF × Vulnerability = 10 × 0.3 = 3.

Why this answer

In the FAIR framework, loss event frequency (LEF) is calculated as the product of threat event frequency (TEF) and vulnerability (V). Given TEF = 10 per year and V = 0.3, LEF = 10 × 0.3 = 3 per year. This represents the expected number of loss events per year, accounting for the probability that a threat event will actually result in a loss.

Exam trap

The trap here is that candidates may confuse the multiplicative relationship in FAIR with additive or divisive operations, or mistakenly treat vulnerability as the final frequency rather than a probability multiplier.

How to eliminate wrong answers

Option A is wrong because 10.3 per year results from adding TEF and V (10 + 0.3), but LEF is a product, not a sum. Option B is wrong because 30 per year does not follow from the formula either: dividing TEF by V gives about 33.3 (10 / 0.3), and multiplying by the reciprocal of V likewise misapplies FAIR, which uses V as a probability multiplier. Option C is wrong because 0.3 per year treats V as the LEF itself, ignoring TEF entirely; LEF must incorporate both TEF and V multiplicatively.

Question 33 · MCQ · hard

An organization has an inherent risk score of 20 for a process. After controls, the residual risk score is 8. If the control design is assessed as adequate but operating effectiveness is only 60%, what is the control effectiveness adjustment?

A. The controls reduce risk by 20%
B. The controls have no effect
C. The controls reduce risk by 60%
D. The controls reduce risk by 40%
Answer: C

Residual risk is 40% of inherent, so reduction is 60%.

Why this answer

The inherent risk score is 20, and the residual risk score is 8, meaning controls reduce risk by 12 points (20 – 8 = 12). This reduction of 12 out of 20 equals a 60% reduction (12/20 = 0.60). The control design is adequate, but operating effectiveness is only 60%, so the actual risk reduction achieved matches the operating effectiveness percentage.

Thus, the control effectiveness adjustment is 60%.

Exam trap

The trap here is that candidates often confuse the absolute risk reduction (12 points) with the percentage reduction relative to inherent risk, or mistakenly use the control effectiveness percentage (60%) as a multiplier on the residual risk instead of the reduction.

How to eliminate wrong answers

Option A is wrong because a 20% reduction would yield a residual risk of 16 (20 * 0.8 = 16), not 8. Option B is wrong because if controls had no effect, residual risk would equal inherent risk (20), not 8. Option D is wrong because a 40% reduction would give a residual risk of 12 (20 * 0.6 = 12), not 8; the actual reduction is 60% as calculated.

Question 34 · Multi-Select · medium

A risk assessment team is prioritizing risks for treatment using inherent risk ratings. Which TWO factors should be considered when deciding which risks to treat first?

Select 2 answers
A. The asset's replacement value
B. Cost-benefit analysis of potential controls
C. Risk ranking by inherent risk score
D. The risk owner's department budget
E. The number of controls already in place
Answers: B, C

Treatment should be cost-effective relative to risk reduction.

Why this answer

Risk ranking by inherent risk score and cost-benefit analysis of controls are key factors in prioritization.

35
MCQhard

After implementing a set of controls for a critical risk, the residual risk is calculated. The risk owner argues that the residual risk remains high and requires further treatment. Which of the following BEST describes the relationship between inherent risk, control effectiveness, and residual risk?

A.Residual risk = Inherent risk + Control effectiveness
B.Residual risk = Inherent risk - Control effectiveness
C.Residual risk = Inherent risk × (1 - Control effectiveness)
D.Residual risk = Inherent risk / Control effectiveness
AnswerC

This formula correctly represents that controls reduce inherent risk by their effectiveness.

Why this answer

Option C is correct because residual risk is calculated by applying control effectiveness as a percentage reduction to inherent risk. This is the standard formula used in risk management frameworks: Residual Risk = Inherent Risk × (1 - Control Effectiveness). If control effectiveness is 0.8 (80%), then only 20% of the inherent risk remains, reflecting the portion not mitigated by controls.

Exam trap

Cisco often tests the misconception that residual risk is a simple subtraction (inherent risk minus control effectiveness), but the correct relationship is multiplicative because controls reduce risk proportionally, not by a fixed amount.

How to eliminate wrong answers

Option A is wrong because adding control effectiveness to inherent risk would increase the risk, which contradicts the purpose of controls to reduce risk. Option B is wrong because subtracting control effectiveness (a percentage) from inherent risk (a value) is mathematically invalid and does not represent a proportional reduction. Option D is wrong because dividing inherent risk by control effectiveness would increase the residual risk when control effectiveness is less than 1, which is the opposite of the intended effect.

36
MCQeasy

Which of the following best describes residual risk?

A.Risk that is transferred to a third party
B.Risk that is avoided by eliminating the activity
C.Risk without any controls in place
D.Risk after assessing control effectiveness
AnswerD

Residual risk is inherent risk adjusted for controls.

Why this answer

Residual risk is the risk that remains after management has implemented risk responses and assessed the effectiveness of existing controls. It is calculated by considering the inherent risk (risk without controls) and the risk reduction provided by controls, factoring in control gaps or weaknesses. Option D correctly captures this definition by emphasizing the assessment of control effectiveness.

Exam trap

The trap here is confusing inherent risk (risk with no controls) with residual risk (risk after controls), leading candidates to incorrectly select Option C, especially when the question emphasizes 'risk assessment' without explicitly mentioning control evaluation.

How to eliminate wrong answers

Option A is wrong because transferring risk to a third party (e.g., via insurance or outsourcing) is a risk response strategy, not a measure of remaining risk after controls. Option B is wrong because avoiding risk by eliminating the activity is another risk response (risk avoidance), not the residual risk that persists after controls are applied. Option C is wrong because risk without any controls in place is defined as inherent risk, not residual risk; residual risk explicitly accounts for controls that are in place and their effectiveness.

37
MCQeasy

Which risk treatment option involves eliminating the activity that creates the risk?

A.Accept
B.Avoid
C.Transfer
D.Mitigate
AnswerB

Avoidance eliminates the risk by discontinuing the activity.

Why this answer

Risk avoidance means stopping the activity that introduces the risk.

38
MCQmedium

A risk assessment identifies a high-likelihood, high-impact risk associated with a legacy system. The business owner decides to decommission the system to eliminate the risk. Which risk treatment option is being applied?

A.Mitigate
B.Accept
C.Transfer
D.Avoid
AnswerD

By decommissioning the system, the organization avoids the risk entirely.

Why this answer

Avoidance involves eliminating the activity that creates the risk, such as decommissioning a system.

39
MCQhard

In the FAIR model, 'Loss Event Frequency' is calculated as:

A.Threat Event Frequency × Asset Value
B.Threat Event Frequency × Vulnerability
C.Threat Event Frequency × Loss Magnitude
D.Annualized Rate of Occurrence × Single Loss Expectancy
AnswerB

Correct; LEF = TEF × V.

Why this answer

In the FAIR model, Loss Event Frequency (LEF) is the product of Threat Event Frequency (TEF) and Vulnerability (Vuln). This represents how often a threat agent successfully exploits a weakness, making option B correct. The formula is LEF = TEF × Vuln, where Vulnerability is the probability that a threat event will result in a loss.

Exam trap

The trap here is that candidates confuse the FAIR model's Loss Event Frequency with the traditional quantitative risk formula ARO × SLE, leading them to select option D, but FAIR separates frequency from magnitude and uses Vulnerability as a probability factor rather than a direct loss value.

How to eliminate wrong answers

Option A is wrong because Asset Value is used in calculating Loss Magnitude, not Loss Event Frequency; multiplying Threat Event Frequency by Asset Value conflates frequency with impact. Option C is wrong because Loss Magnitude is a separate component in the FAIR model used to derive risk, not a factor in Loss Event Frequency; multiplying TEF by Loss Magnitude would incorrectly combine frequency and impact into a single metric. Option D is wrong because Annualized Rate of Occurrence (ARO) × Single Loss Expectancy (SLE) is the formula for Annualized Loss Expectancy (ALE) in quantitative risk analysis, not Loss Event Frequency in FAIR.

40
MCQhard

An organization uses the FAIR framework to assess the risk of a data breach. The risk analyst estimates that the Threat Event Frequency (TEF) is 10 per year, the Vulnerability (V) is 0.2, the Primary Loss per event is $50,000, and the Secondary Loss per event is $30,000. What is the Annualized Loss Expectancy (ALE)?

A.$100,000
B.$800,000
C.$160,000
D.$80,000
AnswerC

Correct calculation: LEF=2, LM=$80,000, ALE=$160,000.

Why this answer

ALE = LEF × LM. LEF = TEF × V = 10 × 0.2 = 2. LM = Primary Loss + Secondary Loss = $50,000 + $30,000 = $80,000.

ALE = 2 × $80,000 = $160,000.
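The FAIR and residual-risk arithmetic that questions 33, 35, 39 and 40 rely on, as an added worked example that is not part of the original question bank. It implements LEF = TEF × Vuln, LM = Primary + Secondary (the simplification this page uses), ALE = LEF × LM and Residual = Inherent × (1 − CE), plus the inverse that recovers control effectiveness from an inherent and a residual score. The function names, the input checks and the before/after patching comparison are my own assumptions, not FAIR terminology.

```python
"""Worked FAIR / residual-risk arithmetic for the questions above.

Added example, not code from the original question bank. Loss magnitude is
taken as Primary + Secondary because that is how this page states it; a full
FAIR analysis weights secondary loss by its probability, which is omitted here.
"""
import math


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """LEF = TEF x Vuln. Vulnerability is the probability (0..1) that a
    threat event turns into a loss event, so it scales TEF; it is never added."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability must be a probability between 0 and 1")
    if tef < 0:
        raise ValueError("threat event frequency cannot be negative")
    return tef * vulnerability


def loss_magnitude(primary: float, secondary: float = 0.0) -> float:
    """LM = Primary loss + Secondary loss per event (page simplification)."""
    return primary + secondary


def annualized_loss_expectancy(tef: float, vulnerability: float,
                               primary: float, secondary: float = 0.0) -> float:
    """ALE = LEF x LM, i.e. expected loss per year."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude(primary, secondary)


def ale_from_sle_aro(sle: float, aro: float) -> float:
    """Classic quantitative form ALE = SLE x ARO (question 42)."""
    return sle * aro


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Residual = Inherent x (1 - CE); CE is the fraction of risk removed,
    so the relationship is multiplicative, not a subtraction (question 35)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent * (1.0 - control_effectiveness)


def control_effectiveness(inherent: float, residual: float) -> float:
    """Inverse of residual_risk: fraction of inherent risk the controls removed
    (question 33: 20 -> 8 gives 0.6, not the 12-point absolute drop)."""
    if inherent <= 0:
        raise ValueError("inherent risk must be positive")
    if not 0.0 <= residual <= inherent:
        raise ValueError("residual risk must lie between 0 and inherent risk")
    return 1.0 - residual / inherent


def annual_net_benefit(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Assumed helper for the cost-benefit view: yearly loss avoided by a control
    minus its yearly cost. Negative means the control costs more than it saves."""
    return (ale_before - ale_after) - control_cost


if __name__ == "__main__":
    # Question 40 figures: TEF 10/yr, Vuln 0.2, primary $50k, secondary $30k.
    ale = annualized_loss_expectancy(10, 0.2, 50_000, 30_000)
    print(f"LEF = {loss_event_frequency(10, 0.2):.1f}/yr, ALE = ${ale:,.0f}")
    # Question 33 figures: inherent 20, residual 8.
    print(f"Control effectiveness = {control_effectiveness(20, 8):.0%}")
    # Constructed what-if: a patch that cuts Vuln from 0.2 to 0.02 and costs
    # $20,000/yr (both values are assumptions, not from the page).
    patched = annualized_loss_expectancy(10, 0.02, 50_000, 30_000)
    print(f"Net benefit of patching = ${annual_net_benefit(ale, patched, 20_000):,.0f}")
```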

41
Multi-Selecthard

An organization is conducting a risk assessment and finds that the inherent risk for a critical asset is very high due to a high threat event frequency and high vulnerability. The current controls are assessed as adequate in design but not operating effectively. Which THREE of the following should be considered when calculating residual risk?

Select 3 answers
A.Inherent risk score
B.Control design adequacy
C.Cost-benefit analysis of controls
D.Control operating effectiveness
E.Risk appetite statement
AnswersA, B, D

Residual risk is based on inherent risk reduced by controls.

Why this answer

Inherent risk score (A) is correct because residual risk is calculated by considering the inherent risk level and the effectiveness of controls in reducing that risk. Since the inherent risk is very high due to high threat frequency and vulnerability, this baseline score must be factored into the residual risk calculation to determine the remaining risk after controls are applied.

Exam trap

The trap here is that candidates often confuse risk appetite (E) as a direct input to residual risk calculation, when it is actually a threshold for evaluating residual risk, not a component of its calculation.

42
MCQmedium

An organization uses the FAIR framework to calculate annualized loss expectancy (ALE) for a specific risk. Given that the single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 0.2, what is the ALE?

A.$250,000
B.$100,000
C.$10,000
D.$50,000
AnswerC

Correctly calculated: $50,000 × 0.2 = $10,000.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Given SLE = $50,000 and ARO = 0.2, the ALE is $50,000 × 0.2 = $10,000. This aligns with the FAIR framework's quantitative risk analysis formula.

Exam trap

The trap here is that candidates often confuse the ALE formula with the SLE formula or misplace the decimal point in ARO (0.2 vs. 2.0), leading to inflated values like $100,000 or $250,000.

How to eliminate wrong answers

Option A ($250,000) is wrong because it incorrectly divides SLE by ARO ($50,000 / 0.2) instead of multiplying, a common arithmetic reversal. Option B ($100,000) is wrong because it multiplies SLE by 2 (a misinterpretation of ARO as 2.0) rather than by the correct factor of 0.2. Option D ($50,000) is wrong because it assumes ARO = 1.0, ignoring the given 0.2 frequency and treating the loss as occurring once per year.

43
Multi-Selecthard

Which TWO of the following are considered direct costs in the financial impact assessment of a risk event?

Select 2 answers
A.Increased insurance premium
B.Reputation loss
C.Incident response team expenses
D.Lost business opportunities
E.Customer notification costs
AnswersC, E

Direct cost.

Why this answer

Incident response team expenses (C) are direct costs because they are immediate, quantifiable outlays incurred specifically to respond to and mitigate a risk event. Similarly, customer notification costs (E) are direct costs as they represent mandatory, traceable expenditures for informing affected parties, often required by regulations like GDPR or HIPAA. These costs are directly attributable to the incident and can be precisely measured.

Exam trap

The trap here is that candidates often confuse indirect costs (like reputation loss or increased premiums) with direct costs, failing to recognize that direct costs must be immediate, quantifiable, and directly attributable to the incident response activities.

44
MCQeasy

A risk manager is using a 5x5 heat map to assess IT risks. Which of the following best describes the primary limitation of this qualitative risk analysis approach?

A.It requires extensive historical data to be accurate.
B.It is time-consuming and complex to implement.
C.It is subjective and not comparable across organizations.
D.It provides objective, financially meaningful results.
AnswerC

Correct. The subjective nature limits comparability.

Why this answer

Qualitative risk analysis using heat maps is subjective and results are not comparable across different organizations due to varying risk appetites and cultural interpretations.

45
MCQmedium

Which of the following best describes the primary limitation of qualitative risk analysis?

A.It requires extensive historical data
B.It is subjective and not comparable across organizations
C.It cannot produce financial loss estimates
D.It is time-consuming and complex
AnswerB

Subjectivity and lack of comparability are key limitations.

Why this answer

Qualitative analysis is subjective and relies on ordinal scales, making results not directly comparable across different organizations.

46
Multi-Selecthard

A quantitative risk analysis using FAIR requires estimating which THREE primary factors?

Select 3 answers
A.Risk appetite
B.Vulnerability
C.Loss magnitude
D.Threat event frequency
E.Control cost
AnswersB, C, D

Correct; vulnerability is the probability that a threat can exploit the weakness.

Why this answer

FAIR decomposes risk into threat event frequency, vulnerability, and loss magnitude. These are the main input factors for calculating risk.

47
MCQmedium

When prioritizing risk treatment actions, which of the following should be the primary consideration?

A.Ease of implementation
B.Compliance requirements only
C.Risk level and cost-benefit analysis
D.Risk owner preference
AnswerC

High-risk items with favorable cost-benefit should be prioritized.

Why this answer

Prioritization should be based on the risk level (score) and the cost-benefit analysis of controls to ensure efficient resource allocation.

48
Multi-Selectmedium

A risk analyst is assessing the impact of a potential ransomware attack. Which THREE categories of business impact should be considered?

Select 3 answers
A.Geographic diversity
B.Operational downtime
C.Financial losses (direct and indirect)
D.Technical complexity
E.Regulatory fines
AnswersB, C, E

Correct; operational impact affects productivity.

Why this answer

Operational downtime (B) is a direct consequence of a ransomware attack, as encryption of critical systems halts business processes, leading to lost productivity and revenue. This category is essential for impact assessment because it quantifies the duration and scope of service disruption, which directly affects operational continuity.

Exam trap

The trap here is confusing risk factors (like technical complexity or geographic diversity) with impact categories, leading candidates to select options that describe the attack's nature or mitigation rather than its direct business consequences.

49
MCQeasy

Which of the following is an example of a detective control in IT risk management?

B.Data encryption
C.Backup restoration
D.Intrusion Detection System (IDS)
AnswerD

Correct. IDS detects intrusions after they occur.

Why this answer

Detective controls identify risk events after they occur. Intrusion Detection Systems (IDS) monitor network traffic to detect malicious activity.

50
MCQmedium

A risk manager decides to accept a risk because the cost of controls exceeds the potential loss. Which of the following is required for this risk treatment option?

A.Elimination of the business process
B.Transfer of risk via insurance
C.Implementation of compensating controls
D.Formal sign-off by the risk owner
AnswerD

Acceptance requires documented acceptance by the risk owner.

Why this answer

When a risk manager decides to accept a risk because the cost of controls exceeds the potential loss, the risk treatment option is risk acceptance. This requires formal acknowledgment and sign-off by the risk owner, who is accountable for the risk and must document the decision, typically in a risk register, to ensure governance and auditability.

Exam trap

The trap here is that candidates confuse risk acceptance with risk mitigation or transfer, assuming that any decision involving cost analysis must lead to controls or insurance, but the question explicitly states the cost of controls exceeds the potential loss, making formal acceptance the correct treatment option.

How to eliminate wrong answers

Option A is wrong because elimination of the business process is a risk avoidance strategy, not acceptance; it would remove the risk entirely by discontinuing the activity, which is a different treatment option. Option B is wrong because transfer of risk via insurance shifts the financial impact to a third party, but the question specifies acceptance due to cost-benefit analysis, not transfer. Option C is wrong because implementation of compensating controls is a risk mitigation strategy that reduces risk to an acceptable level, whereas acceptance involves no additional controls and relies on the existing risk level being tolerated.

51
Multi-Selecteasy

In a qualitative risk assessment, which TWO elements are typically used to determine the risk rating?

Select 2 answers
A.Likelihood
B.Impact
C.Risk appetite
D.Cost of mitigation
E.Control effectiveness
AnswersA, B

Likelihood is one dimension of risk.

Why this answer

In a qualitative risk assessment, risk rating is determined by combining the likelihood of a threat occurring with the impact of that threat on business objectives. Likelihood (A) and impact (B) are the two fundamental elements used in a risk matrix to assign a qualitative rating such as high, medium, or low. This approach relies on subjective judgment rather than numerical data, making it suitable for scenarios where precise quantification is not feasible.

Exam trap

The trap here is that candidates often confuse the inputs for inherent risk rating (likelihood and impact) with factors used in residual risk calculation or risk treatment decisions, such as control effectiveness or cost of mitigation.

52
MCQmedium

In a qualitative risk assessment, a risk owner argues that the likelihood of a cyberattack is low because the organization has strong perimeter defenses. However, the analyst notes that the impact would be catastrophic. Which limitation of qualitative analysis is most relevant?

A.It relies on subjective judgments
B.It is not comparable across organizations
C.It is time-consuming and data-intensive
D.It does not produce financial values
AnswerA

Correct; subjective interpretation of likelihood and impact can vary.

Why this answer

Qualitative analysis is subjective; different stakeholders may interpret likelihood and impact differently based on their perspectives. The risk owner's judgment may be biased by existing controls.

53
Multi-Selectmedium

An organization is evaluating risk treatment options for a critical vulnerability. Which TWO options would be considered risk mitigation?

Select 2 answers
A.Purchase cyber insurance
B.Accept the risk with formal sign-off
C.Discontinue the vulnerable service
E.Implement a security patch
AnswersD, E

An IPS reduces the likelihood of a successful attack.

Why this answer

Deploying an intrusion prevention system (IPS) is a risk mitigation measure because it actively monitors and blocks malicious traffic targeting the vulnerability, reducing the likelihood of exploitation. Implementing a security patch directly removes the vulnerability, thereby reducing both the likelihood and impact of a potential attack. Both actions modify the risk by applying technical controls to lower the residual risk level.

Exam trap

The trap here is confusing risk mitigation (reducing likelihood/impact through controls) with risk transfer (insurance), risk acceptance (formal sign-off), or risk avoidance (discontinuing the service), which are distinct treatment options in the CRISC risk response framework.

54
MCQeasy

Which risk treatment option is being used when an organization decides to stop a business activity that creates a high-risk exposure?

A.Avoid
B.Accept
C.Mitigate
D.Transfer
AnswerA

Correct; avoidance eliminates the risk by discontinuing the activity.

Why this answer

When an organization stops a business activity that creates high-risk exposure, it is applying the risk avoidance treatment option. This is a deliberate decision to eliminate the risk entirely by discontinuing the associated process, system, or operation, rather than attempting to reduce or transfer the residual risk. In IT risk management, avoidance is often chosen when the cost or impact of mitigation exceeds the benefit of the activity, or when the risk level is intolerable under any control scenario.

Exam trap

The trap here is that candidates often confuse 'avoid' with 'mitigate,' thinking that any action to reduce risk is avoidance, but CRISC specifically tests that avoidance means completely eliminating the risk by discontinuing the activity, not just applying controls to lower it.

How to eliminate wrong answers

Option B (Accept) is wrong because risk acceptance involves acknowledging the risk and its potential impact without taking action to reduce it, which is the opposite of stopping the activity. Option C (Mitigate) is wrong because mitigation involves implementing controls to reduce the likelihood or impact of the risk while continuing the activity, not ceasing it entirely. Option D (Transfer) is wrong because risk transfer shifts the financial burden of the risk to a third party (e.g., via insurance or outsourcing) but does not stop the underlying business activity or eliminate the operational exposure.

55
MCQmedium

An organization is considering purchasing cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

A.Accept
B.Transfer
C.Avoid
D.Mitigate
AnswerB

Correct; insurance transfers financial risk to the insurer.

Why this answer

Transferring risk to a third party, such as an insurance company, is a risk transfer strategy. The insurance company assumes the financial risk in exchange for premiums.

56
MCQeasy

An organization is evaluating the risk of a data breach using the FAIR framework. Which of the following components is part of Loss Event Frequency (LEF)?

A.Threat Event Frequency
B.Annualized Loss Expectancy
C.Primary Loss
D.Secondary Loss
AnswerA

Threat Event Frequency is a factor in LEF.

Why this answer

In FAIR, Loss Event Frequency = Threat Event Frequency × Vulnerability.

57
MCQmedium

During an IT risk assessment, the risk team calculates the Annualized Loss Expectancy (ALE) for a critical application. Which quantitative risk analysis framework is most commonly used for this calculation?

A.NIST SP 800-30
B.FAIR
C.ISO 31000
D.COBIT 5
AnswerB

FAIR is a quantitative framework that models risk as a function of Loss Event Frequency and Loss Magnitude, used to compute ALE.

Why this answer

The Factor Analysis of Information Risk (FAIR) framework is the most commonly used quantitative risk analysis framework for calculating Annualized Loss Expectancy (ALE) because it provides a structured, probabilistic approach to decompose risk into loss event frequency and loss magnitude. Unlike qualitative frameworks, FAIR enables precise ALE computation by modeling threat event frequency, vulnerability, and probable loss, making it the standard for quantitative IT risk assessments in the CRISC domain.

Exam trap

The trap here is that candidates often confuse NIST SP 800-30 as the standard for quantitative ALE calculation because it is widely used for risk assessments, but it is primarily qualitative and does not provide the specific quantitative decomposition that FAIR does.

How to eliminate wrong answers

Option A is wrong because NIST SP 800-30 is primarily a qualitative risk assessment framework that provides guidelines for conducting risk assessments but does not define the specific quantitative formulas (like ALE = SLE × ARO) or the probabilistic decomposition required for ALE calculation. Option C is wrong because ISO 31000 is a generic risk management standard that outlines principles and processes for any organization, but it does not prescribe a specific quantitative methodology or formula for calculating ALE. Option D is wrong because COBIT 5 is a governance and management framework for enterprise IT that focuses on control objectives and process maturity, not on quantitative risk analysis calculations like ALE.

58
Multi-Selectmedium

A risk analyst is performing a quantitative risk analysis using the FAIR framework. Which TWO factors are multiplied to calculate Loss Event Frequency (LEF)?

Select 2 answers
A.Loss Magnitude
B.Annualized Rate of Occurrence
C.Threat Event Frequency
D.Single Loss Expectancy
E.Vulnerability
AnswersC, E

TEF is one component of LEF.

Why this answer

LEF = Threat Event Frequency (TEF) × Vulnerability (V).

59
MCQhard

In the FAIR framework, which of the following correctly represents the calculation of Loss Event Frequency (LEF)?

A.LEF = Threat Event Frequency × Vulnerability
B.LEF = Threat Event Frequency + Vulnerability
C.LEF = Asset Value × Vulnerability
D.LEF = Annualized Rate of Occurrence × Single Loss Expectancy
AnswerA

Correct formula.

Why this answer

In the FAIR (Factor Analysis of Information Risk) framework, Loss Event Frequency (LEF) is calculated as the product of Threat Event Frequency (TEF) and Vulnerability (Vuln). This reflects that the frequency of loss events depends on how often a threat event occurs and the probability that the threat event will result in a loss, which is the vulnerability component. The multiplication captures the dependency: even if threats are frequent, low vulnerability reduces LEF, and vice versa.

Exam trap

The trap here is that candidates often confuse LEF with ALE or mistakenly think vulnerability is additive, leading them to choose Option B or D, but FAIR explicitly defines LEF as a product of TEF and vulnerability, not a sum or a monetary metric.

How to eliminate wrong answers

Option B is wrong because LEF is not a sum of Threat Event Frequency and Vulnerability; addition would incorrectly imply that vulnerability adds to frequency rather than acting as a probabilistic multiplier. Option C is wrong because Asset Value is not part of LEF calculation; it is used in Loss Magnitude (LM) to compute risk, not in frequency estimation. Option D is wrong because Annualized Rate of Occurrence (ARO) × Single Loss Expectancy (SLE) is the formula for Annualized Loss Expectancy (ALE) in quantitative risk analysis, not LEF in FAIR; LEF is a frequency metric, not a monetary loss calculation.

60
Multi-Selecteasy

When performing a risk assessment, which TWO of the following are components of inherent risk?

Select 2 answers
A.Residual risk level
B.Impact of the risk event
C.Control effectiveness
D.Likelihood of a threat event
E.Cost-benefit analysis of controls
AnswersB, D

Inherent risk includes impact.

Why this answer

Inherent risk considers likelihood and impact without controls.

61
Multi-Selectmedium

A risk assessment for a cloud migration identifies high inherent risk. The risk practitioner evaluates controls. Which TWO components are necessary to calculate residual risk?

Select 3 answers
A.Control operating effectiveness
B.Likelihood of threat events
C.Control design adequacy
D.Financial impact of the risk
E.Inherent risk level
AnswersA, C, E

Operating effectiveness is also part of control effectiveness.

Why this answer

Control operating effectiveness is necessary to calculate residual risk because it measures how well a control actually reduces risk in practice. Even if a control is well-designed, poor implementation or maintenance can leave residual risk higher than expected. This aligns with the CRISC formula: Residual Risk = Inherent Risk × (1 - Control Effectiveness).

Exam trap

Cisco often tests the distinction between inherent risk components (likelihood, impact) and residual risk components (control design adequacy, operating effectiveness), trapping candidates who confuse inputs for inherent risk with those needed for residual risk calculation.

62
MCQmedium

A company's risk assessment identifies that a threat actor has high capability and motivation to exploit a vulnerability. Which factor does this relate to?

A.Likelihood assessment
B.Risk appetite
C.Control effectiveness
D.Impact assessment
AnswerA

Threat actor characteristics influence how likely an attack is.

Why this answer

Threat actor capability and motivation are factors in likelihood assessment.

63
MCQeasy

An IT risk assessment team is using a 5×5 risk matrix with likelihood and impact ratings. A risk scenario is rated as likelihood = 4 (likely) and impact = 5 (catastrophic). According to the typical heat map, what would be the risk rating?

A.Critical
B.High
C.Medium
D.Low
AnswerA

Correct; likelihood 4 × impact 5 = 20, which corresponds to critical risk.

Why this answer

In a 5×5 matrix, likelihood 4 and impact 5 give a product of 20, which is typically in the 'critical' range. Common thresholds: 1-5 low, 6-10 medium, 11-15 high, 16-25 critical.

64
MCQeasy

Which of the following is a detective control for an information system?

A.Data backup
B.Encryption
AnswerD

IDS detects attacks or policy violations.

Why this answer

An intrusion detection system (IDS) is a detective control because it monitors network traffic or system activity for malicious actions or policy violations and generates alerts when such events occur. Unlike preventive controls, an IDS does not block or stop the attack; it detects and reports it after the fact, enabling incident response.

Exam trap

The trap here is confusing detective controls (which identify incidents after they occur) with preventive controls (which stop incidents before they happen), leading candidates to mistakenly classify firewalls or encryption as detective.

How to eliminate wrong answers

Option A is wrong because data backup is a corrective/recovery control, not detective; it restores data after a loss but does not detect ongoing threats. Option B is wrong because encryption is a preventive control that protects data confidentiality by encoding it, but it does not detect unauthorized access or attacks. Option C is wrong because a firewall is a preventive control that enforces access policies by blocking or allowing traffic based on rules, but it does not actively detect or alert on suspicious activity.

65
MCQhard

An organization calculated the inherent risk for a critical system as 'High' using a 5x5 heat map. After implementing controls, the residual risk is assessed as 'Medium'. What does this indicate about the control effectiveness?

A.Controls are fully effective and risk is now acceptable
B.Controls are ineffective and need replacement
C.Controls are partially effective, reducing risk but not to the target level
D.Residual risk should equal inherent risk if controls are effective
AnswerC

The risk dropped from High to Medium, showing partial effectiveness.

Why this answer

The movement from 'High' inherent risk to 'Medium' residual risk indicates that the implemented controls have reduced the risk level by one step on the 5x5 heat map, but have not eliminated it entirely. Since the residual risk is still 'Medium' rather than 'Low' or 'Very Low', the controls are only partially effective—they mitigate some of the risk but do not bring it down to the organization's target risk appetite or tolerance level.

Exam trap

The trap here is that candidates assume any reduction in risk means controls are fully effective and risk is acceptable, but CRISC requires you to compare residual risk against the organization's specific risk appetite and target level, not just the inherent risk baseline.

How to eliminate wrong answers

Option A is wrong because 'fully effective' controls would reduce the risk to the organization's target level (often 'Low' or 'Very Low'), not leave it at 'Medium'; residual risk being 'Medium' means the risk is not yet acceptable unless the target is explicitly 'Medium'. Option B is wrong because 'ineffective' controls would result in residual risk remaining at 'High' or possibly increasing, not dropping to 'Medium'; a reduction in risk level proves some effectiveness. Option D is wrong because if controls are effective, residual risk should be lower than inherent risk, not equal; equal residual risk would mean controls have zero effect, which contradicts the observed reduction from 'High' to 'Medium'.

66
MCQeasy

Which risk treatment option involves eliminating the activity that creates the risk?

A.Transfer
B.Mitigate
C.Accept
D.Avoid
AnswerD

Avoidance eliminates the risk by stopping the activity.

Why this answer

Risk avoidance means avoiding the risk by discontinuing the activity that generates it.

67
MCQmedium

A bank is evaluating the impact of a potential system outage. Which of the following is an example of a direct financial cost associated with this impact?

A.Share price decline
B.Regulatory fines
C.Loss of customer trust
D.Cost of system restoration
AnswerD

System restoration is a direct cost of the outage.

Why this answer

Direct financial costs include incident response, recovery, and notification costs.

68
MCQhard

An organization has implemented a firewall (preventive), intrusion detection system (detective), and a backup restoration plan (corrective) to address a specific risk. The risk manager assesses the control effectiveness as follows: design adequacy is strong, but operating effectiveness is weak due to inconsistent patching. Which of the following best describes the residual risk?

A.Residual risk cannot be determined without a quantitative analysis
B.Residual risk is negligible because multiple controls are in place
C.Residual risk is lower than inherent risk but still significant due to weak operating effectiveness
D.Residual risk is equal to inherent risk because controls are ineffective
AnswerC

Controls reduce risk but weak operating effectiveness limits the reduction.

Why this answer

Residual risk is inherent risk adjusted for control effectiveness. Weak operating effectiveness means controls are not fully effective, so residual risk remains relatively high.

69
MCQeasy

Which risk treatment option involves purchasing cyber insurance?

A.Avoid
B.Transfer
C.Mitigate
D.Accept
AnswerB

Insurance transfers the financial risk to a third party.

Why this answer

Cyber insurance is a form of risk transfer, where the financial impact of a loss is shifted to the insurer.

70
MCQmedium

After implementing a set of controls, the risk owner calculates the residual risk. Which of the following is true about residual risk?

A.It is the risk that remains after controls are applied
B.It is not considered in risk treatment decisions
C.It is always higher than inherent risk
D.It is the risk before any controls are implemented
AnswerA

Residual risk = inherent risk adjusted for control effectiveness.

Why this answer

Residual risk is the risk remaining after controls are applied, and it should be within the risk appetite.

71
Multi-Selecthard

A risk manager is evaluating the impact assessment for a potential data breach. Which THREE categories of impact should be considered in a comprehensive business impact analysis?

Select 3 answers
A.Technological impact (obsolescence of hardware)
B.Environmental impact (pollution, waste)
C.Operational impact (system downtime, productivity loss)
D.Regulatory impact (fines, mandatory remediation)
E.Financial impact (direct and indirect costs)
AnswersC, D, E

Operational, regulatory and financial impact are the three recognized categories among the options.

Why this answer

A comprehensive business impact analysis covers financial, operational, regulatory and reputational impact. Reputational impact is not offered here, so the three correct options are operational (C), regulatory (D) and financial (E). Hardware obsolescence (A) is a technology-lifecycle concern rather than a breach impact, and environmental impact (B) is not a category used when assessing a data breach.

72
MCQmedium

Which control type is primarily focused on identifying that a risk event has occurred?

A.Compensating
B.Preventive
C.Detective
D.Corrective
AnswerC

Detective controls identify that an event has occurred, e.g., logs, IDS.

Why this answer

Detective controls are designed to detect incidents after they happen.

73
MCQmedium

A quantitative risk analysis for a data breach yields an Annualized Loss Expectancy (ALE) of $500,000. The Single Loss Expectancy (SLE) is $100,000. What is the Annualized Rate of Occurrence (ARO)?

A.5
B.50
C.0.2
D.500,000
AnswerA

Correct. ARO = ALE / SLE = 5.

Why this answer

The Annualized Loss Expectancy (ALE) is calculated as Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO). Given ALE = $500,000 and SLE = $100,000, the ARO is $500,000 / $100,000 = 5. This means the data breach is expected to occur 5 times per year.

Exam trap

The trap here is that candidates often confuse the formula and incorrectly divide SLE by ALE (yielding 0.2) instead of dividing ALE by SLE, or they misplace decimal points when calculating the rate.

How to eliminate wrong answers

Option B (50) is wrong because it would result from incorrectly multiplying SLE by 10 or misplacing a decimal, not from the correct division of ALE by SLE. Option C (0.2) is wrong because it represents the inverse calculation (SLE divided by ALE), which would imply the breach occurs once every 5 years, not 5 times per year. Option D (500,000) is wrong because it simply repeats the ALE value, ignoring the need to divide by SLE to derive the ARO.

74
MCQhard

A company uses cyber insurance to cover losses from data breaches. This is an example of which risk treatment?

A.Avoid
B.Transfer
C.Mitigate
D.Accept
AnswerB

Insurance transfers financial risk to the insurer.

Why this answer

Transfer shifts risk to a third party, such as an insurance company.

75
MCQmedium

When prioritizing risk treatment actions, which of the following should be the primary consideration?

A.Ease of implementation
B.Regulatory compliance only
C.Risk level and cost-benefit analysis
D.Risk owner preference
AnswerC

Correct; prioritize high risk with favorable cost-benefit.

Why this answer

Risk prioritization should balance the risk level (high vs low) and the cost-benefit of controls. High risks with cost-effective controls should be prioritized.
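As an added worked example (not part of the question bank) that ties together the ALE/SLE/ARO arithmetic of question 73 and the risk-level plus cost-benefit prioritization of question 75: the helper names, the risk register entries, the control costs and the appetite figure are all constructed for illustration, and the net-benefit rule (risk reduction minus the annual cost of the control) is the standard safeguard-value calculation rather than anything the questions themselves spell out.

```python
"""Quantitative risk treatment: ALE/SLE/ARO arithmetic and a cost-benefit
ranking of candidate controls. Added worked example; the register below is
constructed data, not figures from the question bank."""
from dataclasses import dataclass


def annualized_rate_of_occurrence(ale: float, sle: float) -> float:
    """ARO = ALE / SLE. Dividing the other way (SLE / ALE) is the exam trap."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    return ale / sle


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def describe_aro(aro: float) -> str:
    """ARO >= 1 reads as events per year; ARO < 1 as years between events."""
    return f"{aro:g} events per year" if aro >= 1 else f"once every {1 / aro:g} years"


@dataclass(frozen=True)
class Treatment:
    """One candidate control for one risk, with its expected effect on SLE and ARO."""
    risk: str
    control: str
    annual_cost: float      # yearly cost of operating the control
    sle_before: float
    aro_before: float
    sle_after: float        # SLE once the control is operating as designed
    aro_after: float

    def ale_before(self) -> float:
        return annualized_loss_expectancy(self.sle_before, self.aro_before)

    def ale_after(self) -> float:
        return annualized_loss_expectancy(self.sle_after, self.aro_after)

    def net_benefit(self) -> float:
        """Cost-benefit of the control: annual risk reduction minus what it costs to run."""
        return (self.ale_before() - self.ale_after()) - self.annual_cost


def residual_within_appetite(t: Treatment, appetite_ale: float) -> bool:
    """Residual risk (ALE after the control) must land inside the stated appetite."""
    return t.ale_after() <= appetite_ale


def prioritize(treatments: list[Treatment]) -> list[Treatment]:
    """Rank by the risk level addressed (ALE before), then by net benefit, and drop
    controls that cost more per year than the risk reduction they buy."""
    worthwhile = [t for t in treatments if t.net_benefit() > 0]
    return sorted(worthwhile, key=lambda t: (t.ale_before(), t.net_benefit()), reverse=True)


# Constructed risk register (hypothetical figures).
REGISTER = [
    Treatment("data breach", "DLP + encryption", annual_cost=120_000,
              sle_before=100_000, aro_before=5, sle_after=20_000, aro_after=2),
    Treatment("data breach", "cyber insurance", annual_cost=60_000,
              sle_before=100_000, aro_before=5, sle_after=25_000, aro_after=5),
    Treatment("web defacement", "WAF", annual_cost=30_000,
              sle_before=10_000, aro_before=2, sle_after=5_000, aro_after=0.5),
    Treatment("phishing", "security awareness training", annual_cost=15_000,
              sle_before=40_000, aro_before=3, sle_after=40_000, aro_after=1),
]

if __name__ == "__main__":
    aro = annualized_rate_of_occurrence(ale=500_000, sle=100_000)
    print(f"ARO for the question-73 figures: {describe_aro(aro)}")
    for t in prioritize(REGISTER):
        print(f"{t.risk:15} {t.control:28} ALE {t.ale_before():>9,.0f} -> "
              f"{t.ale_after():>9,.0f}  net benefit {t.net_benefit():>9,.0f}")
```

The WAF entry is dropped from the ranking because its annual cost exceeds the risk reduction it delivers, which is exactly the "favorable cost-benefit" filter the question describes; the two data-breach controls rank first because they address the highest ALE, and the one with the larger net benefit wins the tie. Note that insurance (risk transfer) leaves residual ALE well above a 50,000 appetite, so it would need to be combined with a mitigating control rather than used alone.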

CCNA Crisc Risk Assessment Questions — Page 1 of 2 | Courseiva