CCNA Crisc Risk Assessment Questions

65 of 140 questions · Page 2/2 · Crisc Risk Assessment topic · Answers revealed

76
MCQhard

In a quantitative risk analysis, the annualized loss expectancy (ALE) is calculated as $1 million. If the organization implements a control that reduces the ARO from 0.5 to 0.1, and the SLE remains constant at $2 million, what is the new ALE?

A.$200,000
B.$500,000
C.$100,000
D.$1 million
AnswerA

Correct: $2M × 0.1 = $200,000.

Why this answer

The annualized loss expectancy (ALE) is calculated as SLE × ARO. With SLE constant at $2 million and the new ARO reduced to 0.1, the new ALE is $2,000,000 × 0.1 = $200,000. This reflects the residual risk after the control is implemented.

Exam trap

The trap here is applying the ARO reduction to the ALE instead of recalculating ALE from SLE and the new ARO. Taking 0.1 of the original $1 million ALE gives $100,000 (option C); taking 0.5 of it gives $500,000 (option B). Recompute from the definition: ALE = SLE × ARO = $2,000,000 × 0.1 = $200,000.

How to eliminate wrong answers

Option B ($500,000) is wrong because it applies the original ARO (0.5) to the original ALE of $1 million, or simply halves the ALE, instead of multiplying SLE by the new ARO. Option C ($100,000) is wrong because it applies the new ARO (0.1) to the original ALE ($1,000,000 × 0.1) rather than to the SLE. Option D ($1 million) is wrong because it is the original ALE ($2,000,000 × 0.5) and ignores the control's effect on ARO.

77
MCQmedium

An organization is evaluating the risk of a data breach using the FAIR framework. The threat event frequency is estimated at 10 per year, the vulnerability is 0.2, and the loss magnitude is $500,000 per event. What is the annualized loss expectancy (ALE)?

A.$500,000
B.$1,000,000
C.$5,000,000
D.$100,000
AnswerB

Correct calculation: ALE = (10 × 0.2) × $500,000 = $1,000,000.

Why this answer

ALE = ARO × SLE. In FAIR, LEF = TEF × Vulnerability = 10 × 0.2 = 2 events per year. SLE is the loss magnitude per event, $500,000.

ALE = 2 × $500,000 = $1,000,000.

78
MCQmedium

A risk assessment report includes both inherent and residual risk ratings. The inherent risk for a process is rated as 'high' based on a 5×5 heat map. After applying a set of controls, the residual risk is rated as 'medium'. What does this indicate about the control effectiveness?

A.Controls increased the risk level.
B.Controls are fully effective and eliminate all risk.
C.Controls are not effective at all.
D.Controls are partially effective in reducing risk.
AnswerD

The risk dropped from high to medium, showing partial effectiveness.

Why this answer

The reduction from high to medium indicates that controls are partially effective in reducing risk, but not completely.

79
Multi-Selectmedium

A company is prioritizing risk treatment actions. Which THREE factors should be considered when prioritizing risks?

Select 3 answers
A.Industry best practices
B.Cost-benefit analysis of controls
C.Residual risk after control implementation
D.Risk level (inherent or residual)
E.Number of vulnerabilities
AnswersB, C, D

Cost-benefit helps determine which treatments provide the best value.

Why this answer

Option B is correct because cost-benefit analysis ensures that the resources invested in controls are justified by the reduction in risk; without it an organization may over-invest in low-impact risks or under-invest in high-impact ones. Option C is correct because the residual risk expected after a treatment shows how much exposure would remain, which separates treatments that bring a risk within appetite from those that do not. Option D is correct because the current risk level (inherent, or residual where controls already exist) is the primary driver of priority: the highest-rated risks are treated first. Option A is wrong because industry practice informs which controls to choose, not which risks to treat first, and option E is wrong because a raw vulnerability count says nothing about likelihood or impact.

Exam trap

The trap here is that candidates confuse 'number of vulnerabilities' (a technical count) with 'risk level' (which incorporates impact and likelihood), leading them to select Option E instead of recognizing that risk level is the primary driver for prioritization.

80
Multi-Selectmedium

An organization is evaluating whether to accept a risk. Which TWO conditions must be met for risk acceptance to be appropriate?

Select 2 answers
A.The risk can be transferred to an insurer
B.The risk owner formally documents and accepts the risk
C.The risk is high but unavoidable
D.A cost-effective control is available
E.The risk is within the organization's risk appetite
AnswersB, E

Correct; formal sign-off is required.

Why this answer

Acceptance requires that the risk is within the organization's risk appetite and that the risk owner formally documents and signs off the acceptance. Option D argues against acceptance: if a cost-effective control is available, mitigation is the expected treatment. Option A describes transfer, a different treatment, and option C describes a risk that by definition exceeds appetite, which is grounds for avoidance or escalation rather than acceptance.

81
MCQmedium

A risk assessment identifies a vulnerability in a critical application. The threat actor is a script kiddie with low capability. Using the FAIR framework, which factor would most directly increase the Loss Event Frequency (LEF)?

A.Reducing the vulnerability severity
B.Decreasing the threat event frequency
C.Increasing the vulnerability severity
D.Increasing the threat actor's motivation
AnswerC

Correct. Higher vulnerability severity increases LEF.

Why this answer

In FAIR, Vulnerability is the probability that a threat event turns into a loss event; it depends on the threat agent's capability relative to the asset's resistance (control) strength. Raising that probability raises LEF directly, because LEF = TEF × Vulnerability, so the application becomes more likely to suffer a loss event even though the script kiddie's capability is unchanged.

Exam trap

The trap here is that candidates confuse 'threat actor motivation' with 'vulnerability severity' as the primary driver of LEF, but FAIR separates motivation into TEF, while vulnerability severity directly impacts the probability of a successful loss event.

How to eliminate wrong answers

Option A is wrong because reducing vulnerability lowers the probability that a threat event becomes a loss event, which lowers LEF rather than raising it. Option B is wrong because decreasing threat event frequency reduces the number of attempts, which also lowers LEF. Option D is wrong for this question because motivation is one step removed: in FAIR it feeds Probability of Action, which is an input to TEF, whereas Vulnerability is one of the two factors multiplied to give LEF, making it the more direct lever among the options.

82
MCQmedium

In a quantitative risk analysis using FAIR, which of the following best represents Loss Magnitude (LM)?

A.Primary Loss + Secondary Loss
B.Single Loss Expectancy (SLE)
C.Threat Event Frequency × Vulnerability
D.Annualized Loss Expectancy (ALE)
AnswerA

Correct. LM = Primary Loss + Secondary Loss in FAIR.

Why this answer

In FAIR, Loss Magnitude (LM) is the sum of Primary Loss (direct costs) and Secondary Loss (indirect costs) resulting from a loss event.

83
MCQmedium

A company is considering outsourcing its data center operations to a cloud provider. Which risk treatment option is the company primarily exercising?

A.Risk avoidance
B.Risk mitigation
C.Risk transfer
D.Risk acceptance
AnswerC

Correct. Outsourcing transfers risk to the cloud provider.

Why this answer

Outsourcing shifts the operational risk of running the data center, and often contractual liability for failures, to a third party, which is risk transfer. Note that accountability for the risk cannot be transferred: the organization remains accountable to its regulators and customers for outcomes, so contract terms, SLAs and supplier oversight are still required.

84
MCQeasy

An organization decides to discontinue a high-risk business process that cannot be effectively mitigated. This is an example of which risk treatment option?

A.Risk acceptance
B.Risk transfer
C.Risk mitigation
D.Risk avoidance
AnswerD

Correct. Discontinuing the process avoids the risk.

Why this answer

Avoidance involves eliminating the activity that creates the risk, thus removing the risk entirely.

85
MCQmedium

A risk analyst uses a 5x5 heat map to evaluate a set of IT risks. For a particular risk, the likelihood is rated as 4 (likely) and impact as 5 (very high). What is the resulting risk rating?

A.Low
B.Medium
C.Critical
D.High
AnswerC

Critical is the highest category, typically scores 16-25.

Why this answer

In a 5x5 heat map the risk score is commonly the product of likelihood and impact (the convention used on this page; some organizations define other schemes). With likelihood 4 and impact 5 the product is 20, which falls in the critical band (16-25).

86
MCQeasy

Which of the following is an example of a corrective control?

A.Incident response plan
C.Security awareness training
D.Log monitoring
AnswerA

Correct; incident response corrects after an incident.

Why this answer

Corrective controls respond to and recover from risk events. Incident response procedures are corrective because they address incidents after they occur.

87
MCQeasy

A risk practitioner is using a 5×5 heat map with likelihood and impact ratings. Which of the following is a key advantage of this qualitative risk analysis approach?

A.It provides objective, financially meaningful results.
B.It eliminates the need for expert judgment in risk assessment.
C.It is quick and easy to communicate to stakeholders.
D.It allows direct comparison of risk levels across different organizations.
AnswerC

Heat maps are simple to understand and can be produced rapidly.

Why this answer

Option C is correct because qualitative risk analysis using a 5×5 heat map is designed to be quick to perform and easy to communicate visually to non-technical stakeholders. The color-coded matrix (e.g., red for high risk, green for low risk) allows immediate understanding of risk priorities without requiring complex calculations, making it ideal for initial risk assessments and board-level reporting.

Exam trap

The trap here is that candidates often confuse qualitative analysis with providing objective financial data (Option A), but qualitative methods like heat maps are inherently subjective and ordinal, not monetary.

How to eliminate wrong answers

Option A is wrong because qualitative analysis does not provide objective, financially meaningful results; it relies on subjective ordinal scales (e.g., high, medium, low) rather than monetary values or quantitative metrics like Annualized Loss Expectancy (ALE). Option B is wrong because qualitative analysis heavily depends on expert judgment to assign likelihood and impact ratings; it does not eliminate the need for expertise. Option D is wrong because the 5×5 heat map uses organization-specific definitions for likelihood and impact scales, which are not standardized across different organizations, preventing direct comparison of risk levels.

88
Multi-Selecthard

A risk practitioner is calculating the residual risk for a critical asset. Which THREE factors should be considered?

Select 3 answers
A.Cost of controls
B.Control design adequacy
C.Risk appetite
D.Inherent risk level
E.Control operating effectiveness
AnswersB, D, E

Design adequacy determines if controls can address the risk.

Why this answer

Residual risk is the risk remaining after controls are applied. To calculate it, you must know the inherent risk level (the risk before controls) and then assess how effectively controls reduce that risk. Control design adequacy and operating effectiveness determine how much the inherent risk is mitigated, directly impacting the residual risk calculation.

Exam trap

The trap here is confusing factors that influence the decision to accept residual risk (like risk appetite and cost of controls) with the direct inputs required to calculate the residual risk level itself.

89
MCQmedium

A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?

A.Ease of implementing controls
B.Risk level (inherent or residual)
C.Cost of controls
D.Business unit manager's preference
AnswerB

Higher risk levels warrant higher priority.

Why this answer

Risk prioritization is primarily based on the level of risk (inherent or residual) to allocate resources to the most critical risks. Ease of mitigation, cost, and business unit preference are secondary.

90
MCQeasy

Which of the following is a limitation of qualitative risk analysis?

A.It cannot be used for regulatory compliance.
B.It provides subjective results that are not comparable across organizations.
C.It requires specialized software to perform.
D.It is too data-intensive and time-consuming.
AnswerB

Subjectivity and lack of comparability are key limitations.

Why this answer

Qualitative analysis is subjective and results may not be comparable across different organizations due to varying risk appetites and interpretations.

91
MCQmedium

An organization is evaluating the risk of a ransomware attack. Using the FAIR framework, which of the following components directly multiplies to calculate Loss Event Frequency (LEF)?

A.Control Effectiveness and Residual Risk
B.Annual Loss Expectancy and Single Loss Expectancy
C.Primary Loss and Secondary Loss
D.Threat Event Frequency and Vulnerability
AnswerD

Correct. LEF = TEF × Vulnerability.

Why this answer

In FAIR, Loss Event Frequency (LEF) is calculated as Threat Event Frequency (TEF) multiplied by Vulnerability (V).

92
MCQhard

After implementing controls for a high-risk IT process, the residual risk is calculated as medium. The risk owner argues that the controls are not adequate because the inherent risk was critical. Which of the following should be the primary basis for determining control adequacy?

A.The number of controls implemented
B.The reduction from inherent risk to residual risk based on control effectiveness
C.The cost of controls relative to the asset value
D.The industry standards for similar processes
AnswerB

Correct. Adequacy is measured by how effectively controls reduce risk.

Why this answer

Control adequacy is determined by assessing both design adequacy and operating effectiveness, which together reduce inherent risk to the desired residual risk level.

93
MCQhard

In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?

A.Vulnerability
B.Loss Event Frequency (LEF)
C.Annualized Rate of Occurrence (ARO)
D.Threat Event Frequency (TEF)
AnswerD

TEF measures how often a threat agent acts.

Why this answer

In the FAIR model, Threat Event Frequency (TEF) is the component that estimates how often, within a given timeframe, a threat agent (such as a hacker or malware) will initiate an action against an asset. This directly matches the question's definition of 'probable frequency that a threat agent will act against an asset.' TEF is a primary input for calculating Loss Event Frequency (LEF) and ultimately risk.

Exam trap

The trap here is that candidates confuse Loss Event Frequency (LEF) with Threat Event Frequency (TEF), because LEF is the more commonly cited output in risk reports, but the question specifically asks for the frequency of the threat agent acting, not the resulting loss event.

How to eliminate wrong answers

Option A is wrong because Vulnerability represents the probability that an asset cannot resist a threat event, not the frequency of threat agent actions. Option B is wrong because Loss Event Frequency (LEF) is the probable frequency of loss events, derived from Threat Event Frequency (TEF) and Vulnerability, not the raw frequency of threat agent actions. Option C is wrong because Annualized Rate of Occurrence (ARO) belongs to the traditional SLE × ARO quantitative model, where it estimates the number of loss events expected per year; it is not a FAIR component, and it corresponds most closely to FAIR's LEF rather than to TEF.

94
MCQhard

A quantitative risk analysis for a phishing campaign estimates that threat event frequency is 50 per year, vulnerability is 0.1 (10% of users will click), and loss magnitude per successful attack is $10,000. However, the analyst notes a 90% confidence interval of $5,000 to $20,000 for loss magnitude. Which of the following best describes a limitation of this quantitative analysis?

A.The analysis requires extensive data and is time-consuming
B.The analysis is subjective and not comparable across organizations
C.The results are always accurate and reliable
D.The results are easy to communicate to non-technical stakeholders
AnswerA

Quantitative analysis is data-intensive and time-consuming, especially when dealing with uncertainty ranges.

Why this answer

Quantitative analysis needs enough data to estimate frequencies and loss magnitudes, and, as the 90% confidence interval shows, those inputs carry uncertainty that has to be captured (with ranges or simulation) rather than a single number. Gathering and calibrating that data is what makes the approach data-intensive and time-consuming. Options B and D describe qualitative analysis, and option C is not true of any analysis.
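The confidence interval in this question is the point where a spreadsheet of single numbers stops being enough. The following added example (written for this page, not from any exam body or FAIR tooling) computes the deterministic FAIR roll-up used in questions 77, 102 and 107, then fits a lognormal loss-magnitude distribution to the analyst's 90% interval and simulates annual loss so the result is a distribution rather than a point. The inputs are the constructed values from the question; the lognormal choice, the binomial treatment of threat events and the trial count are assumptions.

```python
import math
import random
from statistics import mean

# Constructed inputs from the phishing scenario above (illustrative, not real data).
TEF = 50            # threat events per year
VULN = 0.1          # probability a threat event becomes a loss event (10% click)
LM_POINT = 10_000   # point estimate of loss magnitude per loss event, USD
LM_P05, LM_P95 = 5_000, 20_000   # analyst's 90% confidence interval for loss magnitude

Z90 = 1.6449  # standard-normal z-score bounding a two-sided 90% interval


def point_estimate_ale(tef, vuln, lm):
    """Deterministic FAIR roll-up: LEF = TEF x Vuln, ALE = LEF x LM."""
    lef = tef * vuln
    return lef * lm


def fit_lognormal_from_ci(p05, p95, z=Z90):
    """Return (mu, sigma) of a lognormal whose 5th/95th percentiles are p05/p95.

    The interval is symmetric in log space, so mu is the log of the geometric
    midpoint and sigma is the log half-width divided by z. (Assumed model.)
    """
    if not 0 < p05 < p95:
        raise ValueError("interval bounds must be positive and ordered")
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * z)
    return mu, sigma


def lognormal_percentile(mu, sigma, z):
    """Value at the percentile whose standard-normal score is z."""
    return math.exp(mu + z * sigma)


def simulate_annual_loss(tef, vuln, mu, sigma, rng):
    """One simulated year: each of the TEF threat events independently becomes
    a loss event with probability vuln; each loss event draws its own magnitude."""
    loss_events = sum(1 for _ in range(tef) if rng.random() < vuln)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(loss_events))


def monte_carlo_ale(tef, vuln, p05, p95, trials=20_000, seed=7):
    """Summary statistics of simulated annual loss (seeded for repeatability)."""
    rng = random.Random(seed)
    mu, sigma = fit_lognormal_from_ci(p05, p95)
    losses = sorted(simulate_annual_loss(tef, vuln, mu, sigma, rng)
                    for _ in range(trials))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": mean(losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_zero_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


if __name__ == "__main__":
    print("point-estimate ALE:", point_estimate_ale(TEF, VULN, LM_POINT))
    print("simulated annual loss:", monte_carlo_ale(TEF, VULN, LM_P05, LM_P95))
```

Run as a script it prints the $50,000 point estimate next to the simulated mean and p10/p50/p90. The point estimate sits well inside the p10 to p90 spread, which is the limitation the question is getting at, and the simulated mean lands a little above $50,000 because the lognormal fit is right-skewed: the $10,000 figure is the median of the interval, not its mean.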

95
MCQmedium

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

A.Threat Event Frequency × Vulnerability
B.Annualized Rate of Occurrence × Single Loss Expectancy
C.Threat Event Frequency × Loss Magnitude
D.Vulnerability × Loss Magnitude
AnswerA

LEF = TEF × Vulnerability.

Why this answer

FAIR defines LEF = Threat Event Frequency (TEF) multiplied by Vulnerability (Vuln).

96
MCQeasy

Which risk treatment option involves eliminating the activity that creates the risk?

A.Accept
B.Transfer
C.Avoid
D.Mitigate
AnswerC

Avoidance eliminates the risk by stopping the activity.

Why this answer

Option C (Avoid) is correct because risk avoidance involves discontinuing the activity or process that gives rise to the risk. In IT risk management, this means removing the vulnerable system, decommissioning a service, or ceasing a business function entirely to eliminate the risk exposure. For example, if an organization decides to shut down a legacy FTP server to avoid the risk of data interception, it is applying the avoid treatment.

Exam trap

The trap here is that candidates often confuse 'avoid' with 'mitigate' because both involve reducing risk, but avoid eliminates the activity entirely while mitigate keeps the activity running with controls in place.

How to eliminate wrong answers

Option A is wrong because risk acceptance means acknowledging the risk and choosing to tolerate it without taking action to reduce or eliminate it, which does not remove the activity. Option B is wrong because risk transfer shifts the financial impact of a risk to a third party (e.g., through cyber insurance or outsourcing) but does not eliminate the underlying activity or threat. Option D is wrong because risk mitigation (or reduction) implements controls to lower the likelihood or impact of a risk, such as applying patches or encrypting data, but the activity that creates the risk continues to operate.

97
MCQeasy

Which control type is designed to stop a risk event from occurring?

A.Detective
B.Compensating
C.Preventive
D.Corrective
AnswerC

Preventive controls are designed to stop risk events.

Why this answer

Preventive controls aim to prevent risk events from happening, e.g., access controls, encryption.

98
MCQhard

A risk assessment reveals that the likelihood of a phishing attack is high, and the impact is moderate. The organization decides to implement security awareness training and email filtering. This is an example of which risk treatment?

A.Risk acceptance
B.Risk avoidance
C.Risk mitigation
D.Risk transfer
AnswerC

Controls are implemented to reduce risk.

Why this answer

Mitigation implements controls to reduce likelihood or impact. Both controls here reduce likelihood: email filtering lowers the number of phishing messages that reach users, and awareness training lowers the proportion of delivered messages that are clicked. Impact-reducing mitigations would be measures such as limiting what a compromised account can reach.

99
MCQmedium

A risk is assessed with inherent risk score of 25 on a 5x5 matrix. After implementing controls, the residual risk score is 10. The control effectiveness is considered:

A.Not measurable
B.Highly effective
C.Ineffective
D.Moderately effective
AnswerD

Correct; 60% reduction shows moderate effectiveness.

Why this answer

Control effectiveness can be measured as the reduction in risk score. Inherent 25 to residual 10 is a 60% reduction (15/25). On this page's scale that counts as moderately effective: clearly better than ineffective, but short of the reduction expected of highly effective controls. The cut-offs between 'moderate' and 'high' effectiveness are organization-defined, so in practice the rating should be read against the documented scale.

100
Multi-Selecteasy

A company is considering using a qualitative risk assessment approach to evaluate IT risks. Which TWO of the following are advantages of qualitative risk analysis over quantitative risk analysis?

Select 2 answers
A.Easily comparable across organizations
B.Provides financially meaningful results
C.Quick to perform
D.Easy to communicate to stakeholders
E.Objective and repeatable
AnswersC, D

Qualitative analysis can be performed rapidly using expert judgment.

Why this answer

Qualitative analysis is quicker and easier to communicate because it uses ordinal scales (e.g., high/medium/low) rather than numerical data.

101
MCQmedium

Which of the following is an example of a detective control?

A.Backup restoration after data loss
B.Firewall rules blocking unauthorized traffic
C.Requiring two-factor authentication
D.Intrusion detection system (IDS) alerts
AnswerD

IDS alerts detect potential incidents after they occur.

Why this answer

An intrusion detection system (IDS) monitors network traffic for suspicious activity and generates alerts when it detects potential threats. This is a detective control because it identifies and reports security incidents after they occur, rather than preventing them. IDS alerts provide visibility into ongoing or past attacks, enabling incident response.

Exam trap

The trap here is confusing preventive controls (like firewalls and authentication) with detective controls (like IDS), as candidates often misclassify controls based on their general security function rather than their specific timing relative to the incident.

How to eliminate wrong answers

Option A is wrong because backup restoration after data loss is a corrective control, not a detective control; it recovers data after an incident has occurred. Option B is wrong because firewall rules blocking unauthorized traffic is a preventive control, as it stops threats before they reach the network. Option C is wrong because requiring two-factor authentication is a preventive control that verifies identity before granting access, not a mechanism to detect incidents after they happen.

102
MCQmedium

A company uses the FAIR model to perform a quantitative risk analysis. The threat event frequency (TEF) is estimated at 10 per year, vulnerability (V) is 0.5, and loss magnitude (LM) per event is $50,000. What is the annualized loss expectancy (ALE)?

A.$25,000
B.$50,000
C.$500,000
D.$250,000
AnswerD

Correct; LEF=5, ALE=5*$50k=$250k.

Why this answer

FAIR: LEF = TEF × V = 10 × 0.5 = 5 events/year. ALE = LEF × LM = 5 × $50,000 = $250,000.

103
MCQmedium

A company decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

A.Mitigate
B.Accept
C.Avoid
D.Transfer
AnswerD

Insurance transfers the financial risk to the insurer.

Why this answer

Transferring risk to a third party through insurance is a classic risk transfer strategy.

104
Multi-Selecthard

During an IT risk assessment, the risk team identifies a high inherent risk for a legacy application. The team is evaluating control options. Which THREE are considered preventive controls?

Select 3 answers
A.Log monitoring
B.Encryption of data at rest
C.Change management process
D.Access controls
E.Backup restoration procedures
AnswersB, C, D

Encryption prevents data exposure if storage is compromised.

Why this answer

Preventive controls aim to stop risk events. Access controls, encryption, and change management are preventive. Logs are detective, backup restoration is corrective.

105
MCQmedium

A risk owner decides to accept a risk because the cost of mitigation exceeds the potential loss, and the risk level is within the organization's risk appetite. What should the risk owner do next?

A.Implement detective controls to monitor the risk
B.Reassess the risk using quantitative analysis
C.Transfer the risk to a third party via insurance
D.Document the risk and obtain formal sign-off
AnswerD

Proper risk acceptance requires documentation and formal approval from the risk owner or management.

Why this answer

The risk owner should formally document the risk acceptance decision and obtain approval from management as per policy.

106
MCQhard

A company identifies a high inherent risk in its online payment system. After implementing a Web Application Firewall (WAF) and conducting quarterly penetration tests, the residual risk is assessed as medium. Which of the following best explains the relationship between inherent risk, controls, and residual risk?

A.Residual risk is the inherent risk adjusted for the effectiveness of controls in reducing likelihood and impact.
B.Inherent risk is the risk after controls are applied, while residual risk is the risk before controls.
C.Residual risk equals inherent risk minus the total cost of controls implemented.
D.Inherent risk and residual risk are independent; residual risk is determined solely by threat intelligence.
AnswerA

Correct. Control effectiveness reduces inherent risk to residual risk.

Why this answer

Residual risk is the risk remaining after controls are applied. It is calculated by adjusting inherent risk for control effectiveness (design adequacy and operating effectiveness).

107
MCQmedium

A company is assessing the risk of a ransomware attack. The security team estimates the threat event frequency as 2 attacks per year, vulnerability as 0.3 (30% chance of success), primary loss as $500,000, and secondary loss as $200,000. What is the annualized loss expectancy (ALE) using the FAIR framework?

A.$420,000
B.$700,000
C.$210,000
D.$1,400,000
AnswerA

ALE = (2 * 0.3) * ($500,000 + $200,000) = 0.6 * $700,000 = $420,000.

Why this answer

The FAIR framework calculates ALE as Threat Event Frequency × Vulnerability × (Primary Loss + Secondary Loss). Here, 2 × 0.3 × ($500,000 + $200,000) = 2 × 0.3 × $700,000 = $420,000. This correctly accounts for the probability of a successful attack and the total loss per incident.

Exam trap

The trap here is that candidates often forget to multiply by the vulnerability factor (0.3) or omit secondary loss, leading to answers like $700,000 or $1,400,000, which ignore the probabilistic nature of successful attacks.

How to eliminate wrong answers

Option B ($700,000) is wrong because it is the loss magnitude of a single loss event (primary plus secondary loss) with no frequency applied; it would equal the ALE only if LEF were exactly 1. Option C ($210,000) is wrong because it is 0.3 × $700,000: the vulnerability is applied but the threat event frequency of 2 is dropped. Option D ($1,400,000) is wrong because it is 2 × $700,000: the threat event frequency is applied but the 30% success probability is dropped, so it treats every threat event as a loss event and overstates the ALE.

108
MCQeasy

A risk assessment reveals a high inherent risk that is within the organization's risk appetite. The risk owner documents the risk and formally accepts it. This is an example of which risk treatment option?

A.Accept
B.Mitigate
C.Transfer
D.Avoid
AnswerA

Acceptance means acknowledging and bearing the risk.

Why this answer

When a risk is within appetite, it may be formally accepted with sign-off.

109
Multi-Selectmedium

Which TWO of the following are examples of corrective controls?

Select 2 answers
A.Encryption of data at rest
B.Disaster recovery plan execution
D.Backup restoration
E.Access control lists
AnswersB, D

Recovery after disaster is corrective.

Why this answer

Disaster recovery plan execution (B) is a corrective control because it is activated after a disruptive event to restore normal operations, executing predefined procedures to recover systems and data. Backup restoration (D) is likewise corrective: restoring data from backup repairs the loss after it has happened. Encryption of data at rest (A) and access control lists (E) are preventive because they act before an event occurs.

Exam trap

The trap here is that candidates confuse detective controls (like IDS) with corrective controls because both come into play once an incident is under way, but a detective control only identifies and reports the event, whereas a corrective control acts to fix or recover from it.

110
Multi-Selecthard

During an IT risk assessment, a risk owner has identified a risk with a high inherent risk score. After reviewing control effectiveness, the residual risk remains medium. The organization decides to accept the residual risk. Which TWO of the following actions should the risk owner take?

Select 2 answers
A.Transfer the risk to a third party
B.Eliminate the activity that creates the risk
C.Obtain sign-off from the risk owner
D.Implement additional controls to reduce risk further
E.Document the risk acceptance formally
AnswersC, E

The risk owner must formally approve acceptance.

Why this answer

Option C is correct because the risk owner must formally acknowledge and accept the residual risk after the decision to accept has been made. This sign-off demonstrates that the risk owner is aware of the remaining exposure and agrees to the risk acceptance, which is a key governance step in the risk management process. Without this sign-off, the acceptance is not formally recognized, and accountability remains unclear.

Exam trap

The trap here is that candidates may confuse risk acceptance with other risk treatment options (transfer, avoid, mitigate) and fail to recognize that after deciding to accept, the key actions are formal sign-off and documentation, not further risk reduction or transfer.

111
MCQhard

After implementing controls, the risk remaining is called:

A.Control risk
B.Acceptable risk
C.Residual risk
D.Inherent risk
AnswerC

Residual risk = inherent risk adjusted for control effectiveness.

Why this answer

Residual risk is the risk remaining after controls are applied, calculated by adjusting inherent risk for control effectiveness.

112
MCQmedium

A company is evaluating controls for a high-risk process. Which control type is designed to stop a risk event from occurring?

A.Preventive
B.Detective
C.Corrective
D.Compensating
AnswerA

Preventive controls, such as access controls and encryption, stop risk events.

Why this answer

A preventive control is designed to stop a risk event from occurring by placing a barrier or safeguard in front of the event. For a high-risk process this might be access control lists (ACLs) on a firewall that block unauthorized traffic, or input validation in an application that rejects malformed data before it can trigger a buffer overflow. By blocking the threat vector, preventive controls lower the likelihood of the risk event; they rarely remove it entirely, which is why detective and corrective controls are layered behind them.

Exam trap

The exam often tests the distinction between preventive and detective controls by presenting a scenario where a control identifies a threat (e.g., an IDS alert) and candidates mistakenly classify it as preventive, when in fact it only detects the event after it has begun.

How to eliminate wrong answers

Option B is wrong because detective controls, such as intrusion detection systems (IDS) or log monitoring, only identify that a risk event has occurred or is in progress; they do not prevent it. Option C is wrong because corrective controls, like restoring from a backup after a ransomware attack or applying a patch to fix a vulnerability, are activated after the risk event has already happened to restore normal operations. Option D is wrong because 'compensating' describes a control's role, not its timing: a compensating control substitutes for a primary control that cannot be implemented (for example, a web application firewall standing in for secure coding that cannot be retrofitted). A compensating control may itself be preventive, detective or corrective, so it is not the answer to a question about which control type stops events.

113
MCQhard

A risk analyst is assessing a critical application's inherent risk. After implementing controls, the residual risk is calculated as high. The analyst determines that the control design is adequate but operating effectiveness is poor. Which factor most likely explains the high residual risk?

A.Control design is inadequate
B.Control operating effectiveness is poor
C.Risk appetite was misstated
D.Inherent risk is too low
AnswerB

Correct; poor operation means controls don't reduce risk as expected.

Why this answer

Residual risk = inherent risk adjusted for control effectiveness. If controls are well-designed but not operating effectively, they fail to reduce risk as intended, leading to high residual risk.

114
Multi-Selecteasy

An organization is implementing controls to mitigate the risk of data exfiltration. Which TWO control types would be considered preventive? (Select TWO)

Select 2 answers
A.Incident response plan
B.Backup restoration procedures
C.Log monitoring and analysis
D.Access controls to restrict data access
E.Data encryption at rest and in transit
AnswersD, E

Access controls prevent unauthorized access, thus preventive.

Why this answer

Preventive controls aim to stop a risk event from occurring. Access controls prevent unauthorized access, and encryption prevents data from being read if exfiltrated. Log monitoring is detective, and backup restoration is corrective.

115
Multi-Selectmedium

An organization is using the FAIR framework to perform a quantitative risk analysis for a data breach scenario. Which THREE of the following are components of the Annualized Loss Expectancy (ALE) calculation in FAIR?

Select 3 answers
A.Annualized Rate of Occurrence (ARO)
B.Loss Event Frequency (LEF)
C.Single Loss Expectancy (SLE)
D.Loss Magnitude (LM)
E.Exposure Factor (EF)
AnswersA, C, E

ARO is used in traditional ALE = ARO × SLE.

Why this answer

In the FAIR framework, Annualized Loss Expectancy (ALE) is calculated as ARO × SLE. ARO (Annualized Rate of Occurrence) is a direct component of ALE, representing the expected number of loss events per year. This is a core part of the quantitative risk analysis formula used in FAIR.

Exam trap

The trap here is that candidates confuse the FAIR-specific terms (LEF and LM) with the traditional quantitative risk analysis components (ARO and SLE), leading them to select LEF or LM instead of recognizing that ALE directly uses ARO and SLE.

116
MCQmedium

An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?

A.Critical
B.Medium
C.Low
D.High
AnswerD

Score 12 is within the high range.

Why this answer

Risk score = 3 × 4 = 12, which falls in the high range (12-25).

117
MCQeasy

A risk assessment using a 5x5 heat map with likelihood and impact scores is an example of which type of risk analysis?

A.Semi-quantitative risk analysis
B.Factor Analysis of Information Risk (FAIR)
C.Qualitative risk analysis
D.Quantitative risk analysis
AnswerC

Heat maps are a common qualitative tool.

Why this answer

A 5x5 heat map uses ordinal scales (e.g., 1–5) for likelihood and impact, which are subjective categories rather than precise numerical values. This places it in qualitative risk analysis, where risks are ranked by descriptive labels (e.g., Low, Medium, High) without monetary or statistical quantification.

Exam trap

The trap here is that candidates confuse the use of numbers (1–5) with quantitative analysis, but the 5x5 heat map remains qualitative because the numbers are labels, not measured values with arithmetic meaning.

How to eliminate wrong answers

Option A is wrong because semi-quantitative risk analysis assigns numerical weights or scores to qualitative categories (e.g., 1–5) and performs arithmetic (e.g., multiplying likelihood × impact) to produce a relative ranking, but the 5x5 heat map itself is a qualitative tool that does not require arithmetic—it is a mapping of ordinal inputs to a color-coded grid. Option B is wrong because FAIR (Factor Analysis of Information Risk) is a quantitative framework that decomposes risk into measurable factors (e.g., loss event frequency, loss magnitude) using Monte Carlo simulations and dollar values, not a simple 5x5 heat map. Option D is wrong because quantitative risk analysis uses hard data (e.g., annualized loss expectancy, probability percentages) to compute risk in monetary terms, whereas the 5x5 heat map relies on subjective expert judgment and ordinal scales.

118
MCQmedium

An organization implements an intrusion detection system (IDS) to monitor for security incidents. This is an example of which type of control?

A.Detective
B.Corrective
C.Compensating
D.Preventive
AnswerA

IDS detects incidents after they occur.

Why this answer

An intrusion detection system (IDS) is a detective control because it monitors network traffic or system activity for signs of malicious behavior or policy violations and generates alerts when such patterns are detected. Unlike preventive controls, an IDS does not block or stop the attack in real time; it only identifies and reports the incident for subsequent investigation and response.

Exam trap

The trap here is that candidates often confuse an IDS with an IPS (Intrusion Prevention System), which is a preventive control because it can actively block traffic, whereas the question specifically asks about an IDS, which is purely detective.

How to eliminate wrong answers

Option B (Corrective) is wrong because corrective controls are actions taken to remediate or reverse the effects of an incident after it has been detected, such as patching a vulnerability or restoring from backup, whereas an IDS only alerts and does not perform remediation. Option C (Compensating) is wrong because compensating controls are alternative measures implemented when a primary control cannot be applied, such as using additional logging when encryption is not feasible, but an IDS is a standard control, not a substitute for another control. Option D (Preventive) is wrong because preventive controls are designed to stop an incident before it occurs, like a firewall blocking unauthorized traffic, while an IDS passively monitors and does not block or prevent attacks.

119
MCQeasy

Which risk treatment option involves formally acknowledging the risk and taking no further action, provided the risk is within the organization's risk appetite?

A.Avoid
B.Transfer
C.Mitigate
D.Accept
AnswerD

Acceptance means the risk is within appetite and formally accepted.

Why this answer

Acceptance is a formal decision to tolerate a risk within appetite, with documented sign-off.

120
MCQhard

An organization using the FAIR framework estimates that a threat event frequency (TEF) is 10 per year, vulnerability is 0.2, and loss magnitude per event is $500,000. What is the annualized loss expectancy (ALE)?

A.$500,000
B.$1,000,000
C.$100,000
D.$2,500,000
AnswerB

ALE = TEF × Vulnerability × Loss Magnitude = 10 × 0.2 × $500,000 = $1,000,000.

Why this answer

The FAIR framework calculates ALE as TEF × Vulnerability × Loss Magnitude. Here, 10 × 0.2 × $500,000 = $1,000,000. This correctly incorporates the vulnerability factor (0.2) as a probability of threat success, yielding the expected annual loss.

Exam trap

The trap here is that candidates often forget to multiply by the vulnerability factor, assuming TEF already accounts for success, and thus incorrectly select $500,000 (option A) or $5,000,000 (not listed), rather than applying the full FAIR formula.

How to eliminate wrong answers

Option A is wrong because it omits the vulnerability factor (0.2), treating TEF as 10 and loss magnitude as $500,000 directly, which would only be correct if vulnerability were 1.0. Option C is wrong because it correctly reduces TEF (10) × vulnerability (0.2) to 2 loss events per year but then mis-multiplies 2 × $500,000 as $100,000, a decimal-placement error. Option D is wrong because it multiplies TEF (10) by loss magnitude ($500,000) to get $5,000,000 and then divides by vulnerability (0.2) or otherwise misapplies the formula, arriving at an inflated value of $2,500,000.

121
MCQmedium

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

A.Threat Event Frequency + Vulnerability
B.Annualized Rate of Occurrence × Single Loss Expectancy
C.Loss Magnitude × Vulnerability
D.Threat Event Frequency × Vulnerability
AnswerD

This is the correct formula.

Why this answer

FAIR defines LEF = Threat Event Frequency × Vulnerability (probability that a threat event results in a loss event).

122
MCQeasy

Which of the following best describes an advantage of qualitative risk analysis over quantitative risk analysis?

A.It is objective and comparable across organizations
B.It is quick and easy to communicate
C.It requires less data than quantitative analysis
D.It provides financially meaningful results
AnswerB

Qualitative analysis is faster and easier to communicate to non-technical stakeholders.

Why this answer

Qualitative analysis is quick and easy to communicate, while quantitative is more objective but data-intensive.

123
MCQmedium

In the FAIR framework, what does Loss Event Frequency (LEF) represent?

A.The number of threat events per year
B.The expected number of loss events per year
C.The probability that a threat event will result in a loss
D.The total financial loss per event
AnswerB

LEF = TEF × V, giving the frequency of losses.

Why this answer

LEF is the product of Threat Event Frequency (TEF) and Vulnerability (V), representing how often a loss event is expected to occur.

124
MCQmedium

During a risk assessment, a risk is assigned a likelihood of 'High' and an impact of 'Medium' on a 5×5 heat map. What is the risk rating?

A.Critical
B.Low
C.Medium
D.High
AnswerD

A combination of High likelihood and Medium impact yields a High risk rating in most 5×5 matrices.

Why this answer

On a 5×5 matrix, High likelihood × Medium impact typically results in a High risk rating (e.g., 4×3 = 12, which is often in the high range).

125
MCQeasy

Which of the following is an example of a preventive control?

A.Encryption of sensitive data
B.Incident response plan
D.Security logs
AnswerA

Encryption prevents unauthorized disclosure.

Why this answer

Encryption prevents unauthorized access, making it preventive.

126
Multi-Selectmedium

A company is performing a qualitative risk analysis for a new cloud migration project. Which TWO of the following are recognized limitations of qualitative risk analysis?

Select 2 answers
A.Risk ratings are not easily comparable across different organizations
B.It requires extensive historical data
C.It is time-consuming and complex to perform
D.Results are subjective and depend on the assessor's judgment
E.It provides financially precise loss estimates
AnswersA, D

Different organizations may use different scales or interpretations.

Why this answer

Qualitative analysis is subjective and not comparable across organizations due to lack of standardized scales.

127
MCQmedium

A risk manager is prioritizing risks based on their inherent risk scores. Which of the following factors should be considered when prioritizing treatment actions?

A.The cost-benefit analysis of controls
B.The residual risk after controls
C.Only the inherent risk score
D.The likelihood of control failure
AnswerA

Cost-benefit analysis helps determine which controls provide the best risk reduction for the cost.

Why this answer

Prioritization should consider the risk level and the cost-benefit of controls to ensure efficient use of resources.

128
Multi-Selectmedium

A company is assessing the impact of a potential ransomware attack. Which TWO impact categories are considered operational impacts?

Select 2 answers
A.Share price impact
B.System downtime
C.Regulatory fines
D.Productivity loss
E.Customer trust loss
AnswersB, D

System downtime directly affects operations.

Why this answer

Operational impacts include system downtime and productivity loss. Regulatory fines (a financial impact) and loss of customer trust or share price (reputational and financial impacts) belong to separate categories.

129
MCQeasy

Which of the following is a key advantage of using a quantitative risk analysis approach such as FAIR?

A.Quick to perform with minimal data
B.Produces objective, comparable financial metrics
C.Provides subjective rankings easy to communicate
D.Eliminates uncertainty in risk estimates
AnswerB

Quantitative analysis yields monetary values and statistical probabilities.

Why this answer

Quantitative analysis provides objective, financially meaningful results that can be compared across organizations.

130
MCQmedium

An organization calculates the annualized loss expectancy (ALE) for a cyber attack scenario. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 2. What is the ALE?

A.$25,000
B.$50,000
C.$200,000
D.$100,000
AnswerD

ALE = ARO × SLE = 2 × $50,000 = $100,000.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Given an SLE of $50,000 and an ARO of 2, the ALE is $50,000 × 2 = $100,000. This is the expected financial loss from the cyber attack scenario over one year.

Exam trap

The trap here is that candidates often confuse the relationship between SLE and ARO, mistakenly dividing instead of multiplying, or misapplying the ARO as a squared term, leading to incorrect ALE values like $25,000 or $200,000.

How to eliminate wrong answers

Option A is wrong because $25,000 would result from dividing the SLE by the ARO (50,000 / 2), which incorrectly treats the relationship as a division rather than multiplication. Option B is wrong because $50,000 equals the SLE alone, ignoring the ARO of 2, which would only be correct if the ARO were 1. Option C is wrong because $200,000 would result from multiplying the SLE by the ARO squared (50,000 × 4), a common miscalculation that applies the ARO twice.

131
Multi-Selecthard

An organization is evaluating the impact of a potential data breach. Which THREE of the following are considered indirect financial impacts?

Select 3 answers
A.Incident response costs
B.Legal fees from lawsuits
C.Notification costs to affected individuals
D.Lost customer business
E.Reputation damage leading to lower stock price
AnswersB, D, E

Legal fees can be indirect or direct; in this context, they are often indirect costs of defending lawsuits.

Why this answer

Indirect financial impacts include lost business, reputation damage, and opportunity costs.

132
MCQmedium

A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?

A.ALE = $400,000; maximum possible loss
B.ALE = $100,000; single loss expectancy
C.ALE = $100,000; expected annual loss
D.ALE = $200,000; annual cost of controls
AnswerC

Correct calculation and interpretation.

Why this answer

ALE = ARO × SLE = 0.5 × $200,000 = $100,000. This means the expected annual loss from this risk is $100,000.

133
MCQmedium

During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?

A.Controls are effective in reducing the risk level
B.Additional controls are unnecessary
C.Controls are not effective because residual risk remains
D.The inherent risk was overestimated
AnswerA

Significant reduction from 25 to 9 indicates effective controls.

Why this answer

A reduction from 25 to 9 indicates controls are effective in reducing risk. High inherent risk does not automatically mean high residual risk; controls can reduce it significantly.

134
Multi-Selectmedium

A risk practitioner is conducting a business impact assessment for a critical application. Which TWO of the following are examples of direct financial costs? (Select TWO)

Select 2 answers
A.Incident response costs
B.Reputation damage
C.Regulatory fines
D.Lost business due to downtime
E.Recovery costs
AnswersA, E

Direct cost of responding to a breach.

Why this answer

Incident response and recovery costs are direct financial costs. Lost business and reputational damage are indirect costs.

135
Multi-Selectmedium

Which THREE of the following are components of Loss Magnitude in the FAIR framework?

Select 3 answers
A.Reputational damage
B.Vulnerability severity
C.Incident response costs
D.Recovery costs
E.Threat event frequency
AnswersA, C, D

Reputational damage is part of secondary loss; incident response and recovery costs are primary loss.

Why this answer

FAIR splits Loss Magnitude into primary loss (direct costs) and secondary loss (indirect costs). Primary loss includes incident response and recovery; secondary loss includes reputation and lost business.

136
MCQhard

In a qualitative risk assessment using a 5x5 heat map, an IT risk is rated with likelihood 4 and impact 5. According to typical heat map conventions (5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational), what is the overall risk rating?

A.Low
B.Medium
C.High
D.Critical
AnswerD

Correct. 4x5=20 is in the critical range (15-25).

Why this answer

In a typical 5x5 risk heat map, the overall risk rating is determined by the intersection of likelihood and impact values. With likelihood 4 and impact 5, the cell falls in the 'Critical' zone (commonly defined as likelihood 4-5 and impact 4-5). This aligns with the convention where 5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational, making D the correct answer.

Exam trap

The trap here is that candidates may incorrectly multiply likelihood and impact (4 x 5 = 20) and then try to map that product to a rating, rather than using the heat map's intersection logic, leading them to choose 'High' instead of 'Critical'.

How to eliminate wrong answers

Option A is wrong because a likelihood of 4 and impact of 5 produce a risk score well above the threshold for 'Low' (which typically covers likelihood 1-2 and impact 1-2). Option B is wrong because 'Medium' risk usually corresponds to likelihood 2-3 and impact 2-3, not the high values given. Option C is wrong because while 'High' (rating 4) is close, the combination of likelihood 4 and impact 5 maps to the highest severity zone (Critical), not High, in standard heat map conventions.

137
MCQhard

A company has an inherent risk score of 20 for a specific threat. After implementing controls, the control effectiveness is assessed as 60% (design adequacy 70%, operating effectiveness 85%). What is the approximate residual risk score?

A.14
B.6
C.8
D.12
AnswerC

20 × (1 - 0.6) = 8.

Why this answer

Residual risk = Inherent risk × (1 - Control effectiveness). Control effectiveness = 0.6. Residual risk = 20 × 0.4 = 8.

138
MCQeasy

Which of the following is a limitation of quantitative risk analysis?

A.Results are not comparable across organizations.
B.It is data-intensive and time-consuming.
C.It is subjective and difficult to communicate.
D.It does not provide financially meaningful values.
AnswerB

Quantitative methods require reliable data and significant effort.

Why this answer

Quantitative analysis requires detailed data and is time-consuming, which can be a significant limitation.

139
MCQeasy

When prioritizing risk treatment actions, which factor is most important to consider alongside the risk level?

A.Cost-benefit analysis of controls
B.Number of stakeholders involved
C.Regulatory requirements only
D.Time required to implement controls
AnswerA

Prioritization should consider the cost-effectiveness of controls.

Why this answer

Risk treatment prioritization must balance the cost of controls against the expected reduction in risk. A cost-benefit analysis ensures that the selected controls provide a net positive value, preventing over-investment in low-impact risks or under-investment in high-impact ones. This aligns with the ISACA Risk IT Framework, which emphasizes that risk treatment decisions should be economically justified.

Exam trap

The trap here is that candidates often prioritize regulatory compliance or implementation speed over economic justification, but CRISC emphasizes that risk treatment must be cost-effective to ensure sustainable risk management.

How to eliminate wrong answers

Option B is wrong because the number of stakeholders involved does not directly determine the effectiveness or efficiency of risk treatment; while stakeholder input is important, it is secondary to the economic justification of controls. Option C is wrong because regulatory requirements are only one subset of risk treatment drivers; focusing solely on them ignores other critical factors like operational impact and cost, leading to suboptimal risk management. Option D is wrong because time to implement is a scheduling constraint, not a primary decision factor; a quick fix that is not cost-effective may waste resources and fail to address the root risk.

140
Multi-Selectmedium

An organization is evaluating the business impact of a potential ransomware attack. Which TWO impact categories should be considered as direct financial losses? (Select TWO)

Select 2 answers
A.Incident response and recovery costs
B.Reputation damage and customer trust loss
C.Lost business due to downtime
D.Notification costs to affected parties
E.Regulatory fines
AnswersA, D

These are direct costs of responding to and recovering from the attack.

Why this answer

Direct financial losses include costs directly incurred from the incident, such as incident response and recovery, and notification costs. Lost business and reputation damage are indirect costs.
