Quiz: Risk Management

A 27-question self-check covering the chapter's process, formulas, treatment options, and communication. Questions tagged [Sec+] map to CompTIA Security+ domains and [CISSP] to (ISC)² CISSP domains — the SLE/ARO/ALE calculations and the four treatment options appear on both exams, often as scenario or calculation items. Answers and one-line explanations are at the end; try the whole quiz first.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The dollar amount of loss expected from a single occurrence of a risk event is the: A. ALE B. SLE C. ARO D. EF

2. [Sec+] The formula for annualized loss expectancy is: A. $ALE = AV \times EF$ B. $ALE = SLE \times ARO$ C. $ALE = AV \times ARO$ D. $ALE = SLE \div ARO$

3. An event is expected to occur once every four years. Its annualized rate of occurrence (ARO) is: A. 4.0 B. 1.0 C. 0.25 D. 0.4

4. [CISSP] Purchasing cyber-insurance to cover the financial impact of a breach is an example of risk: A. mitigation B. avoidance C. transfer D. acceptance

5. [CISSP] Discontinuing a risky product line so the risk no longer exists is risk: A. acceptance B. avoidance C. transfer D. mitigation

6. The risk that remains after controls are applied is called: A. inherent risk B. residual risk C. total risk D. transferred risk

7. [Sec+] A 5×5 grid of likelihood against impact, colored by severity, is a: A. risk register B. risk matrix / heat map C. risk-appetite statement D. control framework

8. Which is the primary difference between qualitative and quantitative risk analysis? A. qualitative is always more accurate B. quantitative uses measured units (dollars, probabilities) while qualitative uses ordinal labels C. qualitative is only for compliance D. they are the same thing

9. [CISSP] Which standard is the U.S. federal Guide for Conducting Risk Assessments? A. ISO/IEC 27001 B. NIST SP 800-30 C. PCI-DSS D. NIST SP 800-207

10. The exposure factor (EF) represents: A. how often an event occurs per year B. the total asset value C. the percentage of an asset's value lost in a single event D. the cost of the safeguard

11. [Sec+] A control is financially worth deploying when: A. it eliminates all risk B. $ALE_{\text{before}} - ALE_{\text{after}} - ACS > 0$ C. it is required by a vendor D. its purchase price is below the SLE

12. Who should be named as the risk owner for an enterprise risk to the online-banking platform? A. the SOC analyst B. the security engineer C. the business leader with budget/authority (e.g., Head of Digital Banking) D. the external auditor

13. [CISSP] Risk appetite is best described as: A. the specific dollar threshold for a single risk B. the broad, strategic amount and type of risk an organization is willing to accept C. the list of accepted risks D. the same as residual risk

14. A risk-management program differs from a single risk assessment chiefly in that it is: A. cheaper B. continuous and organization-wide C. only for regulated firms D. purely quantitative

15. [Sec+] Which is the only treatment that can reduce a risk's residual level to genuinely zero? A. mitigate B. transfer C. avoid D. accept


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

16. "A risk acceptance is illegitimate; a real security program treats every identified risk."

17. [Sec+] "Buying cyber-insurance means the organization is no longer accountable to regulators for a breach."

18. "Because qualitative scores are numbers, you can average the whole register to report a single 'organizational risk score.'"

19. "SLE is a per-event figure and ALE is a per-year figure, so a one-time safeguard purchase must be annualized before comparing it to ALE."

20. "A board should be shown only the risks the security team has already fixed, to avoid alarming the directors."

21. [CISSP] "Inherent risk is the exposure that exists before any controls are applied."


Section 3 — Fill in the blank (1 pt each)

22. The four risk-treatment options are mitigate, transfer, avoid, and __.

23. $SLE = AV \times$ __ .

24. [Sec+] Risk __ is the broad strategic willingness to take risk; risk __ is the concrete operational threshold around it.

25. The living, authoritative record of identified risks, their analysis, treatment, and ownership is the risk __.


Section 4 — Short answer (2 pts each)

26. [CISSP] A risk has AV \$400,000, EF 0.5, and ARO 2.0. (a) Compute SLE and ALE. (b) A control costs \$150,000/year and would cut the ARO to 0.5 (EF unchanged). Compute the new ALE and the net annual value of the control, and state whether to deploy it.

27. [Sec+] Explain in two or three sentences why a CISO presents risk to the board in business terms (money, customers, regulatory exposure) rather than technical terms (CVEs, CVSS, ATT&CK), and why accepted risks must appear in that presentation.


Answer Key

1. **B** — SLE is loss per single event.

2. **B** — $ALE = SLE \times ARO$.

3. **C** — once per 4 years = 0.25/year.

4. **C** — insurance shifts financial impact to a third party = transfer.

5. **B** — stopping the activity = avoidance (the only path to zero).

6. **B** — residual risk remains after controls.

7. **B** — a risk matrix / heat map.

8. **B** — quantitative uses measured units; qualitative uses ordinal labels.

9. **B** — NIST SP 800-30.

10. **C** — EF is the fraction of asset value lost per event.

11. **B** — net value $= ALE_{\text{before}} - ALE_{\text{after}} - ACS$ must be positive.

12. **C** — the business owner with authority and budget.

13. **B** — appetite is the broad strategic willingness.

14. **B** — continuous and organization-wide.

15. **C** — avoidance removes the activity/asset entirely.

16. **F** — acceptance is a legitimate, often correct treatment when the cost of further treatment exceeds the benefit or the residual is within appetite; it must be documented, owned, and time-bounded.

17. **F** — insurance transfers financial impact, not accountability; the organization remains responsible to regulators and customers.

18. **F** — ordinal scores are labels, not quantities; averaging them is a category error.

19. **T** — every figure in the comparison must be on the same (annual) basis.

20. **F** — the board's duty of care requires it to knowingly accept retained risks, so accepted risks must be shown.

21. **T** — inherent risk is the pre-control exposure.

22. accept.

23. EF (exposure factor).

24. appetite; tolerance.

25. register.

26. (a) $SLE = \$400{,}000 \times 0.5 = \$200{,}000$; $ALE = \$200{,}000 \times 2.0 = \$400{,}000$/yr. (b) $ALE_{\text{after}} = \$200{,}000 \times 0.5 = \$100{,}000$; net value $= \$400{,}000 - \$100{,}000 - \$150{,}000 = +\$150{,}000$/yr → deploy it (reduces expected loss by \$300K, costs \$150K).

27. Boards reason in money, customers, regulation, and strategy, so business-framed risk is what they can actually decide and fund; a technical statement (1,400 CVEs) is not a decision. Accepted risks must appear because the board's legal duty of care requires it to knowingly ratify the risks the organization is carrying — hiding them prevents the board from doing its job and exposes the directors personally.

**Topics to review by question:** missed 1–3, 10, 23, 26 → §27.3 (SLE/ARO/ALE); 4–5, 15, 16, 22 → §27.4 (treatment); 6, 21 → §27.4 (inherent/residual); 7–8, 18 → §27.2 (qual/quant + matrix); 9, 14 → §27.1 (process/standards); 11, 19 → §27.3 (cost-benefit/annualization); 12, 25 → §27.5 (register/ownership); 13, 24 → §27.5 (appetite/tolerance); 17 → §27.4 (transfer ≠ accountability); 20, 27 → §27.6 (communicating up / duty of care).