ISC2-ISSEP Domain 2: Risk Management

1. When performing a quantitative risk analysis, which of the following metrics is essential for calculating the Annual Loss Expectancy (ALE)?
A. Threat frequency
B. Single Loss Expectancy (SLE)
C. Risk avoidance cost
D. Control efficiency rate

2. In risk management, what is the primary purpose of applying the 'risk transference' strategy?
A. To eliminate the risk by implementing controls
B. To mitigate the risk by reducing the likelihood of its occurrence
C. To accept the risk and allocate budget for potential losses
D. To shift the potential impact of the risk to a third party

3. Which of the following best describes 'residual risk'?
A. The risk remaining after all controls have been applied
B. The total risk before any controls are implemented
C. The risk associated with newly identified threats
D. The risk transferred to a third party

4. In the context of risk management, what does the term 'risk appetite' refer to?
A. The maximum level of risk that an organization is willing to accept to achieve its objectives
B. The specific amount of risk that an organization can transfer to insurance
C. The total value of risk after implementing preventative controls
D. The minimum level of risk necessary for a control to be considered cost-effective

5. What is the main objective of performing a 'risk assessment' in the context of information security?
A. To identify vulnerabilities and threats to information assets
B. To implement all possible security controls
C. To transfer all identified risks to insurers
D. To ensure compliance with all legal requirements

6. Which of the following is a primary goal of the 'risk mitigation' strategy?
A. To avoid any financial loss associated with the risk
B. To completely eliminate the identified risk
C. To reduce the impact or likelihood of the risk to an acceptable level
D. To transfer the responsibility of the risk to another entity

7. In which phase of the risk management process is 'risk identification' primarily conducted?
A. After implementing security controls
B. Before the risk analysis phase
C. During the risk monitoring phase
D. At the beginning of the risk assessment process

8. What does 'risk prioritization' involve in the context of risk management?
A. Assigning a fixed budget to each identified risk
B. Transferring all high-level risks to insurance providers
C. Ranking identified risks based on their severity and impact on the organization
D. Eliminating risks in the order they are identified

9. In the context of Risk Management, 'Control Gap Analysis' is best described as:
A. The process of identifying missing controls that could mitigate identified risks
B. A financial audit to determine the cost-effectiveness of implemented controls
C. The transfer of identified risks to third-party vendors
D. The documentation of all controls without assessing their effectiveness

10. What is the significance of 'threat modeling' in risk management?
A. It provides a framework for transferring risks to insurers.
B. It is a method for determining the financial impact of each threat.
C. It is a technique for visualizing and understanding potential threats and vulnerabilities.
D. It outlines the procedures for legal compliance in the event of a data breach.

11. In the risk management process, 'quantitative analysis' is used to:
A. Subjectively estimate the impact of risks based on expert judgment.
B. Qualitatively describe the potential outcomes of risk events.
C. Numerically estimate the probability and impact of risks.
D. Transfer the exact amount of risk to a third party based on qualitative assessments.

12. In risk management, the 'Monte Carlo Simulation' is primarily used for:
A. Determining the exact amount of insurance coverage needed for each risk.
B. Conducting a detailed legal review of compliance requirements.
C. Projecting the potential outcomes of risk scenarios based on probabilistic models.
D. Identifying new risks during the implementation phase of a project.

13. What role does 'risk tolerance' play in the development of a risk management strategy?
A. It specifies the insurance premiums payable for transferred risks.
B. It dictates the exact controls to be implemented for each identified risk.
C. It defines the organization's capacity to withstand risk without affecting its objectives.
D. It mandates the legal framework within which risk management must operate.

14. The 'Value at Risk (VaR)' model in risk management is best used to:
A. Calculate the maximum potential loss over a specified time period at a given confidence level.
B. Identify the qualitative impact of risks on organizational reputation.
C. Determine the percentage of risk transferred through contractual agreements.
D. Assess the effectiveness of implemented controls on an annual basis.

15. In the context of cybersecurity risk management, 'attack surface reduction' aims to:
A. Increase the number of potential attack vectors to spread the threat actor's efforts thin.
B. Quantify the financial impact of potential cyber-attacks for insurance purposes.
C. Minimize the number of vulnerabilities and entry points accessible to attackers.
D. Transfer the responsibility for managing cyber risks to a third-party provider.

16. The primary objective of 'Supply Chain Risk Management' (SCRM) is to:
A. Ensure the lowest cost of goods through strategic supplier negotiations.
B. Identify, assess, and mitigate risks associated with the supply chain to maintain business continuity.
C. Transfer all supply chain risks to suppliers through contractual agreements.
D. Comply with international trade regulations and avoid legal penalties.

17. In risk management, 'Key Risk Indicators (KRIs)' are used to:
A. Provide a quantitative measure that signals an increase in risk exposure.
B. Document all identified risks for audit purposes without further analysis.
C. Specify the technical details of cybersecurity threats to IT systems.
D. Measure the satisfaction level of stakeholders with the risk management process.

18. What is the significance of 'business impact analysis' (BIA) in the risk management process?
A. It identifies the insurance needs of the organization based on potential business interruptions.
B. It determines the legal responsibilities of the organization in the event of a data breach.
C. It assesses the effects of specific risks on the organization's critical business functions.
D. It calculates the annual budget required for the risk management department.

19. The process of 'risk aggregation' in an organizational context involves:
A. Combining the effect of various risks to understand the overall level of risk exposure.
B. Separating individual risks for detailed analysis and mitigation.
C. Transferring multiple risks to a single insurance policy.
D. Documenting all risks in a centralized database without analysis.

20. In the context of information security, 'Common Vulnerabilities and Exposures (CVE)' is primarily used to:
A. Provide a publicly available catalog for known cybersecurity vulnerabilities and exposures.
B. Estimate the financial impact of each vulnerability on the organization.
C. Legally transfer the risk associated with specific vulnerabilities to cybersecurity insurance.
D. Quantify the operational efficiency of the IT department.