312-50V13 Question #2: Real Exam Question with Answer & Explanation
Question
What term describes the amount of risk that remains after the vulnerabilities are classified and the countermeasures have been deployed?
Options
- A. Residual risk
- B. Impact risk
- C. Deferred risk
- D. Inherent risk
Explanation
The correct answer is A: Residual risk. Residual risk is the risk that remains after security controls, countermeasures, and mitigation strategies have been applied to identified vulnerabilities - it represents what's left over that the organization must accept, transfer, or continue to address.
Why the distractors are wrong:
- B. Impact risk is not a standard risk management term; "impact" refers to the severity or consequence of a threat, not a category of remaining risk.
- C. Deferred risk is not a recognized term in standard risk frameworks; it implies postponing action but doesn't describe the post-control risk state.
- D. Inherent risk is actually the opposite concept - it's the level of risk that exists before any controls or countermeasures are applied.
Memory tip: Think of "residual" like the residue left in a container after you've poured most of it out. You've applied your countermeasures (poured out the risk), but some always sticks to the sides - that leftover "residue" is your residual risk. A useful formula to remember: Inherent Risk − Controls = Residual Risk.