CompTIA
CAS-002 · Question #755
CAS-002 Question #755: Real Exam Question with Answer & Explanation
The correct answer is B: Potential Loss x Event Probability x Control Failure Probability. The best risk calculation formula accounts for the magnitude of potential loss, the probability of a threat event occurring, and the probability that existing controls will fail to prevent it.
Question
Which of the following provides the BEST risk calculation methodology?
Options
- A. Annual Loss Expectancy (ALE) x Value of Asset
- B. Potential Loss x Event Probability x Control Failure Probability
- C. Impact x Threat x Vulnerability
- D. Risk Likelihood x Annual Loss Expectancy (ALE)
Explanation
The best risk calculation formula accounts for the magnitude of potential loss, the probability of a threat event occurring, and the probability that existing controls will fail to prevent it.
Common mistakes.
- A. ALE already embeds asset value through Single Loss Expectancy (SLE = Asset Value x Exposure Factor), so multiplying ALE by asset value again double-counts that component.
- C. Impact x Threat x Vulnerability is a simplified qualitative risk model used for rough prioritization, not a rigorous quantitative risk calculation methodology.
- D. ALE is calculated as SLE x ARO (Annual Rate of Occurrence), meaning likelihood is already baked into ALE, making this multiplication circular and mathematically redundant.
Concept tested. Quantitative risk calculation formula components
Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final