CAS-002 Question #898: Real Exam Question with Answer & Explanation
The correct answer is C: Quantitative Risk Analysis. Quantitative risk analysis assigns specific monetary values to risk scenarios, making it the correct tool for demonstrating the financial impact of the identified network vulnerability to the retailer.
Question
A well-known retailer has experienced a massive credit card breach. The retailer had gone through an audit and had been presented with a potential problem on their network. Vendors were authenticating directly to the retailer's AD servers, and an improper firewall rule allowed pivoting from the AD server to the DMZ where the credit card servers were kept. The firewall rule was needed for an internally developed application, which presents risk. The retailer determined that because the vendors were required to have site-to-site VPNs, no other security action was taken. To prove to the retailer the monetary value of this risk, which of the following types of calculation is needed?
Options
- A. Residual risk calculation
- B. A cost/benefit analysis
- C. Quantitative risk analysis
- D. Qualitative risk analysis
Explanation
Quantitative risk analysis expresses risk in money, which is what the question asks for. Applied to this scenario, it assigns an asset value (AV) to the cardholder data environment, estimates the exposure factor (EF) of a breach that reaches it through the vendor-to-AD-to-DMZ pivot path, computes the single loss expectancy (SLE = AV × EF), estimates the annualized rate of occurrence (ARO) of the firewall rule being abused, and multiplies to get the annualized loss expectancy (ALE = SLE × ARO). That ALE is the monetary value of the risk the retailer accepted when it relied on the site-to-site VPNs alone and took no further action.
Common mistakes.
- A. Residual risk calculation measures the risk that remains after existing controls are applied, not the monetary value of the specific unmitigated vulnerability that was identified.
- B. A cost/benefit analysis compares the expense of implementing a control against its projected benefit but does not independently quantify the monetary value of the threat itself.
- D. Qualitative risk analysis assigns descriptive ratings such as high, medium, or low to risks rather than the specific monetary values needed to prove financial impact.
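The following Python is an added worked example, not part of the original page, that carries the scenario through the ALE formulas and shows how the four answer options differ: the same SLE feeds the quantitative ALE (C), the residual ALE after a control (A), the safeguard value used in a cost/benefit decision (B), and a qualitative label (D). The asset value, exposure factor, rates of occurrence, control cost and rating thresholds are constructed for illustration and are not the retailer's real figures.

```python
"""Quantitative risk analysis (ALE) for the vendor-to-CDE pivot path.

Added example, not from the original page. Every dollar figure, exposure
factor, rate and threshold below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: total value exposed (card data, fines, remediation)
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year with current controls


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # yearly cost to implement and operate the safeguard
    residual_aro: float     # ARO that remains once the control is in place


def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE = AV x EF: the loss from a single occurrence."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if s.asset_value < 0 or s.aro < 0:
        raise ValueError("asset value and ARO must be non-negative")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE x ARO: the yearly monetary value of the risk (answer C)."""
    return single_loss_expectancy(s) * s.aro


def residual_ale(s: RiskScenario, c: Control) -> float:
    """Residual risk (answer A): the ALE that remains after the control lowers ARO."""
    if c.residual_aro > s.aro:
        raise ValueError("a control should not raise the rate of occurrence")
    return single_loss_expectancy(s) * c.residual_aro


def safeguard_value(s: RiskScenario, c: Control) -> float:
    """Cost/benefit (answer B): ALE before - ALE after - annual cost of the control.

    A positive value means the control pays for itself; it needs the ALE as
    an input, which is why B alone cannot 'prove' the monetary value.
    """
    return annualized_loss_expectancy(s) - residual_ale(s, c) - c.annual_cost


def qualitative_rating(ale: float) -> str:
    """Qualitative analysis (answer D): a label instead of a dollar figure.
    Thresholds are constructed for this example."""
    if ale >= 1_000_000:
        return "high"
    if ale >= 100_000:
        return "medium"
    return "low"


# Constructed scenario: vendors authenticate to AD, a permissive firewall rule
# lets an attacker pivot from AD into the DMZ that holds the card servers.
BREACH = RiskScenario(
    name="vendor AD access pivots to card servers via permissive firewall rule",
    asset_value=50_000_000.0,   # constructed: cards, fines, forensics, brand damage
    exposure_factor=0.5,        # constructed: half the value lost per incident
    aro=0.25,                   # constructed: expected once every four years
)

# Constructed control: stop vendors authenticating to AD directly and
# restrict the firewall rule to the internal application's source and port.
FIX = Control(
    name="broker vendor auth; scope firewall rule to app source/port",
    annual_cost=250_000.0,      # constructed
    residual_aro=0.02,          # constructed: once every fifty years
)


def risk_report(s: RiskScenario, c: Control) -> dict:
    """Collect the four figures so they can be compared side by side."""
    ale = annualized_loss_expectancy(s)
    return {
        "SLE": single_loss_expectancy(s),
        "ALE (quantitative, answer C)": ale,
        "residual ALE (answer A)": residual_ale(s, c),
        "safeguard value (cost/benefit, answer B)": safeguard_value(s, c),
        "qualitative rating (answer D)": qualitative_rating(ale),
    }


if __name__ == "__main__":
    for k, v in risk_report(BREACH, FIX).items():
        print(f"{k}: {v:,.0f}" if isinstance(v, float) else f"{k}: {v}")
```

With the constructed inputs the SLE is $25,000,000 and the ALE is $6,250,000 per year; that ALE is the number that answers the retailer's question. The residual ALE of $500,000 and the safeguard value of $5,500,000 only exist once the ALE has been computed, and the "high" label carries no dollar amount at all.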
Concept tested. Quantitative risk analysis - ALE-based monetary valuation
Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final