CAS-003 Question #907: Real Exam Question with Answer & Explanation
The correct answer is D: Measurements of ALE vs SLE and downtime.
Question
Options
- A. Broad spectrum threat analysis
- B. Adherence to quantitative vs qualitative methods
- C. A focus on current state without regard to cost
- D. Measurements of ALE vs SLE and downtime
Explanation
The key distinction lies in what each exercise measures. A Risk Assessment quantifies risk in financial terms using metrics such as SLE (Single Loss Expectancy, the expected loss from a single incident) and ALE (Annual Loss Expectancy, computed as SLE multiplied by the annual rate of occurrence: ALE = SLE × ARO). These metrics inform investment decisions about controls, since a control is only worth funding if its annual cost is below the ALE it reduces. A Business Impact Analysis (BIA), by contrast, focuses on operational continuity: it measures the maximum tolerable downtime for each business process and uses that to establish the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). In short, risk assessments measure potential financial loss (ALE/SLE), while BIAs measure acceptable operational disruption (downtime). Options A, B, and C describe attributes that can apply to both processes or to neither, and are not the defining distinction between the two from a cybersecurity standpoint.