
CERTIFIED-IN-CYBERSECURITY Question #397: Real Exam Question with Answer & Explanation

The correct answer is C: A possible event that can negatively impact the organization.

Security Principles

Question

What is the definition of a Risk?

Options

  • A. An exploitable weakness or flaw in a system or component
  • B. An individual or a group posing a threat
  • C. A possible event that can negatively impact the organization
  • D. A means by which a Threat Actor gains access to systems

Explanation

A risk in cybersecurity refers to an event that, if it were to occur, could have negative consequences for an organization or system (see ISC2 Study Guide, Chapter 1, Module 2). For example, a potential risk to a banking system is a cyber attack that breaches secure customer information, potentially resulting in financial loss and damage to the bank's reputation. Regarding the other options: an individual or group that poses a threat defines a threat actor, but a threat actor only constitutes a risk when it has the intent coupled with the ability to exploit a vulnerability. The method or tactic that a threat actor might use to gain unauthorized access to systems is known as an exploit; this exploit only becomes a risk when it is used against a vulnerable system that, if compromised, will have a negative impact on the organization. Finally, a flaw or weakness in a system that can be exploited by a threat actor defines a vulnerability. Vulnerable systems are only one component of risk, because a vulnerability does not by itself create risk without a threat actor willing and able to exploit it. Therefore, while vulnerabilities can lead to risk, they are not risk itself.

Topics

#Risk Management #Cybersecurity Concepts #Definitions #Security Principles
