
CISM Question #276: Real Exam Question with Answer & Explanation


Submitted by rachelw · Apr 18, 2026 · Information Security Risk Management

Question

Which of the following information BEST supports risk management decision making?

Options

  • A. Estimated savings resulting from reduced risk exposure
  • B. Results of a vulnerability assessment
  • C. Industry benchmarks of adverse risk costs
  • D. Quantification of threats through threat modeling

Explanation

The correct answer is B. Results of a vulnerability assessment best support risk management decision making because they provide organization-specific, actionable intelligence about the actual weaknesses that exist in your environment right now - giving decision makers concrete data to prioritize remediation and allocate resources.

Why the distractors fall short:

  • A (estimated savings) is an output of risk decisions, not an input - it is a business case metric used to justify spending after the risk has already been identified, not something that drives the initial decision.
  • C (industry benchmarks) reflects general averages across other organizations, not your specific risk posture - useful context, but too broad to guide precise decisions.
  • D (threat quantification via threat modeling) focuses on external threat actors and attack vectors; without pairing it with your organization's actual vulnerabilities, it lacks the specificity needed for prioritized risk decisions.

Memory tip: Think "VA = actionable." A vulnerability assessment tells you what is actually broken in your own house - you cannot manage risk you have not measured directly. The other options are either downstream outputs (A), external averages (C), or incomplete without the vulnerability side of the equation (D).

Topics

#Risk Management #Vulnerability Assessment #Risk Decision Making #Risk Assessment Inputs
