nerdexam
(ISC)2

CISSP · Question #1114

Which of the following is a risk matrix?

The correct answer is C. A two-dimensional picture of risk for organizations, products, projects, or other items of interest.. A risk matrix is a visual tool that plots likelihood against consequence in a two-dimensional grid to help organizations prioritize and communicate risks.

Submitted by fatima_kr· Mar 5, 2026Security and Risk Management

Question

Which of the following is a risk matrix?

Options

  • AA database of risks associated with a specific information system.
  • BA table of risk management factors for management to consider.
  • CA two-dimensional picture of risk for organizations, products, projects, or other items of interest.
  • DA tool for determining risk management decisions for an activity or system.

How the community answered

(40 responses)
  • A
    3% (1)
  • C
    93% (37)
  • D
    5% (2)

Why each option

A risk matrix is a visual tool that plots likelihood against consequence in a two-dimensional grid to help organizations prioritize and communicate risks.

AA database of risks associated with a specific information system.

A database of risks associated with a specific information system describes a risk register or risk inventory, not a risk matrix, which is a visual plotting tool rather than a data repository.

BA table of risk management factors for management to consider.

A table of risk management factors for management to consider describes a risk register or risk reporting artifact, not a risk matrix, which specifically maps likelihood against impact in a two-dimensional grid.

CA two-dimensional picture of risk for organizations, products, projects, or other items of interest.Correct

A risk matrix is formally defined as a two-dimensional representation that typically places likelihood (probability) on one axis and consequence (impact/severity) on the other axis, creating a grid. This visual format allows organizations, project teams, or product managers to quickly assess and prioritize risks based on their combined likelihood and impact scores.

DA tool for determining risk management decisions for an activity or system.

A tool for determining risk management decisions describes a decision support framework or risk assessment methodology broadly, whereas a risk matrix is specifically a two-dimensional visual representation used to categorize and prioritize risks, not to prescribe decisions.

Concept tested: Definition and purpose of a risk matrix

Source: https://www.nist.gov/system/files/documents/cyberframework/cybersecurity-framework-021214.pdf

Topics

#risk matrix#risk assessment#risk visualization

Community Discussion

No community discussion yet for this question.

Full CISSP Practice