CISSP · Question #688
A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following
The correct answer is B. Inherent risk. Inherent risk is the risk that exists in an application or a system before applying any mitigating or compensating controls. Inherent risk represents the worst-case scenario of the potential impact and likelihood of a threat exploiting a vulnerability. Inherent risk is usually as
Question
Options
- ATransferred risk
- BInherent risk
- CResidual risk
- DAvoided risk
How the community answered
(53 responses)- A8% (4)
- B87% (46)
- C2% (1)
- D4% (2)
Explanation
Inherent risk is the risk that exists in an application or a system before applying any mitigating or compensating controls. Inherent risk represents the worst-case scenario of the potential impact and likelihood of a threat exploiting a vulnerability. Inherent risk is usually assessed by using qualitative or quantitative methods, such as risk matrices, risk scales, or risk formulas. Inherent risk helps to identify the areas that need the most attention and resources, and to prioritize the implementation of controls. Inherent risk is different from residual risk, which is the risk that remains after applying the controls, and from transferred risk, which is the risk that is shifted to another party, such as an insurance company or a service provider. Inherent risk is also different from avoided risk, which is the risk that is eliminated by not performing an activity or by changing the scope or objectives of the activity.
Topics
Community Discussion
No community discussion yet for this question.