CISA Certified Information Systems Auditor – Question2103

Determining the risk for a particular threat/vulnerability pair before controls are applied can be expressed as:

A.
the likelihood of a given threat attempting to exploit a vulnerability
B. a function of the cost and effectiveness of controls over a vulnerability
C. the magnitude of the impact should a threat exploit a vulnerability
D. a function of the likelihood and impact, should a threat exploit a vulnerability

Correct Answer: A