CISM Certified Information Security Manager – Question0419

A risk analysis should:

A. include a benchmark of similar companies in its scope.
B. assume an equal degree of protection for all assets.
C. address the potential size and likelihood of loss.
D. give more weight to the likelihood vs. the size of the loss.

Correct Answer: C

Explanation:
A risk analysis should take into account the potential size and likelihood of a loss. It could include comparisons with a group of companies of similar size. It should not assume an equal degree of protection for all assets since assets may have different risk factors. The likelihood of the loss should not receive greater emphasis than the size of the loss; a risk analysis should always address both equally.