CISM Certified Information Security Manager – Question0452

The MOST likely reason to use qualitative security risk assessments instead of quantitative methods is when:

A. an organization provides services instead of hard goods.
B. a security program requires independent expression of risks.
C. available data is too subjective.
D. a mature security program is in place.

Correct Answer: A