Systems Security Certified Practitioner – SSCP – Question0569

Which of the following statements pertaining to quantitative risk analysis is false?

A. Portion of it can be automated
B. It involves complex calculations
C. It requires a high volume of information
D. It requires little experience to apply

Correct Answer: D

Explanation:

Assigning the values for the inputs to a purely quantitative risk assessment requires both a lot of time and significant experience on the part of the assessors. The most experienced employees or representatives from each of the departments would be involved in the process. It is NOT an easy task if you wish to come up with accurate values.
“It can be automated” is an incorrect answer. There are a number of tools on the market that automate the process of conducting a quantitative risk assessment.
“It involves complex calculations” is an incorrect answer. The calculations are simple for basic scenarios but could become fairly complex for large cases. The formulas have to be applied correctly.
“It requires a high volume of information” is an incorrect answer. Large amounts of information are required in order to develop reasonable and defensible values for the inputs to the quantitative risk assessment.

References:

CBK, pp. 60-61
AIO3, pp. 73, 78
The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, page 24