A. Risk can be quantified using annual loss expectancy (ALE).

B. The level of risk is greater where the asset value is highest.

C. Risk is derived from one or all of its subcomponents.

D. Without knowing value, risk cannot be calculated.

A. Limits the scope to a benchmark of similar companies.

B. Assume an equal degree of protection for all assets.

C. Address the potential impacts and likelihood of loss.

D. Give more weight to the likelihood vs. the size of the loss.

A. Assessing risk after security controls are in place.

B. Performing a threat analysis.

C. Identification of new risk scenarios after treatment of risk

D. Carrying out a risk transfer

A. The cost of acquisition and implementation of the asset.

B. Knowledge of vulnerabilities present in the asset.

C. The degree of exposure to known threats.

D. The criticality of the business process supported by the asset.

A. Likelihood and impact.

B. Impact and exposure.

C. Asset criticality and sensitivity.

D. Asset value and classification.