Exam CRISC topic 1 question 732 discussion

D. Risk analysis Risk analysis encompasses the process of identifying, evaluating, and quantifying risk. In the context of the question, risk analysis would consider both the likelihood of malicious users exploiting vulnerabilities and the impact on the organization if such an event occurred. This comprehensive approach helps in quantifying the risk associated with malicious users. Here's a brief overview of the other options: A. Business impact analysis (BIA) focuses on the potential consequences of an event that disrupts a business function. It's more about understanding the effect of disruptions, not specifically about malicious users. B. Threat risk assessment focuses on identifying and assessing threats (like malicious users) but might not fully quantify the risk since it doesn't always include vulnerability assessment or the potential business impact. C. Vulnerability assessment focuses on identifying, quantifying, and prioritizing vulnerabilities in a system. While it can identify weaknesses that malicious users might exploit, by itself, it doesn't quantify the risk related to malicious users.

B. Threat risk assessment A threat risk assessment is the most appropriate method for quantifying the risk associated with malicious users in an organization. Threat risk assessments focus on evaluating the likelihood and potential impact of specific threats or threat actors, such as malicious users, on an organization's assets and operations.

isn't Risk analysis about prop times magnitude?

Malicious users are threat actors, so threat assessment to understand that threat.

Agree.