B. Estimated savings resulting from reduced risk exposure.
While all the options listed (A, B, C, and D) are valuable for risk management decision-making, estimated savings resulting from reduced risk exposure provides a direct link between risk management efforts and potential financial benefits. This information helps organizations assess the return on investment (ROI) for implementing specific risk mitigation measures.
The correct answer is (D.) Quantification of threats through threat modeling is the correct answer as threat modeling identifies the threat and quantification lets you know the likelihood and impact which is needed for the decision-making process.
Rationale:
A. Results of a vulnerability assessment says what is vulnerable, but don't provide the context as to which to resolve.
B. Estimated savings resulting from reduced risk exposure money is important, but this is too early in the stage for this.
C. Average cost of risk events is incorrect cause money is important, but this is too early in the stage for this.
Effective risk management decision-making relies on understanding the business impact of mitigating risks.
Estimated savings from reduced risk exposure:
Provide a clear cost-benefit view
Help prioritize controls and investments
Support communication with senior management and stakeholders
ISACA emphasizes that risk-informed decisions should be made using quantitative, value-driven data — especially related to financial impact and risk reduction.
The answer is B. Risk management decision-making requires actionable, business-focused information. Estimated savings from reduced risk exposure provide a clear, quantifiable measure of the financial benefits of mitigating risks. This aligns with CISM's emphasis on linking risk management to business objectives and demonstrating the value of risk mitigation to stakeholders.
This provides a clear financial basis for decision-making, allowing decision-makers to assess the value of mitigating a risk versus the cost of implementing controls. Understanding how much money can be saved by reducing the exposure to risk helps prioritize risk management actions and allocate resources effectively.
it is D. Yes, quantifying threats through threat modeling is considered a key part of the risk management decision-making process, as it allows organizations to identify, analyze, and prioritize potential security risks by assigning numerical values to the likelihood and impact of different threats, enabling informed decisions about mitigation strategies and resource allocation.
D. Quantification of threats through threat modeling
Quantification of threats through threat modeling provides the most comprehensive information for supporting risk management decision-making. This approach not only identifies potential threats but also assesses their likelihood and potential impact in a structured manner. By understanding the specific threats to assets and evaluating their severity and probability, decision-makers can prioritize security measures more effectively. This allows for a strategic allocation of resources to address the most significant risks, ensuring that mitigation efforts are both efficient and effective.
The results of a vulnerability assessment provide critical information regarding the potential weaknesses in an organization's systems and infrastructure. This information can be used to prioritize risk management efforts and allocate resources effectively. Vulnerability assessments can help identify potential security gaps and provide insights on how to address them, allowing organizations to make informed decisions about risk management. While the other options may provide useful information, they do not directly support risk management decision-making to the same extent as vulnerability assessment results.
A. Results of a vulnerability assessment would be the best information to support risk management decision making. Vulnerability assessments provide an inventory of vulnerabilities, as well as their likelihood of exploitation and potential impacts. This information can be used to determine which vulnerabilities should be addressed first and how to allocate resources to best mitigate risk.
Vulnerability assessment does not include the likelihood of it being exploited. That is done in the risk analysis process which uses vulnerability assessment as an input.
A is my answer. I feel like understanding the results of a vulnerability assessment helps with risk management. Risks are in the form of vulnerabilities and threats.
upvoted 2 times
...
This section is not available anymore. Please use the main Exam Page.CISM Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
oluchecpoint
Highly Voted 1 year, 9 months agodark_3k03r
Highly Voted 2 years agonezeranonymous
Most Recent 2 weeks, 1 day agohohan
4 months, 2 weeks agoVishalgupta26
5 months, 2 weeks ago5fd6335
7 months agohelg420
1 year ago[Removed]
1 year, 6 months agoDavoA
1 year, 10 months agorichck102
2 years agomad68
2 years ago[Removed]
1 year, 11 months agoAbhey
2 years agodark_3k03r
2 years agodedfef
2 years, 2 months agoProspect57
2 years, 4 months ago