Risk Management

Target score: 8 out of 10

Estimated time: 15 minutes

Question 1 of 10

A financial institution estimates that a cyberattack on their online banking system has a 30% probability of occurring each year, and would cause approximately $5 million in damages including regulatory fines, customer compensation, and recovery costs. What risk assessment method are they most likely using?

Question 2 of 10

A small business cannot afford sophisticated security tools but needs to prioritize which risks to address first. The owner rates risks as "High" if they could cause business closure, "Medium" if they cause operational disruption, and "Low" if they cause minor inconveniences. Which risk analysis approach is being used?

Question 3 of 10

A company discovers that a legacy system has critical vulnerabilities that could expose employee data. Replacing the system would cost $500,000, but a data breach would only cost approximately $50,000 in fines. After reviewing the costs, management decides not to replace the legacy system. Which risk response strategy is being implemented?

Question 4 of 10

A company calculates that if their server is breached, the cost will be $2 million in fines. After implementing firewalls, encryption, and employee security training, they calculate that the potential for fines has now been reduced to $200,000. No further mitigations are possible. What is the best description of the $200,000 figure?

Question 5 of 10

A risk manager for a company conducts a Business Impact Analysis (BIA). They identify the following metrics for a critical server:

- Mean Time Between Failures (MTBF) of 2,500 hours
- Mean Time to Repair (MTTR) of 4 hours
- Maximum Tolerable Downtime (MTD) of 24 hours
- Recovery Time Objective (RTO) of 6 hours

What should the risk manager prioritize?

Question 6 of 10

A retail company is selecting a new cloud payment processor to handle millions of customer credit card transactions. Before signing the contract, the security team reviews the cloud company's financial stability, requests their ISO 27001 audit report, and verifies their PCI DSS compliance. What is this pre-contract investigation called?

Question 7 of 10

A technology startup is negotiating with a potential business partner to develop a new product. Before sharing their proprietary algorithms and trade secrets, they require the partner to sign a legal agreement promising not to disclose confidential information to third parties. What type of legal document should be used?

Question 8 of 10

A company spends $100,000 annually on a Security Operations Center (SOC) that prevents an estimated $600,000 in cyberattack damages each year. What metric should the Chief Financial Officer (CFO) use to demonstrate the value of the SOC to the company's shareholders?
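
Questions 1, 3 and 8 all rest on the same quantitative risk arithmetic: single loss expectancy (SLE) times annualized rate of occurrence (ARO) gives the annualized loss expectancy (ALE), and a control is worth buying only when the ALE it removes exceeds what it costs per year. The following Python module is an added worked example, not part of the original quiz; the class and function names are my own, and for the legacy-system scenario in Question 3 it assumes an ARO of 1.0 (one breach per year), which the question does not state, so that the $50,000 breach cost can be compared directly with the $500,000 replacement.

```python
"""Quantitative risk math behind the ALE, risk-acceptance and ROSI questions.

Added example: names, structure and the ARO assumed for the legacy-system
scenario are this example's own, not figures or code from the quiz.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A loss event described by its per-event cost and annual frequency."""
    name: str
    sle: float   # single loss expectancy: cost in dollars of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A safeguard with an annual cost and the ALE that remains once it is in place."""
    name: str
    annual_cost: float
    residual_ale: float  # loss still expected per year after the control (residual risk)


def risk_reduction(threat: Threat, control: Control) -> float:
    """Dollars of annual expected loss the control removes."""
    return threat.ale - control.residual_ale


def control_value(threat: Threat, control: Control) -> float:
    """Net annual benefit: loss avoided minus what the control costs."""
    return risk_reduction(threat, control) - control.annual_cost


def rosi(threat: Threat, control: Control) -> float:
    """Return on security investment: net benefit as a multiple of the control's cost.

    A ROSI of 5.0 means every dollar spent on the control avoids six dollars
    of expected loss (five dollars net).
    """
    return control_value(threat, control) / control.annual_cost


def recommend(threat: Threat, control: Control) -> str:
    """Cost-benefit decision rule: mitigate if the control pays for itself, else accept."""
    return "mitigate" if control_value(threat, control) > 0 else "accept"


# Constructed scenarios mirroring the quiz questions (figures taken from the questions).
# Question 1: 30% chance per year of a $5M loss.
BANKING_ATTACK = Threat("online banking attack", sle=5_000_000, aro=0.30)

# Question 3: $50,000 breach vs. $500,000 replacement. ARO of 1.0 is an assumption
# made here so the two figures compare directly; the question gives no probability.
LEGACY_BREACH = Threat("legacy system breach", sle=50_000, aro=1.0)
REPLACE_LEGACY = Control("replace legacy system", annual_cost=500_000, residual_ale=0.0)

# Question 8: a $100,000/year SOC that prevents $600,000/year in damages.
SOC_PREVENTED_LOSS = Threat("attacks stopped by the SOC", sle=600_000, aro=1.0)
SOC = Control("security operations center", annual_cost=100_000, residual_ale=0.0)


if __name__ == "__main__":
    print(f"Q1 ALE: ${BANKING_ATTACK.ale:,.0f}")
    print(f"Q3 net value of replacement: ${control_value(LEGACY_BREACH, REPLACE_LEGACY):,.0f}"
          f" -> {recommend(LEGACY_BREACH, REPLACE_LEGACY)}")
    print(f"Q8 SOC ROSI: {rosi(SOC_PREVENTED_LOSS, SOC):.0%}"
          f" -> {recommend(SOC_PREVENTED_LOSS, SOC)}")
```

The decision rule is deliberately blunt: it ignores non-financial factors (regulatory mandates, reputational harm) that can force mitigation even when the arithmetic says accept, which is exactly the caveat a risk committee should raise before signing off on a figure like the one in Question 3.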

Question 9 of 10

A large healthcare organization is considering a partnership with a medical software provider. The organization wants to document the expectations for the medical software provider, and the penalties if the medical software provider does not meet those expectations. Which document should be used?

Question 10 of 10

An organization hires an external security firm to conduct penetration testing of their network. The contract includes a detailed document specifying which IP addresses can be tested, what testing methods are prohibited, and that testing must occur only during business hours to avoid disrupting operations. What is this scope-defining document called?