Which of the following is a qualitative approach to risk ana - CompTIA Security+ SY0-701
Question
Which of the following is a qualitative approach to risk analysis?
Answers
-
-
-
correct
-
Explanation
Correct Answer: C. Assigning a level of high, medium, or low to the risk rating. Qualitative risk analysis focuses on subjective, descriptive assessments of risks rather than numerical calculations. Assigning risk levels such as “high,” “medium,” or “low” is a clear example of this approach. These labels are based on expert judgment, interviews, or workshops rather than strict statistical data. Organizations often use this method when exact numerical data is unavailable or when quick prioritization is needed. The process emphasizes relative severity and likelihood, enabling decision-makers to focus resources on the most pressing risks without needing detailed calculations. While it lacks precision compared to quantitative methods, qualitative analysis is valuable for creating accessible and actionable assessments, especially for nontechnical stakeholders. It is commonly used in initial stages of risk management, often in the form of heat maps or risk matrices, to visually communicate risk levels across the organization. This makes it an essential component of comprehensive risk analysis.
Why Other Options are Incorrect:
-
A. Including the MTTR and MTBF as part of the risk assessment is quantitative because MTTR (Mean Time to Repair) and MTBF (Mean Time Between Failures) are measurable, numerical metrics.
-
B. Tracking and documenting network risks using a risk register is an organizational tool for risk management, but it does not inherently qualify as qualitative unless risks are assigned subjective ratings. By itself, it’s simply recordkeeping.
-
D. Using ALE and ARO to help determine whether a risk should be mitigated is quantitative because ALE (Annualized Loss Expectancy) and ARO (Annualized Rate of Occurrence) rely on numerical calculations to estimate financial impact and frequency of risks.
No Payment Cards Needed
