Chapter 111 · Quiz

Risk Analysis — Quiz

Ten questions covering qualitative vs. quantitative methods, SLE and ALE formula calculations, exposure factor, risk appetite vs. tolerance, impact categories, and the risk register.

1. A laptop valued at $2,000 is stolen from a company vehicle. The entire laptop and its contents are lost with no recovery. What is the Single Loss Expectancy (SLE) for this incident?
2. An organization loses an average of 5 laptops per year to theft. Each stolen laptop has an SLE of $1,500. What is the Annualized Loss Expectancy (ALE), and how does this figure inform the security budget decision?
3. A risk assessment uses a traffic light grid with green, yellow, and red cells to display risk factors like legacy systems, untrained staff, and missing antivirus across dimensions of impact, likelihood, and control cost. What type of risk assessment is this?
4. A server worth $50,000 is partially damaged in a fire. Forensic engineers determine that 40% of the server's value was destroyed. What is the Exposure Factor (EF) and the Single Loss Expectancy (SLE) for this incident?
5. An organization's board states that they have a "conservative" risk appetite. The CISO later explains that the company will accept a 5% variance above the stated appetite before escalating for board action. Which concept describes the 5% variance, and how does it differ from risk appetite?
6. A ransomware attack encrypts an entire hospital's patient scheduling and billing systems for 72 hours. The financial loss from lost billing is $200,000. Which impact category takes the highest priority during incident response, regardless of the financial figure?
Matching: Quantitative Risk Terms

Match each term (1–4) to its correct definition (A–D).

1ARO (Annualized Rate of Occurrence)
2Exposure Factor (EF)
3SLE (Single Loss Expectancy)
4ALE (Annualized Loss Expectancy)
AThe percentage of an asset's value expected to be lost in a single incident; ranges from 0.0 (no loss) to 1.0 (total loss)
BThe expected annual financial impact of a recurring threat, calculated as the product of how often the incident occurs and how much each occurrence costs
CHow many times per year a specific threat event is expected to occur; used to convert single-incident cost into an annual financial figure
DThe monetary loss expected from a single occurrence of a specific threat against a specific asset; calculated as asset value multiplied by exposure factor