You are working in an enterprise. You enterprise is willing to accept a certain amount of risk. What is this risk called?

• A.Hedging
• B.Aversion
• C.Appetite
• D.Tolerance

Correct Answer: C

Explanation/Reference:
Explanation:
Risk appetite considers the qualitative and quantitative aspects of accepting risks in an organization. The term refers to the type of risks the organization is willing to pursue, as well as amount of risk and the level of risk.
Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission.
This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.

The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the

enterprise wants to accept in pursue of its objective fulfillment.
Incorrect Answers:
A, B: Aversion and hedging are related to each other and represents the avoidance of risk within the organization.
D: The acceptable variation relative to the achievement of an objective is termed as risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders.
A process should be in place to review and approve any exceptions to such standards.

Comment: *

Name: *

Email: *

Verification: *

You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?

• A.$ 2,160,000
• B.$ 95,000
• C.$ 108,000
• D.$ 90,000

Comment: *

Name: *

Email: *

Verification: *

You are the project manager of HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following response have you implemented?

• A.Acceptance
• B.Mitigation
• C.Avoidance
• D.Contingent response

Correct Answer: D

Explanation/Reference:
Explanation:
Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
Incorrect Answers:
A: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but willing to

accept the consequences of the risk.
Active acceptance is the second strategy and might include developing contingency plans and reserves

to deal with risks.
B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level.
Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:
Managerial(e.g.,policies)

Technical (e.g., tools such as firewalls and intrusion detection systems)

Operational (e.g., procedures, separation of duties)

Preparedness activities

C: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.

Comment: *

Name: *

Email: *

Verification: *

Which of the following IS processes provide indirect information?
Each correct answer represents a complete solution. Choose three.

• A.Post-implementation reviews of program changes
• B.Security log monitoring
• C.Problem management
• D.Recovery testing
• E.Explanation:
  Security log monitoring, Post-implementation reviews of program changes, and Problem management provide indirect information. Security log monitoring provide indirect information about certain controls in the security environment, particularly when used to analyze the source of failed access attempts. Post-implementation reviews of program changes provide indirect information about the effectiveness of internal controls over the development process. Problem management provide indirect information about the effectiveness of several different IS processes that may ultimately be determined to be the source of incidents.

Comment: *

Name: *

Email: *

Verification: *

Which of the following methods involves the use of predictive or diagnostic analytical tool for exposing risk factors?

• A.Scenario analysis
• B.Sensitivity analysis
• C.Fault tree analysis
• D.Cause and effect analysis

Comment: *

Name: *

Email: *

Verification: *