
Question


10. What is the difference between quantitative and qualitative risk analysis?
A. Qualitative analysis uses mathematical formulas while quantitative analysis does not.
B. Purely qualitative analysis is not possible, while purely quantitative is possible.
C. Quantitative analysis provides formal cost/benefit information while qualitative analysis does not.
D. There is no difference between qualitative and quantitative analysis.

11. Which choice is an accurate statement about standards?
A. Standards are the high-level statements made by senior management in support of information systems security.
B. Standards are the first element created in an effective security policy program.
C. Standards are used to describe how policies will be implemented.
D. Standards are senior management's directives to create a computer security program.

12. If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets", the risk has all of the following elements except?
A. An impact of assets based on threats and vulnerabilities.
B. Controls addressing the threats.
C. Threats to and vulnerabilities of processes and/or assets.
D. Probabilities of the threats.

13. Which of the following should not be a role of the security administrator?
A. Authorizing access rights.
B. Implementing security rules.
C. Ensuring that local policies have been authorized by management.
D. Allocating access rights.

14. Which of the following is not accurate regarding the process of risk management?
A. The likelihood of a threat must be determined as an element of the risk assessment.
B. The level of impact of a threat must be determined as an element of the risk assessment.
C. Risk assessment is the first process in the risk management methodology.
D. Risk assessment is the final result of the risk management methodology.

15. Which choice below most accurately reflects the goals of risk mitigation?
A. Defining the acceptable level of risk the organization can tolerate, and reducing risk to that level.
B. Analyzing and removing all vulnerabilities and threats to security within the organization.
C. Defining the acceptable level of risk the organization can tolerate, and assigning any costs associated with loss or disruption to a third party such as an insurance carrier.
D. Analyzing the effects of a business disruption and preparing the company's response.

16. Which answer below is the best description of Single Loss Expectancy (SLE)?
A. An algorithm that represents the magnitude of a loss to an asset from a threat.
B. An algorithm that expresses the annual frequency with which a threat is expected to occur.
C. An algorithm used to determine the monetary impact of each occurrence for a threat.
D. An algorithm that determines the expected annual loss to an organization from a threat.

17. Which choice below is the best description of an Annualized Loss Expectancy (ALE)?
A. The expected risk factor of an annual threat event, derived by multiplying the SLE by its ARO.
B. An estimate of how often a given threat event may occur annually.
C. The percentile of the value of the asset expected to be lost, used to calculate the SLE.
D. A value determined by multiplying the value of the asset by its exposure factor.

18. Which choice below is not an example of appropriate security management practice?
A. Reviewing access logs for unauthorized behavior.
B. Monitoring employee performance in the workplace.
C. Researching information on new intrusion exploits.
D. Promoting and implementing security awareness programs.

19. Which choice below is not an accurate description of an information policy?
A. Information policy is senior management's directive to create a computer security program.
B. An information policy could be a decision pertaining to use of the organization's fax.
C. Information policy is a documentation of computer security decisions.
D. Information policies are created after the system's infrastructure has been designed and built.
