8. Under the NIST SP 800 30 framework, _______ refers to the magnitude of harm that could be caused by a threats exercise of vulnerability.

9. Six risk-mitigation strategies include __________, _____________, _____________, ___________, _______________, and ________________.

10. ____________ specifies the measure of risk in terms of both qualitative and quantitative estimations, while _________________ involves the comparing and prioritization of risk level based on risk-evaluation criteria and risk-acceptance criteria.

11. Common risks to IT architectures and components include: _____________________, ____________________, ___________________, _____________________, ____________________, ___________________, and _____________________.

12. In using Cascarinos Cube, the intention is to determine whether the accumulation of controls intended to mitigate a particular risk to a particular component, would be adequate to:______________________________________________.

13. If the controls identified and located in the Cube function as intended, management may gain the assurance that risk is being controlled to the desired level in an ___________ and __________ manner.

14. In gathering audit evidence, the auditor must ensure that it is _____________, _______________, _______________, and _____________.

15. Evidence derived from computations, comparisons to standards, past operations, and similar operations is known as ____________________ evidence