Question 18 - CertNexus CFR-410 Real Exam Questions [Jan 2026 Update]

Q: 18

A common formula used to calculate risk is: + Threats + Vulnerabilities = Risk. Which of the following represents the missing factor in this formula?

Options

Correct Answer:

Explanation

Risk is fundamentally the potential for loss or damage to an asset. The widely accepted conceptual model for risk requires three components: a threat (the potential for harm), a vulnerability (a weakness that can be exploited), and an asset (the item of value being protected). A threat agent exploits a vulnerability to cause an adverse impact on an asset. Without an asset, the combination of a threat and a vulnerability is meaningless as there is no potential for loss or negative consequence. Therefore, 'Asset' is the essential missing factor in this conceptual formula.

Why Incorrect

A. Exploits: An exploit is the specific method or code used by a threat to take advantage of a vulnerability, not a fundamental component of the risk formula itself.

B. Security: Security consists of the controls and countermeasures implemented to reduce or mitigate risk; it is the solution, not a component of the problem's calculation.

D. Probability: While probability (or likelihood) is a key element in quantitative risk analysis (e.g., Risk = Probability x Impact), 'Asset' is the more fundamental component representing the impact side of the equation in this conceptual model.

References

1. National Institute of Standards and Technology (NIST). (2012). Guide for Conducting Risk Assessments (NIST Special Publication 800-30

Revision 1). Section 2.1

Page 5. This document establishes the foundational concepts of risk

stating that risk is "a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability

and the resulting impact of that adverse event on the organization." The impact is inherently tied to the organization's assets.

2. Massachusetts Institute of Technology (MIT) OpenCourseWare. (2014). 6.858 Computer Systems Security

Fall 2014. Lecture 1: Introduction and Threat Models. Slide 20. The lecture slides present the risk formula as "Risk = Threat x Vulnerability x Cost

" where "Cost" represents the value of the asset being impacted.

3. Stoneburner

Goguen

& Feringa

A. (2002). Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Section 2.2

"Risk Assessment

" Figure 2-1. This earlier version explicitly shows the relationship where a Threat-source

if motivated

may exploit a vulnerability

causing an impact on an asset

which constitutes a risk.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE