IIBA-CCA Exam - Topic 2 Question 11 Discussion

In NIST-style risk assessment, overall likelihood is not a single guess; it is derived by considering two related likelihood components. First is the likelihood that a threat event will be initiated. This reflects how probable it is that a threat actor or source will attempt the attack or that a threat event will occur, considering factors such as adversary capability, intent, targeting, opportunity, and environmental conditions. Second is the likelihood that an initiated event will succeed, meaning the attempt results in the adverse outcome. This depends heavily on the organization's existing protections and conditions, including control strength, system exposure, vulnerabilities, misconfigurations, detection and response capability, and user behavior.

Option A matches this structure: analysts evaluate both attack initiation likelihood and initiated attack success likelihood to reach an overall view of likelihood. A high initiation likelihood with low success likelihood might occur when an organization is frequently targeted but has strong defenses. Conversely, low initiation likelihood with high success likelihood might apply to niche systems that are rarely targeted but poorly protected.

The other options are incomplete or misplaced. Risk impact is a separate dimension from likelihood, and mitigation strategy is an output of risk treatment, not an input to likelihood. Site traffic and commerce volume can influence exposure but do not define likelihood by themselves. Past experience and trends are useful evidence, but they support estimating the two likelihood components rather than replacing them.