
IIBA-CCA Exam - Topic 2 Question 13 Discussion

How is a risk score calculated?

A) Based on the confidentiality, integrity, and availability characteristics of the system
B) Based on the combination of probability and impact
C) Based on past experience regarding the risk
D) Based on an assessment of threats by the cyber security team


Actual exam question for IIBA's IIBA-CCA exam
Question #: 13
Topic #: 2

Suggested Answer: B

A risk score is commonly calculated by combining two core factors: how likely a risk scenario is to occur and how severe the consequences would be if it did occur. This is often described in cybersecurity risk documentation as likelihood times impact, or as a structured mapping using a risk matrix. Probability or likelihood reflects the chance that a threat event will exploit a vulnerability under current conditions. It may consider elements such as threat activity, exposure, ease of exploitation, control strength, and historical incident patterns. Impact reflects the magnitude of harm to the organization, usually measured across business disruption, financial loss, legal or regulatory exposure, reputational damage, and harm to confidentiality, integrity, or availability.

While confidentiality, integrity, and availability are essential for understanding what matters and can influence impact ratings, they are typically inputs into impact determination rather than the full scoring method by themselves. Past experience and expert threat assessment can inform likelihood estimates, but they are not the standard calculation model on their own. The key concept is that risk must reflect both chance and consequence; a highly impactful event with very low likelihood may be scored similarly to a moderate impact event with high likelihood depending on the organization's methodology.

Therefore, the most accurate description of how a risk score is calculated is the combination of probability and impact, enabling prioritization and consistent risk treatment decisions.
