Chapter 17: Risk Management and Privacy

Assessment

Quiz

Computers

University

Hard

Created by

Fhaa Lossx

20 questions

1.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?

A. Removed the threat

B. Reduced the threat

C. Removed the vulnerability

D. Reduced the vulnerability

Answer explanation

Key Phrase: "missing patch"

Explanation:

  • Correct Answer (C): By applying the patch, Jen has removed the vulnerability that could have been exploited by an attacker, thus reducing the risk.

  • Why others are wrong:

    • A: The threat (attacker) still exists, and Jen cannot directly remove the threat.

    • B: She hasn’t reduced the threat; she has removed the vulnerability that made the threat possible.

    • D: While the vulnerability is reduced, the proper term is "removed" rather than just reduced.

2.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?

A. Reduced the magnitude

B. Eliminated the vulnerability

C. Reduced the probability

D. Eliminated the threat

Answer explanation

Key Phrase: "install web application firewall"

Explanation:

  • Correct Answer (C): Installing a web application firewall reduces the probability of a successful SQL injection attack, though it does not eliminate the vulnerability or threat.

  • Why others are wrong:

    • A: The magnitude is not necessarily reduced; the firewall only blocks attacks.

    • B: The vulnerability still exists; only the likelihood is reduced.

    • D: The threat (attackers) still exists; it has not been eliminated.

3.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)?

A. $5,000

B. $100,000

C. $500,000

D. $600,000

Answer explanation

Key Phrase: "compromise of database"

Explanation:

  • Correct Answer (C): The asset value (AV) is the cost that would result from the compromise of the customer database, which includes the potential fines of $500,000.

  • Why others are wrong:

    • A: $5,000 is not the value at risk.

    • B: $100,000 is the daily revenue, not the value of the asset at risk.

    • D: $600,000 includes revenue, but it’s the fines from the database breach that matter here.

4.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

What is the exposure factor (EF)?

A. 5%

B. 20%

C. 50%

D. 100%

Answer explanation

Key Phrase: "exposure factor of the database"

Explanation:

  • Correct Answer (D): The exposure factor (EF) is 100% because the entire asset (the customer database) would be lost in the event of a breach.

  • Why others are wrong:

    • A: 5% would indicate minimal loss, which isn’t the case here.

    • B: 20% is too low; it’s not a partial loss.

    • C: 50% would imply only partial loss, but a breach of the database results in full exposure.

5.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

What is the single loss expectancy (SLE)?

A. $5,000

B. $100,000

C. $500,000

D. $600,000

Answer explanation

Key Phrase: "single loss expectancy"

Explanation:

  • Correct Answer (C): The single loss expectancy (SLE) is calculated as the asset value (AV) multiplied by the exposure factor (EF). Here, AV = $500,000 and EF = 100%, so SLE = $500,000.

  • Why others are wrong:

    • A: $5,000 is too low for the potential loss.

    • B: $100,000 is the daily revenue, not the value of the asset at risk.

    • D: $600,000 isn’t the correct calculation for SLE.

6.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

What is the annualized rate of occurrence (ARO)?

A. 0.05

B. 0.20

C. 2.00

D. 5.00

Answer explanation

Key Phrase: "5 percent chance of attack per year"

Explanation:

  • Correct Answer (A): The annualized rate of occurrence (ARO) is the number of times an event is expected to happen per year. A 5% chance per year is expressed as 0.05.

  • Why others are wrong:

    • B: 0.20 represents a 20% chance, which is not the case here.

    • C: 2.00 would mean the event is expected to occur twice per year.

    • D: 5.00 would mean the event is expected to occur five times per year, not a 5% chance.

7.

MULTIPLE CHOICE QUESTION

15 mins • 1 pt

What is the annualized loss expectancy (ALE)?

A. $5,000

B. $25,000

C. $100,000

D. $500,000

Answer explanation

Key Phrase: "annualized loss expectancy"

Explanation:

  • Correct Answer (B): ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, SLE = $500,000 and ARO = 0.05, so ALE = $500,000 * 0.05 = $25,000.

  • Why others are wrong:

    • A: $5,000 is too low for the ALE.

    • C: $100,000 is not the correct calculation for ALE.

    • D: $500,000 is the SLE, not the ALE.
