Which is the most valuable technique when determining if a specific security control should be implemented?
A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

Answer: B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D is inserted into a cost/benefit analysis.