1. Right Answer: A
Explanation: Exposure Factor represents the impact of the risk over the asset, or percentage of asset lost. For example, if the Asset Value is reduced to two third, the exposure factor value is 0.66.Therefore, when the asset is completely lost, the Exposure Factor is 1.0.Incorrect Answers:B, C, D: These are not the values of exposure factor for zero assets.

2. Right Answer: D
Explanation: This is an example of exploiting a positive risk - a by-product of a project is an excellent example of exploiting a risk. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response.Incorrect Answers:A: Enhancing is a positive risk response that describes actions taken to increase the odds of a risk event to happen.B: This is an example of a positive risk, but positive is not a risk response.C: Opportunistic is not a valid risk response.

3. Right Answer: D
Explanation: A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas.The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are: Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This incident can occur when vulnerability is being exploited by threat.The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware. SLE = Asset value * Exposure factor Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year. Annual loss expectancy (ALE)-It is the expected loss for a year.ALE is calculated by multiplying SLE with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example, antivirus software of an average cost of $50 for each computer. If there are 50 computers, the safeguard value is $2,500. A, B, C: These are wrong formulas and are not used in quantitative risk assessment.

4. Right Answer: A,B,D
Explanation: An enterprise's risk management capability maturity level is 3 when:Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized. There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise. The business knows how IT fits in the enterprise risk universe and the risk portfolio view. Local tolerances drive the enterprise risk tolerance. Risk management activities are being aligned across the enterprise. Formal risk categories are identified and described in clear terms. Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk. Defined requirements exist for a centralized inventory of risk issues. Workflow tools are used to accelerate risk issues and track decisions.Incorrect Answers:C: Enterprise having risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.

5. Right Answer: A
Explanation: Business management is the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining risk profile, and risk-aware decisions. Other than this, they are also responsible for managing risks, react to events, etc.Incorrect Answers:B: Business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/ she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.C: CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. CIO has some responsibility analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.D: CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.