During a risk evaluation of core information systems, the team decides to ignore any scenario involving a severe, organization-wide outage because such events are considered unlikely. Which of the following is the most probable consequence of leaving these high-impact scenarios out of the analysis?
It has no effect on the final risk rating because low-probability events are discounted by default.
It can cause the organization to underestimate impact severity, leading to inadequate prioritization and funding of mitigation efforts.
It guarantees compliance with NIST SP 800-30 by focusing the assessment scope on realistic events only.
It will automatically assign a HIGH rating to every identified risk, inflating overall remediation costs.
Risk methodologies such as those outlined in NIST SP 800-30 stress that analysts must consider severe but plausible threat scenarios-natural disasters, utility failures, cyber-events-that can disable critical services for extended periods. Excluding them typically understates the potential impact column in the risk matrix, resulting in lower-than-appropriate risk scores and misaligned mitigation budgets. Including severe outage scenarios allows more accurate severity ratings and ensures resources are reserved for the most damaging risks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a risk framework in the context of security assessments?
Open an interactive chat with Bash
Why is it critical to include widespread outage scenarios in risk evaluations?
Open an interactive chat with Bash
What are some common consequences of skipping large-scale outage analysis in a risk evaluation?