In a five-element risk scoring method that includes measuring negative outcomes, repetition complexity, compromise difficulty, scope of user impact, and openness, a new flaw can lead to severe consequences, but the number of systems affected is unknown. Which factor is most important to highlight for the client?
The measure that focuses on how rapidly the same attack can be repeated
The measure that focuses on how widely the issue is recognized
The measure that focuses on the breadth of impacted resources
The measure that focuses on severity of harm to the organization
The strongest reason to emphasize the factor focusing on the severity of harm is that it addresses the potential financial and operational damage. Although the overall number of affected targets may be unknown, the significant negative outcome makes the severity of harm the top priority. Focusing on how many users could be impacted (an impact scope factor) or how quickly the vulnerability can be exploited (a complexity factor) does not override the assessment of how devastating the consequences could be. Visibility (how widely the weakness is recognized) is also less important when large harm is clearly established.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'severity of harm' mean in a risk scoring method?
Open an interactive chat with Bash
Why is the severity of harm more important than the scope of impact in this case?
Open an interactive chat with Bash
How does 'complexity of exploitation' differ from 'severity of harm' in risk scoring?