A large enterprise is implementing a new risk assessment process. The CISO requires a methodology that produces objective metrics that can be compared across different business units and tracked over time. Which of the following risk assessment approaches would BEST meet these requirements?
The correct answer is Quantitative risk assessment. Quantitative risk assessment methodologies provide objective metrics through the use of numerical data and mathematical calculations to evaluate risk. This approach allows for consistent measurement across different business units and meaningful comparisons over time because it relies on concrete values rather than subjective judgments.
Quantitative assessments typically involve calculations such as Annual Loss Expectancy (ALE), Single Loss Expectancy (SLE), and Return on Security Investment (ROSI). These metrics enable organizations to prioritize risks based on measurable impact and probability values.
Qualitative risk assessment uses subjective ratings (like high, medium, low) based on expert judgment rather than concrete metrics, making consistent comparison difficult across business units. Hybrid risk assessment combines elements of both but wouldn't fully satisfy the requirement for objective metrics. Residual risk assessment focuses on evaluating the risk that remains after security controls are implemented, not specifically on providing comparable metrics.
ISC2 CISSP
Security and Risk Management