Weekly CISSP Practice Exam Questions
Week 2 - Question 1
Scenario: You are the Risk Manager for a data center located in a region known for frequent power surges.
- The data center equipment is worth $200,000.
- A major surge happens roughly once every 5 years.
- When a surge occurs, it typically fries about 25% of the sensitive components.
You’re looking at a high-end Industrial Surge Protection System that costs $8,000 a year to maintain.
Based on the Annual Loss Expectancy (ALE), is this control financially justified?
A. Yes; the ALE is $40,000, which is much higher than the $8,000 control cost.
B. No; the ALE is $10,000, which is only slightly higher than the $8,000 control cost.
C. Yes; the ALE is $10,000, and the control saves the company $2,000 annually.
D. No; the ALE is $5,000, so the $8,000 control costs more than the risk itself.
The Winner: C
Why this is the "Managerial" Answer
In the CISSP world, we don't buy things just because they are "cool" or "secure." We buy them because they make financial sense. To get to answer C, you have to run the three standard formulas:
1. SLE (Single Loss Expectancy): What does it cost if it happens once?
   Asset Value ($200,000) x Exposure Factor (0.25) = $50,000
2. ARO (Annualized Rate of Occurrence): How often does it happen in a year?
   Once every 5 years = 1 / 5 = 0.2
3. ALE (Annualized Loss Expectancy): What is the "yearly budget" for this risk?
   SLE ($50,000) x ARO (0.2) = $10,000
The Logical Breakdown
- The Risk Cost: It costs the company $10,000 a year on average to just "accept" the surges.
- The Control Cost: The protection system costs $8,000 a year.
- The Value: By spending $8,000, you are saving the company $2,000 ($10,000 risk - $8,000 cost).
If the ALE had been $5,000 (Option D), you would actually be losing money by buying the protection. The exam loves to see if you can spot when a "security solution" is actually a "financial bad move."
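The three formulas and the cost/benefit comparison above, written out as an added Python example (this is not code from the original page). It uses the scenario's own numbers, and generalizes one step beyond the page: `control_value` takes an optional residual ALE after the control is in place, defaulting to 0 because the answer assumes the surge protector eliminates the loss entirely. The function names are my own.

```python
# Added example: CISSP quantitative risk formulas (SLE, ARO, ALE) applied to
# the surge-protection scenario. Names and structure are assumptions of this
# example, not a standard library or the page's own code.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO = expected number of events per year; 'once every 5 years' -> 0.2."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the average yearly cost of simply accepting the risk."""
    return sle * aro


def control_value(ale_before: float, annual_control_cost: float,
                  ale_after: float = 0.0) -> float:
    """Cost/benefit of a safeguard: (ALE before - ALE after) - annual control cost.

    Positive means the control saves money each year; negative means it costs
    more than the risk it removes. ale_after defaults to 0.0, i.e. the control
    is assumed to stop the loss completely (the assumption the page's answer
    makes); pass a residual ALE for a control that only reduces the loss.
    """
    return (ale_before - ale_after) - annual_control_cost


def evaluate_scenario(asset_value: float, exposure_factor: float,
                      years_between_events: float, annual_control_cost: float,
                      ale_after: float = 0.0) -> dict:
    """Run the full chain and report whether the control is financially justified."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = annualized_rate_of_occurrence(years_between_events)
    ale = annualized_loss_expectancy(sle, aro)
    value = control_value(ale, annual_control_cost, ale_after)
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "annual_savings": value,
        "justified": value > 0,
    }


if __name__ == "__main__":
    # Scenario from the question: $200,000 asset, 25% exposure, one surge
    # every 5 years, $8,000/year control.
    result = evaluate_scenario(200_000, 0.25, 5, 8_000)
    for key, val in result.items():
        print(f"{key}: {val}")
    # Option D's premise for comparison: an ALE of only $5,000 would make the
    # same $8,000 control a net loss of $3,000 per year.
    print("value if ALE were $5,000:", control_value(5_000, 8_000))
```

The `justified` flag is exactly the exam's decision rule: buy the control only when the yearly loss it prevents exceeds its yearly cost.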
Why the others are trap answers:
- A is a math error: It assumes the surge happens every year or misses the Exposure Factor.
- B is "Correct-ish" but not the best: It gets the math right but fails to draw the final conclusion that the $2,000 saving is the "Value Proposition."
- D is a math error: It likely miscalculates the ARO or SLE.
The takeaway for your exam? Don't spend more to protect an asset than the asset (or its risk) is worth.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics for each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.