
Weekly CISSP Practice

Exam Questions

Week 36 - Question 2

What is NOT an aspect of Risk Management?

A. Risk Assessment
B. Risk Mitigation
C. Risk Amplification
D. Risk Monitoring

Answer: C

Explanation:

A. Risk Assessment

Risk Assessment is the identification and analysis of relevant risks to the achievement of objectives.

  • The Process: It involves identifying threats and vulnerabilities, and then determining the Likelihood and Impact of a threat exploiting a vulnerability.

  • The Output: Assessments can be Quantitative (using dollar values, such as ALE = SLE × ARO) or Qualitative (using scales like High/Medium/Low).

B. Risk Mitigation

Once a risk is assessed, the organization must decide how to handle it. Risk Mitigation (also called Risk Reduction) is the most common response.

  • The Action: Implementing security controls (like firewalls, training, or locks) to reduce the likelihood or impact of a risk to an acceptable level.

  • The Goal: To reduce the Residual Risk until it is equal to or less than the organization's Risk Appetite.
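To make the quantitative side of A and the residual-risk test in B concrete, here is an added worked example (not part of the original question or its explanation). It assumes the standard CISSP relationship ALE = SLE × ARO, models a control as a percentage reduction of likelihood (ARO) and/or impact (SLE), and then checks the residual ALE against a risk appetite stated in dollars; it also shows a simple Likelihood × Impact mapping onto a High/Medium/Low scale for the qualitative case. Every asset name, dollar figure, rate and threshold below is constructed for illustration.

```python
"""Worked risk-assessment and risk-mitigation example (added example, not from the page).

Assumptions:
  * ALE = SLE x ARO (Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence)
  * a control lowers ARO (likelihood) and/or SLE (impact) by a given fraction
  * residual risk is acceptable when residual ALE <= risk appetite (in dollars)
All sample values are constructed and not taken from any real organisation.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float          # Single Loss Expectancy: dollars lost per occurrence
    aro: float          # Annualized Rate of Occurrence: expected occurrences per year
    likelihood: int     # qualitative likelihood, 1 (low) .. 3 (high)
    impact: int         # qualitative impact, 1 (low) .. 3 (high)

    def ale(self) -> float:
        """Quantitative assessment: ALE = SLE x ARO."""
        return self.sle * self.aro

    def qualitative_rating(self) -> str:
        """Qualitative assessment: map Likelihood x Impact (1..9) onto High/Medium/Low."""
        score = self.likelihood * self.impact
        if score >= 6:
            return "High"
        if score >= 3:
            return "Medium"
        return "Low"


def apply_mitigation(risk: Risk, aro_reduction: float = 0.0, sle_reduction: float = 0.0) -> Risk:
    """Return the residual risk after a control reduces likelihood (ARO) and/or impact (SLE).

    Reductions are fractions in [0, 1]; 0.6 means the control removes 60 % of the ARO.
    """
    for value in (aro_reduction, sle_reduction):
        if not 0.0 <= value <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return replace(
        risk,
        aro=risk.aro * (1.0 - aro_reduction),
        sle=risk.sle * (1.0 - sle_reduction),
    )


def within_appetite(residual_ale: float, risk_appetite: float) -> bool:
    """Mitigation goal from the explanation: residual risk <= the organisation's risk appetite."""
    return residual_ale <= risk_appetite


def assess_and_mitigate(risk: Risk, risk_appetite: float,
                        aro_reduction: float, sle_reduction: float) -> dict:
    """Run the assessment, apply the control and report whether residual risk is acceptable."""
    residual = apply_mitigation(risk, aro_reduction, sle_reduction)
    return {
        "inherent_ale": risk.ale(),
        "qualitative": risk.qualitative_rating(),
        "residual_ale": residual.ale(),
        "acceptable": within_appetite(residual.ale(), risk_appetite),
    }


# Constructed sample: ransomware on a file server.
# $200k per incident, expected once every four years, qualitatively Medium likelihood / High impact.
RANSOMWARE = Risk(name="ransomware on file server", sle=200_000.0, aro=0.25, likelihood=2, impact=3)
RISK_APPETITE = 15_000.0   # constructed: the organisation tolerates up to $15k expected annual loss

if __name__ == "__main__":
    # Constructed control: offline backups plus patching -> ARO down 60 %, SLE down 50 %.
    report = assess_and_mitigate(RANSOMWARE, RISK_APPETITE, aro_reduction=0.6, sle_reduction=0.5)
    for key, value in report.items():
        print(f"{key:>14}: {value}")
```

Inherent ALE is 200,000 × 0.25 = $50,000 (qualitatively High); after the control the residual ALE is 100,000 × 0.10 = $10,000, which falls under the $15,000 appetite, so the residual risk is acceptable. Had the control only addressed likelihood (ARO 0.10, SLE unchanged), residual ALE would stay at $20,000 and the organisation would still need further mitigation or a different risk response.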

C. Risk Amplification

This is the correct answer because it is not a technical term in the CISSP Risk Management framework.

  • Why it's the Answer: While "Social Amplification of Risk" is a concept in psychology and sociology, it is not a standard phase of the NIST or ISO risk management cycles. In security, our goal is to reduce or manage risk, never to amplify it.

D. Risk Monitoring

Risk management is not a "one and done" activity; it is a continuous lifecycle.

  • The Goal: To detect changes in the risk environment. This includes tracking new vulnerabilities, changes in the threat landscape, or the effectiveness of existing controls.

  • The Tools: Using Key Risk Indicators (KRIs), security audits, and automated monitoring tools to ensure that the risk posture remains within acceptable bounds over time.

Podcasts

Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.


CISSP Cyber Training Academy

Tired of not knowing how to study for the CISSP Exam? 

Check out the CISSP Cyber Training Academy to help you on your journey!


CISSP Cyber Training - YouTube

Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.