Which process includes assessing and prioritizing threats to reduce the potential impact on an organization?
Correct Answer: D
Comprehensive and Detailed Explanation From Exact Extract:
Risk management is the structured process an organization uses to identify, assess, prioritize, and respond to risks (including cybersecurity threats) in order to reduce their potential impact on operations, assets, and objectives. It typically involves:
Identifying risks and threats
Assessing likelihood and impact
Prioritizing risks based on that assessment
Selecting and implementing controls or mitigation strategies
Monitoring and reviewing residual risk over time
In the context of Information Technology Management, risk management ensures that limited resources are focused on the most significant threats, balancing security, cost, and business needs.
Why the other options are incorrect:
A . Threat modeling - Focuses on identifying and analyzing potential threats and attack paths, usually during system or application design. While related, it does not cover the full cycle of prioritizing and managing overall organizational risk.
B . Penetration testing - Involves simulated attacks to find vulnerabilities, but it is a testing technique, not a complete process for assessing and prioritizing threats and impacts.
C . Cyber hygiene - Refers to routine best practices (patching, password management, backups) to maintain security. It is a set of practices, not a formal process for assessing and prioritizing threats.
Therefore, the correct answer is D. Risk management, as it explicitly includes assessing and prioritizing threats to reduce potential organizational impact.
Reference: