Encryption - Likelihood vs Impact

lardo11 Registered Users Posts: 3
Hi everyone, I'm studying for the CISSP and hoping to take it soon. I took a practice test out of a book, and it had a question that I'm not too sure about what the correct answer is, and I'm not sure I agree with what the answer key says. Here is the question:

Renee is using encryption to safeguard sensitive business secrets when in transit over the Internet. What risk metric is she attempting to lower?
A. Likelihood
B. RTO
C. MTO
D. Impact

Obviously the middle two are wrong. I can see why both A and D would be considered correct, but I thought that D would be the better answer, because it reduces the impact of having the data intercepted, because the attacker wouldn't be able to access the cleartext. The answer key says A is correct because "Using encryption reduces risk by lowering the likelihood that an eavesdropper will be able to gain access to sensitive information."

Am I wrong in my reasoning?

Comments

  • djcarter Member Posts: 44
    They probably were approaching likelihood of it getting intercepted, versus the way you looked at it as reading or exposure.
  • 636-555-3226 Member Posts: 975
    likelihood and impact are both true, but likelihood is the better answer because it comes first IMO. unless someone gets the encryption key, you're using something like DES (not 3DES), or your password is "password" - good encryption drops likelihood down to all but zero. impact is also zero since nothing bad is going to happen, but you need likelihood to exist before any impact hits, so i'd focus on likelihood being the right one.

    a classic example of both answers are right, but what was the person who wrote the question thinking at that particular moment he was writing the answer key.....
  • lardo11 Registered Users Posts: 3
    Thank you for the answer, the explanation about likelihood coming before impact makes sense. That was definitely a frustrating question to get wrong!
  • dhay13 Member Posts: 580
    Agreed with A being the correct answer. The 'likelihood' is reduced by using encryption but the way I interpret it, the 'impact' doesn't change if the data is intercepted and able to be read. In this context I feel that D doesn't apply.
  • TechGuru80 Member Posts: 1,539
    Think of it this way...encrypting the information does not lower the impact if that information can be acquired by somebody...if the information was a trade secret it will still cause the same damage because it is still a trade secret. By using encryption it WOULD lower the likelihood of being intercepted.

    Questions like this can be very tricky but you have to get to the root of the question.
  • markulous Member Posts: 2,394
    Technically it does lower the impact because if someone acquired the information and they are using a strong algorithm, then all they will see is obfuscated text.

    Likelihood is the better answer though. As 636 said, it comes first and has a bigger effect on likelihood.
  • Danielm7 Member Posts: 2,310
    Yep, that is one thing with the exam, there are usually 2 you can cross off right away, then figure out the best answer. If you see one first and say it's right, always take the time to check the other answers, as one could easily be "more right".
  • lardo11 Registered Users Posts: 3
    These are all good answers, thank you everybody. I just took the official ISC2 Sybex practice test and got an 84%, so I think I'm about ready to take the exam. Wish me luck!