Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
PhilipKwa
Viewer
‎07-28-2025 01:43 AM
‎07-28-2025 01:43 AM

Sample CISSP Questions

I need help with the following :

Imagine you are a cybersecurity analyst for a retail company. The company has assessed that the Single Loss Expectancy (SLE) for a data breach is $500,000. The exposure factor (EF) for such an event is estimated at 0.85, and the Annualized Rate of Occurrence (ARO) is 0.60. Additionally, the residual risk is calculated to be $200,000. Based on these metrics, what would be the resulting Annualized Loss Expectancy (ALE) for a data breach?
A. $255,000
B. $510,000
C. $300,000
D. $425,000

I have got the answer as C ( ALE = SLE × ARO)  = (500,000 x 0.60)

But the sugggested answer is D

Answer: D. $425,000.
Explanation: The Annualized Loss Expectancy (ALE) is calculated by first determining the Single Loss Expectancy (SLE), which is the product of the asset value and the exposure factor (EF). In this case, the SLE would be $500,000 multiplied by 0.85, resulting in $425,000. The ALE is then calculated by multiplying the SLE by the Annualized Rate of Occurrence (ARO), which is 0.60. However, since the ALE is essentially an annualized version of the SLE in this specific scenario, the ALE would also be $425,000. The residual risk of $200,000 is a separate metric that indicates the remaining risk after security measures have been applied and does not directly factor into the ALE calculation for this question.

Can anyone please enlighten me on this ?



Reply
0 Kudos
3 Replies
dcontesti
Community Champion
‎07-28-2025 12:58 PM
‎07-28-2025 12:58 PM

@PhilipKwa 

 

First, where did the question come from????

 

I disagree that the answer is D, I would have answered C.  I have always used ALE=SLE*ARO.  Using the logic in the explanation than A would be the answer, however the SLE is already defined.

 

If this is from ISC2 then I suggest an errata be put in.

 

Others?

 

d

 

Reply
dio
Viewer
‎07-29-2025 05:13 AM
‎07-29-2025 05:13 AM

The question is quite a mess and I think it's best you ignore it.

Even if there was a typo e.g. "The company has assessed that the Asset Value is $500,000." 
We would still do AV * EF * ARO and C would be again correct.

From answer:
"However, since the ALE is essentially an annualized version of the SLE in this specific scenario, the ALE would also be $425,000. "
Also not really an argument or explanation.

Your understanding is correct

Reply
0 Kudos
George_G
Newcomer II
‎08-03-2025 02:00 PM
‎08-03-2025 02:00 PM

I agree, the explanation has too many contradictions. I cannot come up with any scenario where the answer is D.

Reply
0 Kudos