Why would an organization perform a quantitative risk analysis for network security threats?

  • so that management has documentation about the number of security attacks that have occurred within a particular time period
  • so that management can determine the number of network devices needed to inspect, analyze, and protect the corporate resources
  • so that the organization knows the top areas where network security holes exist
  • so that the organization can focus resources where they are most needed

Explanation: Quantitative risk analysis takes the top threats, assigns each a cost value representing the loss if the threat actually occurred, and orders the list from most expensive to least expensive. This priority list lets management apply current resources to the threat or threats that would cost the organization the most. Quantitative risk analysis is based on cost, but cost should not be the only criterion applied when, for example, evaluating a system that provides or involves national security.

Exam with this question: Checkpoint Exam: Vulnerability Assessment and Risk Management
