1. Right Answer: A
Explanation: The primary outputs from Identify Risks are the initial entries into the risk register. The risk register ultimately contains the outcomes of other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time.Incorrect Answers:B, C, D: All these are outputs from the 'Plan Risk Management' process, which happens prior to the starting of risk identification.

2. Right Answer: D
Explanation: Components of risk scenario that are needed for its analysis are: Actor: Actors are those components of risk scenario that has the potential to generate the threat that can be internal or external, human or non-human. Internal actors are within the enterprise like staff, contractors, etc. On the other hand, external actors include outsiders, competitors, regulators and the market. Threat type: Threat type defines the nature of threat, that is, whether the threat is malicious, accidental, natural or intentional. Event: Event is an essential part of a scenario; a scenario always has to contain an event. Event describes the happenings like whether it is a disclosure of confidential information, or interruption of a system or project, or modification, theft, destruction, etc. Asset: Assets are the economic resources owned by business or company. Anything tangible or intangible that one possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible asset: Tangible are those asset that has physical attributes and can be detected with the senses, e.g., people, infrastructure, and finances. Intangible asset: Intangible are those asset that has no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust. Timing dimension: The timing dimension is the application of the scenario to detect time to respond to or recover from an event. It identifies if the event occur at a critical moment and its duration. It also specifies the time lag between the event and the consequence, that is, if there an immediate consequence (e.g., network failure, immediate downtime) or a delayed consequence (e.g., wrong IT architecture with accumulated high costs over a long period of time).

3. Right Answer: A,C
Explanation: Pilot testing and reviewing of performance data to verify operation against design are done before relying on control.Incorrect Answers:B: Discovering risk exposure helps in identifying the severity of risk, but it does not play any role in specifying the reliability of control.D: Articulating risk is the first phase in the risk response process to ensure that information on the true state of exposures and opportunities are made available in a timely manner and to the right people for appropriate response. But it does not play any role in identifying whether any specific control is reliable or not.

4. Right Answer: B
Explanation: The enterprise with risk management capability maturity level 0 makes decisions without having much knowledge about the risk credible information. In level 1, enterprise takes decisions on the basis of risk credible information.Incorrect Answers:A, C, D: An enterprise's risk management capability maturity level is 1 when: There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk. Any risk identification criteria vary widely across the enterprise. Risk appetite and tolerance are applied only during episodic risk assessments. Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms. Risk management skills exist on an ad hoc basis, but are not actively developed. Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

5. Right Answer: D
Explanation: Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.Incorrect Answers:A: Information security managers may best understand the technical tactical situation, but business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which includes collaboration with, and support from, lT security managers.C: The incident response team must ensure open communication to management and stakeholders to ensure that business managers understand the associated risk and are provided enough information to make informed risk-based decisions. They are not responsible for reviewing risk response options.