SecProve

Frequency-vs-impact

Risk math requires keeping likelihood and impact distinct. The trap offers an answer that conflates the two — usually treating a high-frequency low-impact event the same as a low-frequency high-impact one.

Most common in
CISSPCRISCCISMSecurity+

The Trap in One Sentence

You confused likelihood with impact in risk math. ARO ≠ ALE; high-frequency ≠ high-impact. The risk equation needs both kept distinct.

Pairs Candidates Confuse

ARO (annualized rate)vsALE (annualized loss expectancy)

How often per year vs total $ per year

ALEvsSLE

Per year vs per occurrence

High-frequency phishingvsLow-frequency targeted attack

Volume vs severity

How to Avoid It

  • Write out the risk equation (Risk = Likelihood × Impact) before answering risk-quant questions.
  • ARO is a count; ALE and SLE are dollar amounts; never substitute them.
  • High-impact / low-likelihood = transfer or accept; high-likelihood / low-impact = mitigate with controls.

Frequently Asked Questions

How do I recognize a frequency-vs-impact trap in an exam question?

When the choices include risk-quantification terms (ARO, ALE, SLE, EF) or descriptions that mix frequency with monetary impact, the question is testing whether you keep likelihood and impact distinct. The trap conflates them — usually treating a high-frequency low-impact event as high risk, or vice versa.

What's the tell-tale stem phrasing that signals this trap?

Numeric stems: "the event occurs twice a year and costs $50,000 per occurrence," "the asset value is $1M and the exposure factor is 0.2." These are quantitative risk math, and you have to use the formula. Stems describing likelihood and impact separately are usually setting up ALE = SLE × ARO.

If two risk-quant answers both seem to fit, how do I decide?

Write out the formula: SLE = Asset Value × Exposure Factor. ALE = SLE × ARO. Risk = Likelihood × Impact. ARO is a count (events/year); ALE and SLE are dollar amounts. Never substitute them. Whatever the stem asks for, plug into the matching formula.

What's a real example of a frequency-vs-impact trap?

Stem: "Asset value $200,000, exposure factor 25%, expected to occur 4 times per year. What is the ALE?" Choices: (a) $50,000, (b) $200,000, (c) $800,000, (d) 4. SLE = $200,000 × 0.25 = $50,000. ALE = $50,000 × 4 = $200,000. The answer is (b). Picking (a) is the standard miss because it's the SLE not the ALE; picking (c) miscalculates by skipping EF.

How is frequency-vs-impact different from acronym-confusion?

Frequency-vs-impact is the deeper conceptual trap — you confused the dimensions of risk. Acronym-confusion is the surface version — you confused the letters of the acronyms. Many ALE/SLE/ARO questions exploit both, but the diagnostic is different: frequency-vs-impact wants you to know what each acronym MEASURES, not just what it stands for.

Why do item writers love this distractor mechanism?

Risk quantification is the cleanest discriminator on management certs because it requires both vocabulary AND arithmetic. Candidates who can recite the acronym definitions but can't run the formula will miss these reliably. The arithmetic is trivial; the conceptual setup is the hard part.

Where does this trap show up most often?

CRISC built around it — risk-quant is the cert's spine. CISSP Domain 1 (Risk Management). CISM for risk-treatment math. Sec+ Domain 5 (Governance) features it on the few quantitative items. ISO 31000-aligned questions test it too.

How do I deliberately drill against this archetype?

Use the trap drill linked from the section above to focus reps on this pattern. Memorize the three formulas: SLE = AV × EF, ALE = SLE × ARO, Risk = Likelihood × Impact. Practice plugging numbers into each on 10-15 fast-fire problems before exam day. The math is easy once the formulas are reflexive.

Practice Against This Trap

13 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.

Run a Frequency-vs-impact trap drill →

Related Traps