AP Cybersecurity Unit 2 Lesson 4 Exercise 1
Exercise 1 — Risk Assessment Analysis
6 questions — Evaluate threats, vulnerabilities, and risk mitigation strategies
Catalyst Biotech Labs is conducting an annual risk assessment. The security team must identify threats, evaluate vulnerabilities, estimate potential impact, and recommend risk treatments for six scenarios. Your job is to apply risk assessment methodology to each finding.
(A) Incorrect — low vulnerability reduces risk but does not eliminate it when threat and impact are extreme.
(B) Incorrect — risk factors are multiplied, not averaged; one extreme factor significantly elevates the overall result.
(D) Incorrect — zero vulnerability is impossible; there is always residual risk.
(A) Reversed — threats are the danger source; vulnerabilities are the weaknesses.
(C) Incorrect — they are distinct concepts that combine to create risk.
(D) Incorrect — both threats and vulnerabilities can be internal or external.
(A) This is risk MITIGATION — reducing the probability or impact through controls.
(C) This is risk ACCEPTANCE — acknowledging the risk and choosing not to act.
(D) This is risk AVOIDANCE — eliminating the activity or exposure that creates the risk.
(B) Incorrect — SLE is the cost per incident, not the annual expected loss.
(C) Incorrect — the formula is multiplication, not division.
(D) Incorrect — division produces an incorrect result; the formula is ALE = SLE × ARO.
(A) Incorrect — a score of 8/25 with catastrophic impact is above the typical acceptance threshold on most risk matrices.
(C) Incorrect — score 8 does not reach critical (which would be 20-25); immediate shutdown is disproportionate to the likelihood.
(D) Incorrect — IoT/OT systems like HVAC are absolutely within cybersecurity scope, especially when they control environments for sensitive assets.
(A) Incorrect — inherent risk is the pre-control level; the question asks about the post-control level.
(B) Incorrect — purchasing a product is mitigation, not transfer; risk transfer requires shifting financial liability.
(D) Incorrect — risk cannot be eliminated entirely; residual risk always exists.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.