How residual risk can be determined? 

Answer options:

A. By determining remaining vulnerabilities after countermeasures are in place.
B. By transferring all risks.
C. By threat analysis
D. By risk assessment

D

All risks are determined by risk assessment, regardless whether risks are residual or not. Incorrect Answers: A: Determining remaining vulnerabilities after countermeasures are in place says nothing about threats, therefore risk cannot be determined. B: Transferring all the risks in not relevant to determining residual risk. It is one of the method of risk management. C: Risk cannot be determined by threat analysis alone, regardless whether it is residual or not.