What type of vulnerability assessment identifies the worst-case unmitigated risk?

Get ready for the ISA/IEC 62443 Risk Assessment Specialist Test. Study with multiple choice questions, each with explanations and hints. Enhance your cybersecurity skills!

The correct choice is a Cyber Risk Assessment, as this type of assessment is designed to evaluate the potential risks to an organization's information systems and identify the worst-case unmitigated risk. In a Cyber Risk Assessment, various factors are considered, including the likelihood of different types of cyber threats and the potential impact on critical assets. This comprehensive analysis helps organizations understand not just the vulnerabilities that exist, but the severity of the consequences if those vulnerabilities are exploited without any mitigation measures in place.

The Cyber Risk Assessment methodology often involves risk calculation, combining both the probability of an attack occurring and the potential impact on the organization. This lets organizations prioritize their cybersecurity efforts and allocate resources effectively to address their most significant risks.

In contrast, Penetration Testing generally simulates attacks to identify exploitable vulnerabilities but focuses on the organization's current security posture rather than revealing unmitigated risk levels. A Gap Assessment is aimed at identifying discrepancies between current security measures and best practices or compliance standards without explicitly quantifying risks. Similarly, a Passive Assessment involves observing systems and networks without direct interaction to identify potential vulnerabilities, but it does not quantify or evaluate the risk involved in the same way a Cyber Risk Assessment does. Thus, to identify the worst-case unmit
