What risk management metric is Tom trying to lower by enabling an application firewall?


By enabling an application firewall, Tom is primarily trying to lower the likelihood of a successful security breach or attack on the application. Application firewalls act as a barrier between the application and potential threats, filtering out malicious traffic and preventing unauthorized access.

In risk management, likelihood refers to the probability that a given threat will exploit a vulnerability and cause harm. By implementing an application firewall, Tom is specifically aiming to reduce the chance that attackers can successfully compromise the application, thus decreasing the overall risk associated with potential vulnerabilities.

Other metrics like impact, RPO (Recovery Point Objective), and MTO (Maximum Tolerable Outage) do not directly relate to lowering the probability of an attack, which is the primary focus of implementing an application firewall. These metrics are concerned with the consequences of an incident or the organization’s ability to recover from it, not with how often the threat occurs.
