5.3 Explain risk management processes and concepts.

Question 1

Threat

Answer 1

Anything that can harm your resources or could potentially result in a security violation.

Question 2

Vulnerability

Answer 2

Anything that can harm your resources or could potentially result in a security violation.

Question 3

Exploit

Answer 3

The act of taking advantage of an identified vulnerability

Question 4

Threat Vector

Answer 4

A path or a tool that a Threat Actor uses to attack the target.

Question 5

Internal Threat

Answer 5

biggest threat because they know your network.

Question 6

Asset Value (AV)

Answer 6

An asset is defined as any item that has positive economic value.

Question 7

Exposure Factor (EF)

Answer 7

The portion of an assets value that is likely to be damaged or destroyed by a threat

Question 8

Single Loss Expectancy (SLE)

Answer 8

AV x EF = SLE
Asset Value x Exposure Factor = Single Loss Expectancy

Represents how much you could expect to lose should a single event occur

Question 9

Annualized Rate of Occurrence (ARO)

Answer 9

How often an event is expected to occur in a single year.

Often drawn from Historical data.

Question 10

Annualized Loss Expectancy (ALE)

Answer 10

The monetary measure of how much loss a business could expect in a year.

SLE x ARO = ALE
Single Loss Expectancy x Annualized Rate of Occurrance = Annualized Loss Expectancy

Question 11

Suppose that an asset is valued at $100,000 with 25% exposure to a threat.
A threat event is expected to occur twice a year.

Answer 11

100,000 X .25 = 25,000

25,000 x 2 = 50,000

Question 12

Likelihood of Occurrence

Answer 12

Refers to the probability that a threat event will happen

Question 13

Quantitative Analysis

Answer 13

Refers to the clearest measure (Your have receipts)

Question 14

Qualitative Analysis

Answer 14

What you feel its worth.

Question 15

Acceptance

Answer 15

Accepting the threat without any mitigation.

Often the choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition.

Question 16

Avoidance

Answer 16

Involves identifying the risk and making the decision to no longer engage in the actions associated with that risk

Question 17

Mitigation

Answer 17

Accomplished any time you take steps to reduce risk

Question 18

Transference

Answer 18

Involves bringing in a third party and share the risk.

INSURANCE is transference

Question 19

Change Management

Answer 19

A methodology for making modifications to a system and keeping track of those changes.
(Documentation of changes)

Question 20

You’re the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing during the year is estimated to be 25 percent. A failure would lead to three hours of downtime and cost $5,000 in components to correct. What is the ALE?

Answer 20

25,000 x 3 = 75,000
75,000 + 5,000 = 80,000
80,000 x .25 = 20,000

$20,000

Question 21

Regarding qualitative versus quantitative measures, which of the following statements is true?
A. Quantitative measures evaluate risk based on a subjective assessment
B. Qualitative measures are less precise
C. Qualitative measures are easier to measure for ROI/RROI
D. Quantitative measures are always better than qualitative measures

Answer 21

B. Qualitative measures are less precise

Question 22

Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk?
A. Accept the risk saving $10,000.
B. Ignore the risk saving $5,000.
C. Mitigate the risk saving $10,000.
D. Transfer the risk saving $5,000.

Answer 22

D. Transfer the risk saving $5,000.