Domain 1: Risk Analysis

Question 1

• Valuable resources that need protection

- i.e. data, systems, people, buildings, property, etc.

Answer 1

Assets

Question 2

• Potentially harmful occurrence

- i.e. hacker, earthquake, power outage, etc.

Answer 2

Threat

Question 3

A weakness that can allow a threat to cause harm

Answer 3

Vulnerability

Question 4

Formula to calculate risk:

Answer 4

Risk = Threat * Vulnerability

Question 5

Variables that represent the severity of damage, sometimes expressed in dollars.

Answer 5

Impact

Question 6

What other variable is sometimes added to the risk equation?

Answer 6

Risk = Threat * Vulnerability * Impact

Question 7

Uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have.

Answer 7

Risk Analysis Matrix

Question 8

Calculation that allows you to determine the annual cost of a loss due to a risk.

Answer 8

Annualized loss expectancy (ALE)

Question 9

The value of the assets you are trying to protect

Answer 9

Asset Value (AV)

Question 10

Percentage (%) of value an asset loses due to an incident

Answer 10

Exposure Factor (EF)

Question 11

• Calculated by AV * EF

- The cost of a single loss

Answer 11

Single-Loss Expectancy (SLE)

Question 12

The number of losses suffered per year

Answer 12

Annual Rate of Occurrence (ARO)

Question 13

• Calculated by SLE * ARO

- Yearly cost due to a risk

Answer 13

Annualized Loss Expectancy (ALE)

Question 14

The overall cost associated with mitigation using a safeguard.

Answer 14

Total Cost of Ownership (TCO)

Question 15

The amount of money saved by implementing a safeguard

Answer 15

Return on Investment (ROI)

Question 16

If the annual Total Cost of Ownership (TCO) is less than your ALE

Answer 16

Your have a positive ROI and have made a good choice with your safeguard implementation

Question 17

If the annual Total Cost of Ownership (TCO) is higher than your ALE

Answer 17

You’ve made a poor choice as it relates to safeguard implementation

Question 18

What three factors play a big part in determining the cybersecurity budget?

Answer 18

1. Risk analysis
2. Total Cost of Ownership (TCO)
3. ROI

Question 19

• Risk choice
• Sometimes it is cheaper to leave an asset unprotected, rather than make the effort and spend the money to protect it.
• Risks assessed as low likelihood are candidates for this risk

Answer 19

Accept the Risk

Question 20

• Risk choice

- Lowering a risk to an acceptable level

Answer 20

Mitigating Risk

Question 21

• Risk choice
• Risk is moved to another entity allowing them to handle the liability
• i.e. Insurance companies they are experts in handling risks

Answer 21

Transferring Risk

Question 22

• Risk choice
• The process of choosing an alternate option that has less risk associated with it,
• i.e. Choosing to locate a business in Arizona instead of Florida to avoid hurricanes

Answer 22

Risk Avoidance

Question 23

• Risk choice

- Denying that a risk exists (not acceptable)

Answer 23

Risk Rejection

Question 24

The lowering of risk

Answer 24

Risk Reduction

Question 25

The risk management process

Answer 25

Risk Analysis

Question 26

The amount of risk an organization would face if no safeguards were implemented

Answer 26

Total Risk

Question 27

Formula for total risk

Answer 27

Threats * vulnerabilities * asset value = total risk

* does not imply multiplication, but a combination function

Question 28

• Assigns real dollar figures to the loss of an asset

- i.e. Calculating ALE

Answer 28

Quantitative Risk Analysis

Question 29

• Assigns subjective and intangible values to the loss of an asset
• i.e. The risk analysis matrix

Answer 29

Qualitative Risk Analysis

Question 30

Combines quantitative risk analysis for risks that can be expressed in numbers i.e. money and qualitative analysis for the remainder.

Answer 30

Hybrid Risk Analysis

Question 31

What are the 6 steps of the risk management framework?

Answer 31

1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize
6. Monitor

Question 32

Cost/benefit calculation (analysis)

Answer 32

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

Question 33

• The risk that management has chosen to accept rather than mitigate
• Difference between Total risk and Controls gap

Answer 33

Residual Risk

Question 34

• The amount of risk that is reduced by implementing safeguards
• Difference between Total risk and Residual risk

Answer 34

Controls Gap