Chapter 2

Question 1

Risk

Answer 1

Vulnerability x Threat

Question 2

Qualitative risk analysis

Answer 2

Scenarios - 1 pagers
Delphi technique - anonymous feedback/response

Question 3

Quantitative risk analysis

Answer 3

SLE (singe loss expectancy) = AV x EF (Exposure factor)
ALE = SLE x ARO (annual rate of occurence)

Question 4

Risk appetite - total across all assets; WILLING to shoulder
Risk capacity - total that CAN be shouldered
Risk tolerance - single threat-asset
Risk limit - max tolerable over target level

Question 5

Risk responses

Answer 5

Mitigation
Assign/Transfer
Deterrence
Avoidance
Acceptance
Reject/Ignore - NO NO

Question 6

Total risk - controls gap = residual risk

Answer 6

Controls gap is amount of risk reduced by implemented security controls

Question 7

Cost/benefit analysis:

ALE1 - ALE2 - ACS = value of safeguard

Answer 7

ACS - Annual Cost of Safeguard

Question 8

Defense in depth layers of control

Answer 8

Asset
Administrative controls
Logical/technical controls
Physical controls

Question 9

Control types

Answer 9

Preventive controls
Deterrent controls
Detective controls
Corrective controls
Compensating controls
Recovery controls
Directive controls

Question 10

Risk Maturity Model (RMM)

Answer 10

Ad-hoc
Preliminary - risk mgmt process but by diff departments
Defined - Standard organization-wide
Integrated - risk mgmt integrated with business processes; metrics
Optimized - Not reactive, but strategic

Question 11

Risk mgmt framework

Answer 11

Identify
Analyze/Prioritize
Respond
Monitor

Question 12

RMF (NIST)
- For gov’t

Answer 12

Prepare
Categorize - assets and risk
Select - controls
Implement
Assess - implemented and operating correctly
Authorize
Monitor - ongoing re-assessment, change mgmt, reporting

Question 13

CSF (Cyber security framework)
[NIST]
- For critical infra and commercial orgs

Answer 13

Identify
Protect
Detect
Respond
Recover
Govern

Question 14

Social Engineering

Answer 14

Authority
Intimidation
Urgency
Scarcity
Consensus
Familiarity
Trust
Prepending - prepend with APPROVED, AUTHORIZED, RE, FWD, etc.
Phishing
Spear phishing - targeted
Whaling - high value target phishing
Smishing - SMS phishing
Vishing - phishing over VoIP

Question 15

Typo squatting

Answer 15

take advantage of mistyping in URL’s

Question 16

Gamification for security training

Question 17

Training and awareness effectiveness evaluation

Answer 17

Regular quizzes
Review event & incident logs for rate of occurrence

Question 18

Education

Answer 18

Comprehensive and more than what employee needs to know for the job

Question 19

Micro-training

Answer 19

Short, brief, focused learning modules or content

Question 20

AUP (Acceptable Use Policy)

Answer 20

• What is and is not acceptable use and behavior
• Designed to assign security roles and prescribe responsibilities for those roles

Question 21

Cybersecurity Insurance

Answer 21

Type of risk assignment / transfer

Key features:
1. Coverage of data breaches
2. Financial loss protection
3. Legal liabilities
4. Reputation mgmt
5. Business interruption
6. Ransomware protection
7. Forensic services
8. Incident response
9. Regulatory compliance cost
10. Third party liability