1
Q
What are the steps of Defensive Programming?
A
- Identify: capture likelihood and impact
- Analyze: assess using risk score
- Treat: Choose to remove, control, anticipate, accept, or transfer risk
- Design Defensively
- Evaluation: Re-assess risks again
2
Q
Why are Metrics Important in Risk Assessment?
A
They turn claims into evidence
3
Q
How Does One Control the Impact of a Risk?
A
Impact only drops if the control limits the consequences when failure occurs
4
Q
How are Risks Primarily Affected in Risk Management?
A
The likelihood is always affected but the damage is usually the same
5
Q
What are the Risk Levels in Risk Assessments?
A
- High: 15-25
- Medium: 7-14
- Low: 1-6
6
Q
What are the Risk Treatment Options?
A
- Avoid/Eliminate: remove risk
- Control/Reduce/Mitigate: control likelihood
- Detect/Respond/Recover: anticipate risk
- Transfer/Share: pass risk
- Assume/Accept/Retain: acknowledge and accept risk
7
Q
What is the Preferred Treatment for High Risk Threats?
A
- Avoid/Eliminate, Mitigate/Control
- Add a Detect/Recover if severe impact
8
Q
What is the Preferred Treatment for Medium Risk Threats?
A
Control/Mitigate, Detect/Recover
9
Q
What is the Preferred Treatment for Low Risk Threats?
A
Accept/Transfer with monitoring
10
Q
Why Would an Organization Assume/Accept/Retain a Risk?
A
- The impact is low
- The cost of mitigation is higher than the risk itself
Engineering Secure Software
flashcards
Decks in class (11)
# Cards
