Flashcards in Domain 1: Security and Risk Management; Risk Analysis Deck (47):
Why is Risk Analysis a critical skill?
Our risk decisions will dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions will result in wasted money, or even worse, compromised data.
What are assets?
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth. The value and criticality of the asset will dictate what safeguards you deploy. People are your most valuable asset.
What is a threat?
A threat is a potentially harmful occurrence. A threat is a negative action that may harm a system.
What is a vulnerability?
A vulnerability is a weakness that allows a threat to cause harm. Examples: Buildings that are not built to withstand earthquakes, a data center without proper backup power, Microsoft XP systems that haven't been patched for years.
What is an attack vector?
A condition that makes a system vulnerable.
How do you calculate risk?
Risk = Threat x Vulnerability.
What is impact?
Impact is the severity of the damage, sometimes expressed in dollars. Risk = Threat x Vulnerability x Cost. A synonym for impact is consequences.
On a scale of 1 to 5, what is the impact value of loss of human life?
Loss of human life has near-infinite impact on the exam. Any risk involving loss of human life is extremely high and must be mitigated.
True or false? When assigning a number to threats and vulnerabilities, the range is arbitrary. Keep it consistent when comparing different risks.
What is the Risk Analysis Matrix?
The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have. The resulting scores are low, medium, high, and extremely high.
What is the goal of the Risk Analysis Matrix?
To identify high likelihood/high consequence risks and drive them down to low likelihood/low consequence risks.
How are risks handled?
Low risks are handled via normal process; moderate risks require management notification; high risks require senior management notification; and extreme risks require immediate action including a detailed mitigation plan (and senior management notification).
What is ALE?
Annualized Loss Expectancy. Allows you to determine the annual cost of a loss due to a risk. ALE allows you to make informed decisions to mitigate risk.
What is AV?
Asset Value. The value of the asset you're trying to protect.
What is the true Asset Value of a laptop with PII?
The cost of the laptop plus the cost to the company from the theft of unencrypted PII.
What is the cost to the company for theft of unencrypted PII?
Regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc.
What are tangible assets? Is it easy to calculate their value?
Examples of tangible assets are buildings and computers. Their value is easy to calculate.
What are intangible assets? Is it easy to calculate their value?
An example would be brand loyalty. It's challenging to calculate the value.
What are the three methods of calculating the value of intangible assets according to Deloitte?
What is Market Approach?
This approach assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.
What is Income Approach?
This approach is based on the premise that the value of an asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.
What is Cost Approach?
This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.
What is EF (Exposure Factor)?
The Exposure Factor is the percentage of an asset's value that is lost due to an incident.
What is SLE (Single Loss Expectancy)?
Single Loss Expectancy is the cost of a single loss. SLE is calculated as AV x EF.
What is ARO (Annual Rate of Occurrence)?
Annual Rate of Occurrence is the number of losses you suffer per year.
What is ALE (Annualized Loss Expectancy)?
Annualized Loss Expectancy is your yearly cost due to a risk. It is calculated by multiplying the SLE by the ARO.
What is TCO (Total Cost of Ownership)?
The total cost of a mitigating safeguard. TCO combines upfront costs plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses.
What is ROI (Return on Investment)?
The amount of money saved by implementing a safeguard. If your TCO is less than your ALE, then you have a positive ROI. If your TCO is greater than your ALE, then you have a negative ROI, which is a result of poor choices.
Why are metrics important?
Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks, and demonstrate the effectiveness (and potential cost savings) of existing controls. They also help champion the cause of information security.
What are the four risk choices after an assessment has been made?
Accept the risk.
Mitigate or eliminate the risk.
Transfer the risk.
Avoid the risk.
When does it make sense to accept a risk?
When it's cheaper to leave an asset unprotected against a specific risk, rather than make the effort (and spend the money) required to protect it. All options must be considered before accepting a risk.
When is accepting a risk not an option?
High and extremely high risks cannot be accepted. Data protected by laws or regulations or risk to human life or safety are cases where accepting the risk is not an option.
What is mitigating risk?
Mitigating risk is lowering risk to an acceptable level. Also called risk reduction.
What is reduction analysis?
The process of lowering risk.
What is eliminating risk?
Removing the risk entirely.
What is transferring the risk?
Using a third party to accept the risk.
What is risk avoidance?
After a risk assessment is made, if the ALE is higher than the ROI, then it's best to avoid the risk and not implement what was proposed. An exception to this is if there are legal or regulatory reasons that dictate this decision.
What is the difference between Quantitative and Qualitative Risk Analysis?
Quantitative uses hard metrics such as dollars. Qualitative uses simple approximate values. Quantitative is more objective. Qualitative is more subjective.
What is Hybrid Risk Analysis?
Combines quantitative and qualitative analysis. Quantitative for risks that are easily calculated in hard numbers, and qualitative for the remainder.
What is an example of Quantitative Risk Analysis?
Calculating the ALE.
What is an example of Qualitative Risk Analysis?
The Risk Analysis Matrix.
Why is Quantitative Risk Analysis more difficult to calculate?
It requires you to calculate the asset value of everything vulnerable to the risk. Damage to a data center due to an earthquake requires knowing the cost of the building, servers, network equipment, computer racks, monitors, etc. Then you have to calculate the Exposure Factor, and so on. To qualitatively analyze a risk, you would research the risk, agree on a numeric value (1-5) for the likelihood and the consequence, and use the Risk Analysis Matrix to determine the risk value.
The NIST (United States National Institute of Standards and Technology) published the Risk Management Guide for Information Technology Systems. The guide describes what 9-step Risk Analysis process?
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
According to the Risk Management Guide for Information Technology Systems, what is System Characterization?
System characterization describes the scope of the risk management effort and the systems that will be analyzed.
According to the Risk Management Guide for Information Technology Systems, what is Control Analysis?
Analyzes the security controls (safeguards) that are in place or planned to mitigate the risk.
According to the Risk Management Guide for Information Technology Systems, what are Control Recommendations?
Risk mitigation strategy.