Lesson 5

Question 1

The chance of a negative event

Answer 1

Risk

Question 2

A chance that something unexpected will happen

Answer 2

Risk

Question 3

It is the combination of threats and vulnerabilities

Answer 3

Risk = Threats x Vulnerabilities

Question 4

This definition leaves the possibility open that risks can produce positive outcomes. This is no doubt based on the philosophy that problems represent opportunities

Answer 4

Risk, ISO 31000

Question 5

Something bad that might happen

Answer 5

Threat

Question 6

From a security perspective the first threat that pops to mind is ?

Answer 6

Security Attack

Question 7

What is the range of a threat?

Answer 7

It can range from human errors to natural disasters

Question 8

What are the 6 categories of threats?

Answer 8

• Acts of human error
• Compromises of Intellectual Property
• Deliberate acts of espionage/trespass
• Deliberate acts of information extortion
• Deliberate acts of sabotage/vandalism
• Deliberate acts of theft

Question 9

Who said that ‘Vulnerability is the birthplace of innovation, creativity and change’

Answer 9

Brene Brown

Question 10

What is common definition of vulnerability?

Answer 10

“weakness” or “inability to cope”

Question 11

A better definition for vulnerability

Answer 11

“exposure”

Question 12

Example of a vulnerability?

Answer 12

Connecting a system to the Internet can represent a vulnerability
* It exposes a system to a DDoS (Distributed Denial of Service) attack
* But connecting a system to customers via the Internet isn’t likely to be considered a weakness from a business perspective

Question 13

IS RISK GOOD OR BAD?

Answer 13

• IT security professionals tend to think of risk as bad. It is the chance a threat will exploit vulnerabilities or the
  “chance that something bad will happen”
• Risk management professionals treat risks as potentially positive

Question 14

the process of identifying, analyzing and responding to risk factors
throughout the life of a project and in the best interests of its objectives

Answer 14

Risk Management

Question 15

implies control of possible future events

Answer 15

Proper risk management

Question 16

Is risk management proactive or reactive?

Answer 16

proactive

Question 17

Project team reacts to risks when
they occur

Answer 17

Reactive Risk Management

Question 18

plan for additional resources in anticipation of fire
fighting

Answer 18

Reactive Risk Management, Mitigation

Question 19

resources are found and applied when the risk strikes

Answer 19

Reactive Risk Management, Fix on Failure

Question 20

failure does not respond to applied resources and project is in jeopardy

Answer 20

Reactive Risk Management, Crisis Management

Question 21

Formal risk analysis is performed

Answer 21

Proactive Risk Management

Question 22

Organization corrects the root
causes of the risk

Answer 22

Proactive Risk Management

Question 23

What are the 7 steps to risk management?

Answer 23

1. Identification
2. Analysis
3. Probability and Impact
4. Risk Treatment
5. Residual Risk
6. Risk Control
7. Monitor and Review

Question 24

Giving all stakeholders an opportunity to identify risks

Answer 24

Identification

Question 25

This can increase acceptance of a program or project as everyone is given a chance to document all the things that might go wrong

Answer 25

Identification

Question 26

The diverse perspectives of stakeholders helps to develop a comprehensive list of risks

Answer 26

Identification

Question 27

It is also possible to use databases of issues with that occurred with similar business processes, programs or projects in your industry

Answer 27

Identification

Question 28

Knowledge sources such as lessons-learned and the risk registers of historical projects can also be used

Answer 28

Identification

Question 29

Developing context information for each risk such as moment of risk

Answer 29

Analysis

Question 30

Assessing the probability and impact of each risk

Answer 30

Probability and Impact

Question 31

These can be single estimates such as high, medium and low

Answer 31

Probability and Impact

Question 32

Alternatively, they can be a probability distribution that model multiple costs and associated probabilities for each risk

Answer 32

Probability and Impact

Question 33

Planning a treatment for each risk such as acceptance, mitigation, transfer, sharing or avoidance

Answer 33

Risk Treatment

Question 34

Risks that are both low impact and low probability typically aren't treated

Answer 34

Risk Treatment

Question 35

Assess residual risk including secondary risks that result from risk mitigation, transfer or sharing

Answer 35

Residual Risk

Question 36

Implement identified controls for risk mitigation, sharing, avoidance and transfer

Answer 36

Risk Control

Question 37

Continuously identify new risks as things progress, monitor implementation of controls and communicate risk to stakeholders

Answer 37

Monitor and Review

Question 38

used when the team wants to ensure that the risk opportunity is realized and any uncertainty is removed

Answer 38

Risk Exploitation

Question 39

used to increase the probability or impact of a positive risk occurring. The strategy requires identifying and maximizing the key drivers

Answer 39

Risk enhancement

Question 40

involves allocating some or all of the ownership of the risk and opportunity to a 3rdparty who has the best chance of meeting the objective.

Answer 40

Sharing a positive risk

Question 41

means you intend to take advantage of the opportunity if it becomes available, but not actively pursuing it

Answer 41

Accepting a positive risk

Question 42

a strategy where the project team takes action to remove the threat of the risk or protect from the impact

Answer 42

Risk Avoidance

Question 43

involves shifting or transferring the risk threat and impact to a 3rdparty. This does not eliminate the risk, rather transfers the responsibility and ownership.

Answer 43

Risk Transference

Question 44

the strategy whereby the project team takes action to reduce the probability of the risk occurring. This does not remove the risk or the potential impact, but rather reduces the likelihood of it becoming real

Answer 44

Risk Mitigation

Question 45

means the team acknowledges the risk and its potential impact, but decides not to take any preemptive action to prevent it. It is dealt with only if it occurs.

Answer 45

Risk Acceptance

Question 46

A project management activity that involves identifying, assessing, measuring, documenting, communicating, avoiding, mitigating, transferring, accepting, controlling and managing risk

Answer 46

Project Risk Management

Question 47

The process of identifying risks is intuitive for experienced project managers

Answer 47

Project Risk Managment