Risk Assessment Flashcards Preview


Flashcards in Risk Assessment Deck (21)
1
Q

What does risk assessment help us understand?

A
  • What is at risk? (Identifying assets)
  • How much is at risk? (Identifying values)
  • Where does the risk come from? (Identifying threats and vulnerabilities)
  • How can the risk be reduced? (Identifying countermeasures)
  • Is it cost effective? (Risk can never be completely eliminated)
2
Q

What does Single Loss Expectancy (SLE) measure?

A

the expected impact (in monetary terms) of a certain threat occurring

SLE = Asset Value (AV) × Exposure Factor (EF)

3
Q

What does the Annualized Rate of Occurrence (ARO) represent?

A

the expected frequency of a threat occurring per year

4
Q

How does one calculate the Annualized Loss Expectancy (ALE)?

A

ALE = SLE × ARO

5
Q

What 4 areas are typically involved in the risk analysis of information systems?

A
  • Value of the information/system assets
  • Possible threats to information/systems
  • Vulnerabilities of information/systems
  • Cost of countermeasures
6
Q

On which three variables does Risk depend?

A

Risk is a function of threats, vulnerabilities, and assets

7
Q

What two basic different kinds of assets exist?

A
Tangible assets (hardware, buildings, etc.)
Intangible assets (software, information)
8
Q

What is the Delphi Method?

A

way to put a value on information assets by asking knowledgeable staff in a systematic way

9
Q

How does the Delphi Method work? Name the four basic steps.

A
  • Experts (i.e. knowledgeable staff) give answers to questionnaires for several rounds
  • After each round a facilitator summarizes answers (and reasoning) given by experts
  • This summary is given to the experts (usually done anonymously)
  • New round is started in which experts may revise their answers
10
Q

What are the two basic types of threats?

A

Accidental

Intentional

11
Q

What are two basic approaches of information asset valuation?

A
  • Cost approach: try to put a fair market value on the information assets
  • Income approach: try to determine income stream generated by products/services associated with information assets
12
Q

What is threat analysis?

A

During threat analysis, the analyst must decide which threats to consider

13
Q

What is vulnerability analysis?

A

vulnerability analysis is about identifying vulnerabilities that can be exploited

Vulnerabilities allow threats to occur (more often) or have a greater impact

14
Q

What is the aim of risk modelling?

A

giving well-informed answers to the following questions:

  • What could happen? (threats/vulnerabilities)
  • How bad would it be? (impact)
  • How often might it occur? (frequency/probability)
  • How certain are answers to the question above? (uncertainty)
15
Q

What is quantitative risk assessment?

A

Trying to put a number on everything is called quantitative risk assessment
Computing the ALE is a classic form of quantitative risk assessment

16
Q

What are the prerequisites of quantitative risk assessment?

A
  • Reliable data has to be available
  • Appropriate tools are available
  • The person doing the assessment knows what they are doing (and is trustworthy)

If this is not the case, quantitative assessment can lead to a false sense of security!

17
Q

What is qualitative risk assessment?

A
  • An alternative to quantitative assessment
  • Rather than using concrete numbers, ranking is used, e.g. describing a threat level as high, medium, or low
  • Asset values may also be described in a similar way, e.g. high, medium, or low importance
18
Q

What is CRAMM?

A

a risk assessment tool
If you’re selling to the UK government, chances are high that you have to use this method/tool
CRAMM uses a risk matrix

19
Q

What is the Flaw Hypothesis Methodology?

A

A framework for conducting penetration studies

20
Q

What are penetration studies?

A

the test of an organisation’s countermeasures to risk

21
Q

What are the 5 steps involved in the Flaw Hypothesis Methodology?

A

1 Information gathering: testers try to become as familiar with the system as possible (in their role as external or internal attackers)
2 Flaw hypothesis: drawing on knowledge from step 1 and known vulnerabilities, testers hypothesize flaws
3 Flaw testing: testers try to exploit the possible flaws identified in step 2
If the flaw does not exist, go back to step 2. If the flaw exists, go to the next step
4 Flaw generalization: testers try to find other similar flaws, then iterate the test again (starting with step 2)
5 Flaw elimination: testers suggest ways of eliminating the flaw