Flashcards in Section 4: Security of Networks, Systems, Application and Data Deck (17):
Risk is the possibility of loss of a digital (a) ___ resulting from a (b) ___ exploiting a (c) ___.
The process of analyzing the risk attributes (i.e., asset, exploit, vulnerability) to determine an organization's particular risk.
What are the three most common inputs of a cyberrisk assessment?
1. Asset identification
2. Threat assessment
3. Vulnerability assessment
Select all that apply. Information used to estimate impact and likelihood usually comes from:
a. Past experience or data and records
b. Reliable practices, international standards or guidelines
c. Market research and analysis
d. Experiments and prototypes
e. Recent management analysis
f. Economic, engineering or other models
g. Specialist and expert advice
h. Industry report
1. Past experience or data and records
2. Reliable practices, international standards or guidelines
3. Market research and analysis
4. Experiments and prototypes
5. Economic, engineering or other models
6. Specialist and expert advice
What are the three types of risk assessment orientations?
1. Asset orientation
- Important assets are defined first, and then potential threats to those assets are analyzed. Vulnerabilities are identified that may be exploited to access the asset.
2. Threat orientation
- Potential threats are determined first, and then threat scenarios are developed. Based on the scenarios, vulnerabilities and assets of interest to the adversary are determined in relation to the threat.
3. Vulnerability orientation
- Vulnerabilities and deficiencies are identified first, then the exposed assets, and then the threat events that could take advantage of them are determined.
What are the types of risk response strategy?
1. Risk reduction
2. Risk avoidance
3. Risk transfer or sharing
4. Risk acceptance
Type of risk response strategy in which controls or countermeasures are implemented to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance
Type of risk response strategy through non-participation in an activity or business
An example of this risk response strategy is the purchase of insurance or the use of a third party's services
Risk transfer or sharing
Type of risk response strategy where the organization assumes the risk and absorbs the loss
True or False: The results of risk assessments need to be evaluated in terms of the organization's mission, risk tolerance, budgets and other resources, and cost of asset allocation.
False: The results of risk assessments need to be evaluated in terms of the organization's mission, risk tolerance, budgets and other resources, and cost of MITIGATION.
True or False: Risk assessment results can be used to communicate the risk decisions and expectations of management throughout the organization through policies and procedures.
Two most common techniques of identifying vulnerabilities:
1. Vulnerability scanning
2. Penetration testing
The process of using proprietary or open source tools to search for known vulnerabilities
An exploitable weakness that results in a loss
The method used to take advantage of a vulnerability