Week 4

Question 1

What is the formula for risk in Information Security?

Answer 1

Risk = Likelihood x Impact

Question 2

What three elements does component-driven risk assessment evaluate?

Answer 2

Threat, Vulnerability, Impact

Question 3

Give examples of threats in risk analysis

Answer 3

Lone hacker, state-sponsored group, staff error, severe weather

Question 4

Name three risk assessment methods/frameworks

Answer 4

NIST 800-30, ISO/IEC 27005, ISACA COBIT

Question 5

Name two information security management frameworks

Answer 5

NIST Cybersecurity Framework, ISO/IEC 27000 series

Question 6

What are the four risk control strategies?

Answer 6

Avoid, Accept, Reduce, Transfer

Question 7

What are the steps of the ISO/IEC 27005:2011 risk assessment process?

Answer 7

Identify (assets, threats, controls, vulnerabilities, consequences); Analyse (consequences, likelihood); Treat (modify, retain, avoid, share); Monitor

Question 8

What is qualitative risk analysis?

Answer 8

Uses descriptive scales (e.g. VL, L, M, H, VH) for likelihood and impact

Question 9

What is a major advantage and disadvantage of qualitative risk analysis?

Answer 9

Advantage: Easy to understand;
Disadvantage: Subjectivity in scale

Question 10

What is quantitative risk analysis?

Answer 10

Uses numerical data to measure impact and likelihood

Question 11

What are pros and cons of quantitative risk analysis?

Answer 11

Pros: Data-driven, directly related to objectives;
Cons: Data gaps, overconfidence in results

Question 12

What does ALE stand for and how is it calculated?

Answer 12

Annualized Loss Expectancy = SLE x ARO

Question 13

Define SLE and ARO in risk analysis

Answer 13

SLE: Single Loss Expectancy
ARO: Annualized Rate of Occurrence

Question 14

What is the Cost Benefit Analysis (CBA) formula in security?

Answer 14

CBA = ALE(prior) - (ALE(post) + ACS)

Question 15

What is ACS in cost-benefit analysis?

Answer 15

Annualized Cost of Safeguard

Question 16

What are the four risk treatment options?

Answer 16

Retain (Accept), Avoid (Terminate), Share (Transfer), Modify (Reduce)

Question 17

Why is risk management a continual process?

Answer 17

Because threats, vulnerabilities and impacts evolve over time

Question 18

What are some limitations of current risk frameworks?

Answer 18

Over-reliance on on reductionist views, static models, subjectivity, noise, and data bias

Question 19

What is a ‘simple risk matrix’ used for?

Answer 19

Visual tool for evaluating everyday risks using likelihood and impact

Question 20

What does the critical appraisal by NCSC suggest about frameworks?

Answer 20

Effectiveness depends on thoughtful application, not just the method itself.