04. Risk Assessment Analysis Flashcards

1
Q

Risk Assessment

A process intended to discover and identify threats that, if realised, could result in some unwanted event or incident

A

Risk Assessment

144

2
Q

Risk Assessment

2 principal portions of risk assessment

A
  1. Vulnerability identification
  2. Threat identification

145

3
Q

Threat Identification

Defined as an event that, if realised, would bring harm to an asset and the organisation

A

Threat

  • A threat is not a vulnerability, it is the actual action that would cause harm
  • A threat actor is the person carrying out the action
  • A threat is not an actual weakness, this is the vulnerability

145

4
Q

Threat identification

Threats are typically classified in 3 ways

A
  1. Internal or external
  2. Intentional or unintentional
  3. Human-made or natural

145

5
Q

Internal Threats

A wide range of events can take place that constitute internal threats

A

Well-meaning personnel making errors…:
1. In judgement
2. In haste
3. Because of insufficient knowledge or training

Disgruntled personnel…:
1. Being purposefully negligent
2. Bringing harm to an asset

Also…:
1. Threat actor acting on behalf of a foreign party posing as an internal employee
2. A trusted individual in a trusted third party doing any of the above

6
Q

External Threats

Threats that originate outside of the organisation can include both deliberate and accidental actions. Threats can be…

A

Human made or associated with naturally occurring events

148

7
Q

Advanced Persistent Threats

The advanced persistent threat…

A
  1. Pursues its objectives repeatedly over an extended period of time
  2. Adapts to defenders' efforts to resist it
  3. Is determined to maintain the level of interaction needed to execute its objectives

149

8
Q

Emerging Threats

Emerging threats will always represent the…

A

cutting edge of attack techniques and will be difficult to detect

150

9
Q

Emerging Threats

Security managers need to understand that attack techniques will…

A

Continuously improve their ability to evade detection

150

10
Q

Risk Identification

Several considerations are applied in the identification of each risk…

A
  1. Threats
  2. Threat actors
  3. Vulnerabilities
  4. Asset Value
  5. Impact

151

11
Q

Risk Identification

Impact is considered separately from…

A

Asset Value

Some threat scenarios have minimal correlation with asset value but relate instead to reputation damage

151

12
Q

Risk Likelihood and Impact

Risk = Threats x Vulnerabilities
Risk = Threats x Vulnerabilities x Asset Value
Risk = Threats x Vulnerabilities x Probabilities

A

151

13
Q

Likelihood

Likelihood of a serious security incident has less to do with the technical details and more to do with the…

A

thought process of an adversary

152

14
Q

Likelihood

Considerations related to risk likelihood include…

A
  1. Hygiene
  2. Visibility
  3. Velocity
  4. Motivation
  5. Skill

  1. Organisations that do a poor job in areas such as vulnerability management or patching are likely to suffer more incidents than an organisation that does a good job
  2. How visible the organisation is within the public eye; its standing
  3. Relates to the timing of threat scenarios - is there any warning or foreknowledge
  4. Understand the drivers that motivate an adversary to attack an organisation
  5. If higher skills are required, this doesn't mean an attack is less likely, but the scope of who and why, i.e. motivation, comes into play

152

15
Q

Impact

The actual or expected result of some action, such as a threat or disaster, being realised

A

Impact

152

16
Q

Impact

If a risk manager fails to understand the impact of different scenarios, they are unable to determine…

A

the level of importance and urgency for risk mitigation from one threat to another

152

17
Q

Impact

Used to identify the most critical business processes, together with their supporting IT systems and dependencies

A

Business Impact Analysis
(BIA)

153

18
Q

Impact

The value that a BIA brings to a risk assessment is the understanding of…

A

which business processes and IT systems are the most important to the organisation

153

19
Q

Gathering information

A security manager needs to gather information to ensure that the risk analysis/assessment is valuable and complete. Sources include…

A

Interviews with:
1. Process owners
2. Application developers
3. Security personnel
4. Security experts

As well as…
1. Analysis of incidents from other organisations
2. Prior risk assessments

154

20
Q

Qualitative Risk Analysis

The process to understand each risk relative to other risks so that higher risks can be distinguished from lower risks - achieved, for example, by assigning levels such as high, medium, or low

A

Qualitative Risk Analysis

The process of applying simple qualities to the risk, i.e. it is high, medium, or low

154

21
Q

Semiquantitative Risk Analysis

A process by which a simple value can be applied to a risk, for example by multiplying the impact by the probability

A

Semi-quantitative Analysis

  • This does not calculate financial values but takes the simple qualitative metrics and uses them to provide some form of quantitative analysis
  • Where a score is higher, this does not mean it is more likely to happen; it is just a value that should reflect something as potentially being a higher priority, as the risk is larger than the other

154

22
Q

Quantitative Risk Analysis

A process in which risk managers attempt to determine the actual costs and probabilities of events

A

Quantitative Risk Analysis

23
Q

Quantitative Risk Analysis

2 aspects of quantitative risk analysis that prove to be a challenge

A
  1. Event probability
  2. Event cost

  1. Some probability factors are hard to quantify
  2. Incidents can be complex, so it is hard to put any exact cost on a given scenario

155

24
Q

Quantitative Risk Analysis

Standard quantitative risk analysis involves the development of several figures

A

Asset Value (AV)
Typically the asset's replacement value
Exposure Factor (EF)
Financial loss that results from the realisation of a threat, expressed as a percentage of the asset's total value
Single Loss Expectancy (SLE)
The financial loss when a threat scenario occurs one time
SLE = AV x EF
Annualised Rate of Occurrence (ARO)
Estimate of the number of times that a threat will occur per year
1 chance in 50 years = 1/50 = 0.02%
Annualised Loss Expectancy (ALE)
Expected annualised loss of asset value due to threat realisation
ALE = SLE x ARO

155

25
Q

Quantitative Risk Analysis

Sources of information that may be used for calculating estimates for an ARO

A
  1. History of event losses in the organisation
  2. History of similar losses in other organisations
  3. History of dissimilar losses
  4. Best estimates based on available data

156

26
Q

OCTAVE

OCTAVE

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation

156

27
Q

OCTAVE

OCTAVE Allegro methodology uses 8 steps

A

Step 1: Establish risk measurement criteria
Step 2: Develop an information asset profile
Step 3: Identify information asset containers
Step 4: Identify areas of concern
Step 5: Identify threat scenarios
Step 6: Identify risks
Step 7: Analyse risks
Step 8: Select mitigation approach

  1. Organisation identifies the most important impact areas, i.e. reputation/customer confidence, financial, productivity, etc.
  2. Organisation identifies in-scope information assets and develops profiles
  3. Organisation identifies all internal and external information systems
  4. Identifies threats that could cause harm - brainstorming activities
  5. Threat tree may be developed to expand on step 4
  6. Consequences of each threat identified
  7. Simple quantitative measurements used
  8. Risks with higher scores analysed to determine risk mitigation/reduction methods

156

28
Q

Bow-Tie Analysis

A risk analysis method that uses diagrams to analyse and explain the relationships between risk elements and events and their impacts

A

Bow-Tie Analysis

29
Q

Risk Analysis Methodologies

5 other more complex methods of risk analysis

A

Delphi Method
* Questionnaires, 1-2 rounds
* Experts converge on most important risks and mitigation strategies

Bayesian Analysis
* Uses data distribution and statistical inference to determine risk probability

Fault Tree Analysis (FTA)
* Diagram all consequences for a given event scenario
* Starts with one scenario and moves forward in time, with all possible consequences considered

Event Tree Analysis (ETA)
* A logic modeling technique
* Analyses success and failure outcomes of a given event scenario

Monte Carlo Analysis
* Simulation based, computational algorithms

157

30
Q

Risk Ownership

Organisations need to assign individual risks to individual people. Typically, this would be…

A

Middle to Upper Management Business Leaders

These leaders should have ownership of the controls, budget, and staff within their domain of business operations

158

31
Q

Controls

Measures put in place to ensure a desired outcome; a common outcome of risk treatment measures

A

Controls

159

32
Q

Risk Register

A risk register serves as the focal point of evidence that an organisation is attempting to manage risk and can be stored in…

A
  1. Spreadsheet
  2. Database
  3. Governance Risk Compliance (GRC) tool

159

33
Q

Risk Register

Potential sources of information that could lead to the creation of a risk register entry

A
  1. Risk assessment
  2. Vulnerability assessment
  3. Internal audit
  4. Security incident
  5. Threat intelligence
  6. Industry development
  7. New laws and regulations
  8. Consultants

161

34
Q

Strategic vs Tactical Risks

Strategic risks belong in a risk register
Tactical risks do not typically reside in a risk register

A

Strategic risk
* Vulnerability scans identifying a common pattern that indicates a systemic problem in the business in relation to attitudes towards patch management
* This would belong in the risk register

Tactical Risk
* The hundreds of thousands of entries identified within regular vulnerability scanning
* These would not belong in the risk register

161

35
Q

Integration of Risk Management

Risk should be integrated into several other IT and business processes within the organisation

A
  1. Architecture
  2. Software Development
  3. Change Management
  4. Configuration Management
  5. Incident and Problem Management
  6. Physical Security
  7. Information risk and enterprise risk management
  8. Human resource management
  9. Project Management

163

36
Q

Integration of Risk Management

Organisations need to introduce several security-related steps into their software development process

A
  1. Threat modeling
  2. Coding standards
  3. Code reviews
  4. Code scanning
  5. Application scanning
  6. Application penetration testing

  1. Anticipate potential threats. Incorporate design features to block them
  2. Specify allowed and disallowed coding techniques
  3. Peer review
  4. Integrated Development Environment
  5. Scan web applications to discover exploits
  6. Performed by appropriately skilled internal or external testers

164

37
Q

Change Management

An IT function used to control changes made within the environment

A

Change Management

164

38
Q

Change Management

The purpose of change management is to…

A

reduce the likelihood changes will introduce unexpected risk

164

39
Q

Configuration Management

The IT function by which the configuration of components in an IT environment is recorded

A

Configuration Management

165

39
Q

Configuration Management

A repository of configuration changes within the organisation

A

Configuration Management Database
(CMDB)

165

39
Q

Incident and Problem Management

4 security- and risk-related principles and considerations in incident management

A
  1. Security or Risk component associated with an incident
  2. Security or Risk implication associated with actions to restore service
  3. Security or Risk implications associated with root cause analysis
  4. Security or Risk implications associated with corrective action

166

40
Q

Configuration Management

Where the configuration of a component or system slowly diverges from its initial or intended state - often occurring in organisations that lack automation

A

Configuration Drift

165

40
Q

Human Resource Management

There are several practices in HR that contribute to the support of information protection

A
  1. Background checks
  2. Legal agreements
  3. Training
  4. Development and Management of roles
  5. Management of the human resources information systems (HRIS)

  1. Background checks on an employee before hiring them, checking credibility
  2. Directing employees to agree to and sign legal documents that protect the business, i.e. an NDA or acceptable use policy
  3. Delivering training to workers, including security awareness training
  4. Incorporating security-related responsibilities into job descriptions
  5. Integration of HRIS with IAM services to ensure access management information is kept up to date, i.e. when a user leaves, immediately being able to revoke access across the estate

41
Q

Information Risk and ERM

Organisations with an ERM and Information Risk function may choose to merge them together. Organisations that blend these risks together in a register have a more…

A

complete view of all business risks

168