Identify Vulnerabilities Flashcards
After threat identification, what do organizations focus on next?
Organizations turn their attention to identifying vulnerabilities: the weaknesses in their own systems, processes, and controls that an identified threat could exploit. A threat alone does no harm; it becomes a risk only when there is a vulnerability it can act on.
After threats and vulnerabilities are identified, what does an org do next?
An org then needs to determine the likelihood, impact, and resulting risk that each threat/vulnerability pair poses to the confidentiality, integrity, and availability of its systems.
This involves assessing both the likelihood that the risk will materialize and the impact it would have on the org if it does.
When factoring in the likelihood of a particular risk and its occurrence, what two things do they need to assess?
The two things that need to be assessed are:
- The likelihood that a threat will actually act on the vulnerability
- Whether, if the threat does act, an adverse effect would actually result for the company, taking into account the security controls already in place
After an analyst considers various risk criteria, what are the three possible ratings that an analyst may apply to the likelihood?
In a qualitative assessment, the likelihood is typically rated "low," "medium," or "high."
What rating scale could assessors use when it comes to qualitatively reviewing the potential impact of a risk?
What should this review assume about a threat if it happens?
An analyst could use the same low, medium, and high scale.
The impact review should assume that the threat does occur and creates a risk to the company, and then estimate how severe the effect on the org would be.
After an org takes a look at the likelihood and impact of a risk, what do risk analysts do?
After likelihood and impact are both rated, risk assessors combine the two reviews to arrive at the overall risk rating.
What type of visual tool might risk analysts use to demonstrate likelihood and impact risk ratings?
Organizations often use a risk matrix where one axis is the likelihood and the other is the impact; each cell gives the overall risk rating for that combination.
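The procedure on these cards (rate likelihood taking existing controls into account, rate impact assuming the threat occurs, then combine the two through a matrix) as a worked example. This is added example code, not part of the original flashcards or any named framework; the 3x3 matrix layout, the "highly effective controls step likelihood down one level" rule, and the sample risk register are all assumptions constructed for illustration.

```python
"""Qualitative risk rating: the likelihood x impact procedure described in the cards,
run over a small, constructed risk register."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Rows are likelihood, columns are impact. This 3x3 layout is an assumption for the
# example; organizations calibrate their own matrices.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


def check_level(level, name):
    """Reject anything outside the agreed scale so ratings stay comparable."""
    if level not in LEVELS:
        raise ValueError(f"{name} must be one of {LEVELS}, got {level!r}")
    return level


def adjust_likelihood(threat_likelihood, control_effectiveness):
    """Second part of the likelihood assessment: given the controls already in place,
    would the threat acting actually produce an adverse effect?
    Rule assumed here: highly effective controls step the raw threat likelihood down
    one level; medium or low effectiveness leaves it unchanged."""
    check_level(threat_likelihood, "threat_likelihood")
    check_level(control_effectiveness, "control_effectiveness")
    idx = LEVELS.index(threat_likelihood)
    if control_effectiveness == "high":
        idx = max(0, idx - 1)
    return LEVELS[idx]


def rate_risk(likelihood, impact):
    """Combine the two reviews into the overall rating by matrix lookup."""
    return RISK_MATRIX[check_level(likelihood, "likelihood")][check_level(impact, "impact")]


@dataclass
class RiskEntry:
    vulnerability: str          # weakness in the org's own systems
    threat: str                 # what could exploit it
    threat_likelihood: str      # chance the threat acts on the vulnerability
    control_effectiveness: str  # how well existing controls blunt it
    impact: str                 # severity if the threat succeeds (assumed to occur)


# Constructed sample register (illustrative values, not real findings).
SAMPLE_REGISTER = [
    RiskEntry("unpatched internet-facing web server", "exploitation of a known flaw",
              "high", "low", "high"),
    RiskEntry("weak password policy on internal wiki", "credential guessing",
              "medium", "high", "medium"),
    RiskEntry("unencrypted backup tapes stored offsite", "theft of media in transit",
              "low", "medium", "high"),
]


def assess_register(register):
    """Run the full procedure over every entry and return the results, highest risk first."""
    results = []
    for entry in register:
        likelihood = adjust_likelihood(entry.threat_likelihood, entry.control_effectiveness)
        results.append({
            "vulnerability": entry.vulnerability,
            "likelihood": likelihood,
            "impact": entry.impact,
            "risk": rate_risk(likelihood, entry.impact),
        })
    results.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    return results


def render_matrix():
    """Text form of the matrix: likelihood down the side, impact across the top."""
    header = "likelihood\\impact " + " ".join(f"{im:>8}" for im in LEVELS)
    rows = [f"{lk:<18}" + " ".join(f"{RISK_MATRIX[lk][im]:>8}" for im in LEVELS)
            for lk in LEVELS]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(render_matrix())
    for r in assess_register(SAMPLE_REGISTER):
        print(f'{r["risk"]:>6}  {r["likelihood"]:>6} x {r["impact"]:<6}  {r["vulnerability"]}')
```

Note how the second register entry ends up rated low even though the raw threat likelihood is medium: the existing controls are credited in the likelihood step, which is exactly the second question the cards say must be asked. Whatever matrix and adjustment rule an org adopts, the important property is that every assessor uses the same one, so ratings across findings remain comparable.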