5.2

Question 1

A type of risk assessment that occurs before a particular project starts, to help better understand the risks of that project.

Answer 1

One-time

Question 2

A type of risk assessment that occurs every time the change control process is implemented.

Answer 2

Continuous

Question 3

A type of risk assessment that occurs for one specific purpose. The scope of this type of assessment is very narrow.

Ex. A specific new attack type

This type of assessment proceeds by creating a committee to perform a risk assessment of that one specific thing. After that, the committee is disbanded.

Answer 3

Ad hoc

Question 4

A type of risk assessment that is performed in a specified schedule. This assessment is done internally, without the need of a third-party.

This assessment might also be mandated by governmental regulations to ensure compliance.

Answer 4

Recurring

Question 5

A type of risk assessment that uncovers underlying reasons and context of each risk, including ARO, impact, cost of controls, and overall risk value.

Answer 5

Qualitative

Question 6

A type of risk assessment that measures and quantifies specific variables, such as AV, EF, and SLE, ALE, and ARO.

Answer 6

Quantitative

Question 7

SLE stands for

Answer 7

Single Loss Expectancy

Question 8

AV stands for
(not antivirus)

Answer 8

Asset Value

Question 9

ALE stands for

Answer 9

Annualized Loss Expectancy

Question 10

EF stands for

Answer 10

Exposure Factor

Question 11

The value of the asset to the organization

Includes cost, effect on company operations, potential regulatory fines, etc.

Answer 11

AV

Question 12

The percentage of the value lost due to an incident

Losing a quarter of the value is 0.25, losing the entire asset is 1.0, etc.

Answer 12

EF

Question 13

How likely a threat is to occur in a year

Answer 13

ARO

Question 14

The monetary loss if a single event occurs

Answer 14

SLE

Question 15

The monetary loss to incidents within a year

ARO x SLE

Answer 15

ALE

Question 16

5 types of impact you should consider during risk assessment

Answer 16

Life
Property
Safety
Finance
Reputation

Question 17

Difference between risk likelihood and risk probability

Answer 17

Risk likelihood is a qualitative measurement of risk. “Rare, possible, almost certain,” etc.

Risk probability is a quantitative measurement of risk. It is statistical and can be based on historical performance.

Question 18

A broad description of risk-taking deemed acceptable.

The amount of accepted risk before taking any action to reduce that risk.

Answer 18

Risk appetite

Question 19

Difference between risk appetite and risk tolerance

Answer 19

Risk appetite is a broad-sweeping description.
For example, the govt puts up speed limits and you are not, under any circumstances, allow to go above that limit.

Risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
For example, most police officers only give you a speeding ticket if you go 5+ miles over the speed limit.
Or, if there is bad weather, you might be expected to drive a lot slower than the speed limit.
Or if you’re having a medical emergency, police officers might even escort you at higher speeds to the hospital.

Question 20

A detailed list of risks associated with implementing a project

May provide options or solutions to avoid or mitigate those risks. Includes key risk indicators, risk severity, and risk owners.

Answer 20

Risk register

Question 21

Metrics that predict potential risks that can negatively impact business.
Ex. Turnover rate, employee satisfaction, number of applicants per job, etc.

Typically appear in a risk register as the risk description.
Ex. “Project design and deliverable definition is incomplete.”

Answer 21

Key risk indicators

Question 22

The person listed on a risk register who is responsible for managing a particular risk

Answer 22

Risk owner

Question 23

A measure of the level of risk exposure above which action must be taken to address risks proactively, and below which risks may be accepted.

In other words, it helps to determine whether taking action against the risk is worth it. Will mitigating the risk be more costly than just accepting it?

Answer 23

Risk threshold

Question 24

A risk management strategy where you move the risk to a third party

Ex. a cybersecurity insurance company

Answer 24

Transferrence

Question 25

A risk management strategy where you do nothing to mitigate or avoid the risk

Answer 25

Acceptance

Question 26

A risk management strategy where you accept the risk with approval to not follow certain policies or regulations at all.

Ex. A third-party supplier says that they do not provide or support patches to their firmware.

Answer 26

Acceptance with exemption

Question 27

A risk management strategy where you accept the risk, and also allow a one-time instance of not following policies or regulations.

Ex. The policy is to have vulnerabilities patched within 3 days of vulnerability discovery. But this specific patch causes critical software failures, so you don’t enforce the rule this time.

Answer 27

Acceptance with exception

Question 28

A risk management strategy where you stop participating in the risky activity.

Answer 28

Avoidance

Question 29

A risk management strategy where you decrease the risk level.

Answer 29

Mitigation

Question 30

A formal list of all risks that a company is tracking as well as their descriptions and how to handle them.

Commonly referenced by upper management.

Answer 30

Risk report

Question 31

Difference between risk report and risk register

Answer 31

Risk report is all the risks that an organization is tracking.

Risk register tracks only the risks for a specific project.

Question 32

RTO stands for

Answer 32

Recovery Time Objective

Question 33

RPO stands for

Answer 33

Recovery Point Objective

Question 34

MTTR stands for

Answer 34

Mean Time To Repair

Question 35

MTBF stands for

Answer 35

Mean Time Between Failures

Question 36

The maximum acceptable amount of time for restoring a network or application and regaining access to data after an unplanned disruption.

Answer 36

RTO

Question 37

The measurement of how much data - measured in time - that a company MUST have in order to be considered up and running after an incident has occurred.

Ex. The database must have at least the last 12 months of data to be considered fully functional.

It defines how much data loss is acceptable.

Answer 37

RPO

Question 38

The average amount of time it takes to resolve a problem.

Includes diagnosing the problem, replacing equipment, and configuring new equipment.

Answer 38

MTTR

Question 39

The average amount of time between repairable outages.

Can be calculated as total uptime divided by number of breakdowns, or be based upon historical data.

Answer 39

MTBF