5.3 Flashcards
Risk management
is the continuous process of
handling risks to organizational operations,
including mission-critical services and functions, physical and logical assets, and people
The results of this risk management might be:
- Establishing the context for risk-related activities
- Conducting an asset and risk assessment
- Implementing a risk mitigation strategy based on the established risk treatment
- Employing techniques and procedures for the continuous monitoring of the security state of information systems
Inherent (total) risk:
- The vulnerabilities and risks that the organization faces before safeguards are implemented
- The present baseline or system/application state before a formal assessment begins
Residual risk:
- The vulnerability or risk that remains after the mitigating controls are introduced
- Residual risk is never zero; whatever remains must still be accepted, transferred, or avoided
*Residual risk = inherent risk − safeguards (controls)
5 key elements of risk analysis are:
- Assets or an asset class
- Incident or scenario
- Timeframe (fiscal/calendar year)
- Impact (magnitude)
- Likelihood (probability)
Qualitative risk analysis
- The most common method used in risk and security
- Descriptive approach using subjective opinions, history, and scenarios to determine risk levels (e.g., low/medium/high)
Inputs used to determine risk levels:
- Expert judgement
- Best practices
- Experience
- Intuition
Examples of qualitative risk analysis:
- Interviews, questionnaires, and surveys (including the Delphi technique: anonymous, iterated expert surveys that converge on a consensus)
- Brainstorming sessions and workshops addressing assets, known risks, known vulnerabilities, common threats, and historical impacts
Quantitative risk analysis
a scientific/mathematical approach to getting
monetary and numeric results
Quantitative risk analysis is based on:
- Asset values (cost and depreciated)
- Impact (magnitude) or severity of the incident
- Probability (likelihood) of occurrence
- Threat frequency
- Costs and effectiveness of safeguards
Quantitative risk analysis resulting probabilities are based on:
- Percentages, mathematical formulas, and calibrated estimation
AV (asset value):
- Value of the asset according to the organization
EF (exposure factor):
- Percentage of the asset's value lost when the identified threat occurs (0–100%)
SLE (single loss expectancy):
- Potential loss from a single occurrence of the threat
- SLE = AV * EF
ARO (annualized rate of occurrence):
- Estimated frequency with which the threat will occur within a single year (an event expected once every 10 years has an ARO of 0.1)
Quantitative formula:
ALE (annualized loss expectancy) = SLE * ARO
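Worked example of the quantitative formulas above. This is an added illustration, not part of the flashcards: it computes SLE and ALE for a constructed scenario, then applies the standard cost/benefit extension (net value of a safeguard = ALE before − ALE after − annual cost of the safeguard), which goes beyond the flashcard's ALE formula. All asset values, exposure factors, ARO figures, and safeguard names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    """One incident scenario against one asset (hypothetical figures)."""
    name: str
    asset_value: float       # AV: value of the asset to the organization
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float               # ARO: expected occurrences per year (0.5 = once in two years)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its annual cost and the EF/ARO it leaves behind.
    None means the safeguard does not change that factor."""
    name: str
    annual_cost: float
    residual_ef: Optional[float] = None
    residual_aro: Optional[float] = None


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. EF is a fraction, so 25% must be passed as 0.25, not 25."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor must be a fraction in [0, 1], got {ef}")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale(threat: Threat) -> float:
    """Inherent ALE of a scenario, before any safeguard is applied."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def residual(threat: Threat, safeguard: Safeguard) -> Threat:
    """The same scenario after the safeguard: residual risk = inherent risk minus the control's effect."""
    ef = threat.exposure_factor if safeguard.residual_ef is None else safeguard.residual_ef
    aro = threat.aro if safeguard.residual_aro is None else safeguard.residual_aro
    return Threat(threat.name, threat.asset_value, ef, aro)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual value of a control = ALE(before) - ALE(after) - annual cost of safeguard.
    This is the standard cost/benefit formula, added here beyond the flashcard's ALE formula.
    A negative result means the control costs more per year than the loss it prevents."""
    return ale(threat) - ale(residual(threat, safeguard)) - safeguard.annual_cost


def rank_safeguards(threat: Threat, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Candidates ordered by net annual value, best first."""
    scored = [(s.name, safeguard_value(threat, s)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample scenario (hypothetical figures): a customer database valued at
# 500,000, where a ransomware incident destroys 25% of its value and is expected
# about once every two years.
RANSOMWARE = Threat("ransomware on customer DB", asset_value=500_000, exposure_factor=0.25, aro=0.5)

CANDIDATES = [
    # Immutable backups: incidents are just as frequent, but far less is lost each time.
    Safeguard("immutable backups", annual_cost=20_000, residual_ef=0.05),
    # EDR: loss per incident unchanged, but incidents become much rarer.
    Safeguard("EDR on all endpoints", annual_cost=45_000, residual_aro=0.1),
    # Both controls plus a dedicated SOC: strongest reduction, but the cost exceeds the benefit.
    Safeguard("backups + EDR + SOC", annual_cost=70_000, residual_ef=0.02, residual_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE          = {single_loss_expectancy(500_000, 0.25):,.0f}")
    print(f"Inherent ALE = {ale(RANSOMWARE):,.0f}")
    for name, value in rank_safeguards(RANSOMWARE, CANDIDATES):
        print(f"{name:<24} net value per year = {value:,.0f}")
```

With these figures SLE is 125,000 and the inherent ALE is 62,500 per year. Immutable backups cut the ALE to 12,500 for 20,000 a year (net value 30,000), EDR reaches the same residual ALE at a higher cost (net value 5,000), and the combined option drives the ALE down to 1,000 but costs more than it saves (net value −8,500), so on cost/benefit alone it would not be justified; the negative sign is the signal a practitioner looks for.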
Risk treatment (risk response)
Any combination of the treatments below (acceptance, transference, avoidance, mitigation) can be used in risk management; how much risk is left accepted is bounded by the organization's risk appetite
**Analysts must also consider any exemptions or exceptions for certain privileged users, air-gapped systems, or special-use-case applications
Risk acceptance:
- Do not implement any additional safeguards
- Justification in writing is often required, signed off by an owner with the authority to accept the risk
- Distinct from simply ignoring the risk: acceptance is a conscious, documented decision, whereas an unrecognized or ignored risk has not been treated at all
Risk acceptance examples:
- Only having one supplier or vendor for hardware or services, relying on their uptime reputation
- Leasing a facility in a 100-year flood zone
- Deciding not to add a cyber security rider to your existing business insurance policy
- Continuing with a Wi-Fi Protected Access 2 (WPA2)-secured wireless local-area network (WLAN) rather than migrating to WPA3
Risk transference (risk sharing)
Passing off risk, or part of its financial impact, to a third party or shared party; accountability for the risk still remains with the organization
Risk transference examples:
- Purchasing an insurance policy or additional cyber insurance
- Leveraging a shared responsibility model (SRM) with a cloud service provider (IaaS)
- Leasing a warm/cold disaster recovery facility with another similar business that is several miles away, using a reciprocal agreement
Risk avoidance
involves deciding not to undertake actions or engage in activities that introduce or increase risk
**Being too risk-averse can lead to missing out on opportunities or advantages
Risk avoidance examples:
- Not processing and storing credit card information of customers on-premises
- Not using a cloud service provider for DevOps or managed data services
- Avoiding the use of any clear-text protocols, such as HTTP, Lightweight Directory Access Protocol (LDAP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), or telnet
- Not storing sensitive data in a personal cloud service, such as Dropbox or Google Drive
Risk mitigation (risk reduction)
involves the strategic and tactical use of an array of technical, administrative, and physical controls to reduce risk to an acceptable level; what remains afterwards is the residual risk