5.3 Explain risk management processes and concepts. Flashcards
Threat
Anything that can harm your resources or could potentially result in a security violation.
Vulnerability
Anything that can harm your resources or could potentially result in a security violation.
Exploit
The act of taking advantage of an identified vulnerability.
Threat Vector
A path or a tool that a Threat Actor uses to attack the target.
Internal Threat
The biggest threat, because they already know your network.
Asset Value (AV)
An asset is defined as any item that has positive economic value.
Exposure Factor (EF)
The portion of an asset's value that is likely to be damaged or destroyed by a threat.
Single Loss Expectancy (SLE)
AV x EF = SLE
Asset Value x Exposure Factor = Single Loss Expectancy
Represents how much you could expect to lose should a single event occur.
Annualized Rate of Occurrence (ARO)
How often an event is expected to occur in a single year.
Often drawn from historical data.
Annualized Loss Expectancy (ALE)
The monetary measure of how much loss a business could expect in a year.
SLE x ARO = ALE
Single Loss Expectancy x Annualized Rate of Occurrence = Annualized Loss Expectancy
Suppose that an asset is valued at $100,000 with 25% exposure to a threat.
A threat event is expected to occur twice a year.
100,000 x .25 = 25,000 (SLE)
25,000 x 2 = 50,000 (ALE)
Likelihood of Occurrence
Refers to the probability that a threat event will happen.
Quantitative Analysis
Refers to the clearest measure (you have receipts).
Qualitative Analysis
What you feel it's worth.
Acceptance
Accepting the threat without any mitigation.
Often the choice that you must make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition.
Avoidance
Involves identifying the risk and making the decision to no longer engage in the actions associated with that risk.
Mitigation
Accomplished any time you take steps to reduce risk.
Transference
Involves bringing in a third party to share the risk.
INSURANCE is transference.
Change Management
A methodology for making modifications to a system and keeping track of those changes.
(Documentation of changes)
You’re the administrator of a web server that generates $25,000 per hour in revenue. The probability of the web server failing during the year is estimated to be 25 percent. A failure would lead to three hours of downtime and cost $5,000 in components to correct. What is the ALE?
25,000 x 3 = 75,000 (lost revenue for three hours of downtime)
75,000 + 5,000 = 80,000 (SLE)
80,000 x .25 = 20,000 (ALE)
$20,000
Regarding qualitative versus quantitative measures, which of the following statements is true?
A. Quantitative measures evaluate risk based on a subjective assessment
B. Qualitative measures are less precise
C. Qualitative measures are easier to measure for ROI/RROI
D. Quantitative measures are always better than qualitative measures
B. Qualitative measures are less precise
Sara, the Chief Security Officer (CSO), has had four security breaches during the past two years. Each breach has cost the company $3,000. A third-party vendor has offered to repair the security hole in the system for $25,000. The breached system is scheduled to be replaced in five years. Which of the following should Sara do to address the risk?
A. Accept the risk saving $10,000.
B. Ignore the risk saving $5,000.
C. Mitigate the risk saving $10,000.
D. Transfer the risk saving $5,000.
D. Transfer the risk saving $5,000.