Ch8: Using Risk Management Tools Flashcards
Threat
a potential danger
Threat assessment
evaluates potential threats
Environmental threats
include natural threats such as weather events
Manmade threats
any potential dangers from people and can be either malicious or accidental
Internal threats
typically refer to employees within an organization
External threats
any source outside an organization
Handling risk…
It is not possible to eliminate risk, but you can take steps to manage it
An organization can avoid risk by
not providing a service or not participating in a risky activity
Insurance
transfers the risk to another entity
You can mitigate risk by
implementing controls. When the cost of implementing the controls exceeds the cost of the risk, an organization accepts the remaining (residual) risk
Quantitative risk assessment
uses specific monetary amounts to identify cost and asset values
SLE
Single loss expectancy identifies the amount of each loss
ARO
Annual rate of occurrence identifies the number of failures in a year
ALE
Annual loss expectancy identifies the expected annual loss
ALE equation
ALE = SLE x ARO
Qualitative risk assessment
uses judgment to categorize risks based on likelihood of occurrence and impact
Risk register
a comprehensive document listing known information about risks. Typically includes risk scores along with recommended security controls to reduce the risk scores
Supply chain assessment
evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product
Password crackers
attempt to discover passwords and can identify weak passwords or poorly protected passwords