Chapter 13 Risk Strategies Flashcards

1
Q

What type of risk assessment would use likelihood and impact to produce a numerical risk rating?

A. Qualitative Assessment
B. Gap Assessment
C. Quantitative risk assessment
D. Impact assessment

A

A. Qualitative Assessment

2
Q

What type of risk assessment would use metrics including asset value, monetary loss during an event and a value that could be expected to be lost during the course of a year?

A. Qualitative assessment
B. Gap assessment
C. Quantitative Risk Assessment
D. Impact Assessment

A

C. Quantitative Risk Assessment

3
Q

What is the metric that is used to calculate the loss during a single event?

A. Efficiency factor (EF)
B. ALE
C. SLE
D. ARO

A

C. SLE

4
Q

If my database is worth $100,000 and a competitor steals 10% of the records during a breach of the network, and this happens twice a year, what is the SLE?

A. $100,000
B. $1,000
C. $20,000
D. $10,000

A

D. $10,000

5
Q

If my database is worth $100,000 and a competitor steals 10% of the records during a breach of the network, and this happens twice a year, what is the ALE?

A. $200,000
B. $1,000
C. $20,000
D. $10,000

A

C. $20,000

6
Q

A company currently loses $20,000 each year due to IP breaches. A managed security service provider (MSSP) guarantees to provide 100% protection for the database over a 5-year contract at an annual cost of $15,000 per annum. What is the ROI in $?

A. $75,000
B. $25,000
C. $125,000
D. $2,500

A

B. $25,000

7
Q

If my risk management team needs to understand where the business may be lacking security controls, what should they perform?

A. Qualitative assessment
B. Gap assessment
C. Quantitative risk assessment
D. Impact assessment

A

B. Gap assessment

8
Q

What type of risk response would purchasing cyber liability insurance be classed as?

A. Transfer
B. Accept
C. Avoid
D. Mitigate

A

A. Transfer

9
Q

What would be considered both a deterrent and useful security practice to ensure employees’ job performance can be audited when they are not present?

A. Job rotation
B. Mandatory vacation
C. Least privilege
D. Auditing

A

B. Mandatory vacation

10
Q

What is the term for risk that is present within an industry, prior to any controls?

A. Remaining
B. Residual
C. Inherent
D. Acceptance

A

C. Inherent

11
Q

What is the metric that an organization can use to measure the amount of time that was taken to restore services?

A. MTTR
B. MTBF
C. ALE
D. ARO

A

A. MTTR

11
Q

What is the term for risk that remains within an industry, after the deployment of security controls?

A. Remaining
B. Residual
C. Inherent
D. Acceptance

A

B. Residual

12
Q

What is the metric that an organization can use to measure the reliability of a service?

A. MTTR
B. MTBF
C. ALE
D. ARO

A

B. MTBF

13
Q

What type of risk response may be considered by a financial start-up company with a high risk appetite if the potential rewards are significant and the risk is minimal?

A. Transfer
B. Accept
C. Avoid
D. Reject

A

B. Accept

14
Q

What is a good practice when assigning privileges to users to reduce the risk of over-privileged accounts?

A. SoD
B. Job rotation
C. Mandatory vacation
D. Least privilege

A

D. Least privilege

15
Q

What is an organizational policy that would make it less likely that a user will insert a USB storage device that they received at an exposition?

A. Training and awareness
B. Auditing
C. DLP Controls
D. AUP

A

A. Training and awareness

16
Q

What will an enterprise use to track activities that may lead to enterprise risk?

A. Key risk indicators
B. Risk appetite
C. Risk tolerance
D. Trade off analysis

A

A. Key risk indicators

17
Q

What is the term that is used to describe the situation where a vendor has proprietary technology that makes it difficult for a customer to switch vendor?

A. Vendor risk
B. Vendor lock in
C. Third party liability
D. Vendor management plan

A

B. Vendor lock in

18
Q

If a customer is concerned that a third-party developer may go bust during an engagement, what can they use to ensure they will have access to the source code?

A. Change management
B. Staff turnover
C. Peer code review
D. Source code escrow

A

D. Source code escrow

19
Q

What is the metric that an organization should use to calculate the total loss during a year?

A. MTTR
B. MTBF
C. ALE
D. ATO

A