Chapter 2 Flashcards
Likelihood
Likelihood of occurrence quantifies the probability of a threat materializing, considering factors such as intent, capability, targeting, and its potential to cause harm.
Likelihood Assessment Process
Organisations follow a three-step process: evaluating the likelihood of a threat event, evaluating the potential harm it could cause, and combining these assessments to gauge the overall likelihood of the threat's impact.
Threat-Vulnerability Pairing
Threat-vulnerability pairing involves identifying and linking particular threats to vulnerabilities within a system.
Challenges in Threat-Vulnerability Pairing
Challenges include dealing with numerous threats and vulnerabilities, a lack of useful detail, multiple weaknesses for a single threat, and cases where no effective security controls exist.
Threat Shifting
Threat shifting occurs when attackers change their strategies after seeing that the organisation has implemented more security controls.
Uncertainty
Dealing with unknowns in risk assessment.
Risk Assessment Methodology
A risk assessment methodology comprises a well-defined process, risk model, assessment approach, and analysis approach.
Timeframe in Risk Assessment
Risk assessments adapt to the timeframe available for planning, investment decisions, and policy changes.
Complexity in Risk Assessment
When things get complicated, we use different risk assessment methods that fit the organisation's unique situation and the specific risks we're dealing with.
Development Stage in Risk Assessment
The point at which a system is being created or developed affects how we look at risks, making sure we deal with them at the right times during the development process.
Risk Model
Risk models are like blueprints that help us understand and measure risk. They define risk factors and the relationships between them.
Risk Factors
Risk factors include threats, vulnerabilities and impacts; together they shape the risk landscape within a system and its potential consequences.
Relationships in Risk Models
Risk models illustrate the intricate relationships between factors like likelihood and impact, providing insights into how these elements interact within a risk context.
Threat Event
A threat event signifies the realisation of a threat.
Threat Source
Threat sources can be individuals, situations, or technical anomalies that have the potential to introduce harmful elements into an organisation's environment.
Types of Threat Sources
Threat sources encompass hostile attacks, human errors, resource failures, and natural disasters, each posing distinct challenges to an organisation's security posture.
Threat Scenarios
Threat scenarios involve constructing narratives that explore how threats may manifest.
Predisposing Conditions
Predisposing conditions are things in an organisation, like how it works, its technology, or the environment, that can make a security threat either more likely to happen or less severe if it does.
Quantitative Assessment
Quantitative assessments use numbers to measure risks, providing precise details but requiring explanations at times.
Qualitative Assessment
Qualitative assessments describe risks with words like 'low', 'medium', or 'high', making them suitable for decision makers but less detailed and potentially subjective.
Semi-Quantitative Assessment
Semi-quantitative assessments combine numbers and words, using categories or scales for better understanding but relying on expert judgement.
Analysis Approaches
Three main approaches: threat-orientated, asset/impact-orientated and vulnerability-orientated.
Effects of Organisational Culture
Organisational culture influences risk assessment methods and may lead to variations in approaches within the same organisation.
Flow of Risk Information
Results from lower-tier risk assessments inform higher-tier decisions.
Risk Assessment at Organisational Tier
At the organisational tier, risk assessments help shape policies, identify vulnerabilities and consider the impact of new technologies, often involving input from different parts of the organisation.
Risk Assessments at the Mission/Business Process Tier
At the mission/business process tier, risk assessments focus on protecting critical processes and selecting security measures.
Risk Assessments at the Information Systems Tier
At the information systems tier, risk assessments are conducted to evaluate the security of computer systems throughout their development, deployment and operations stages.
RMF Step 1 Categorisation
Initial risk assessments guide the categorisation of information systems based on threats and vulnerabilities.
RMF Step 2 Select
Selecting security controls for information systems.
RMF Step 3 Implement
Organisations use risk assessment findings to find different ways to apply selected security controls.
RMF Step 4 Assess
Security control assessments find vulnerabilities in systems.
RMF Step 5 Authorise
Based on risk assessments, authorising officials decide whether to operate the systems as they are or add more security controls.
RMF Step 6 Monitor
Organisations regularly update risk assessments with data from continuous monitoring. This data checks security controls, tracks system changes, and ensures compliance with laws and standards.