Chapter 2 Flashcards

1
Q

Likelihood

A

Likelihood of occurrence is a weighted estimate of the probability that a threat materialises. For adversarial threats it weighs the source's intent, capability and targeting; for every threat it also weighs the chance that the event, once initiated, actually causes harm.

2
Q

Likelihood Assessment Process

A

Organisations follow a three-step process: assess the likelihood that a threat event is initiated (or, for non-adversarial threats, occurs); assess the likelihood that the event, once initiated, results in adverse impact; and combine the two assessments into an overall likelihood of occurrence.

3
Q

Threat-Vulnerability Pairing

A

Threat-vulnerability pairing identifies which specific threat events can exploit which specific vulnerabilities in a system and links each such pair, so that likelihood and impact can be assessed per pairing rather than for threats or weaknesses in isolation.

4
Q

Challenges in Threat-Vulnerability Pairing

A

Challenges include the sheer number of threats and vulnerabilities to consider, a lack of useful detail about either side of a pairing, several weaknesses exploitable by a single threat, and pairings for which no effective security control exists.

5
Q

Threat Shifting

A

Threat shifting occurs when adversaries respond to new or stronger security controls by changing their approach: attacking at a different time, targeting different assets, using other attack vectors or adopting new techniques. Adding a control therefore moves the threat rather than removing it, and the assessment has to be revisited.

6
Q

Uncertainty

A

Uncertainty is the unavoidable incompleteness of the information behind a risk assessment (about threats, vulnerabilities, likelihood and impact). Assessments should record their assumptions and the confidence placed in each conclusion rather than present estimates as certainties.

7
Q

Risk Assessment Methodology

A

A risk assessment methodology comprises a well-defined assessment process, a risk model, an assessment approach (quantitative, qualitative or semi-quantitative) and an analysis approach (threat-, asset/impact- or vulnerability-oriented).

8
Q

Timeframe in Risk Assessment

A

The timeframe of a risk assessment is set by the decisions it supports, such as the planning horizon for investment decisions or policy changes, and by how long its results remain valid; once that horizon passes, the assessment must be refreshed.

9
Q

Complexity in Risk Assessment

A

As the organisation, its systems or the threats it faces become more complex, the assessment methodology is tailored to the organisation's situation and to the specific risks under consideration; no single method fits every case.

10
Q

Development Stage in Risk Assessment

A

The stage of the system development life cycle at which the assessment is performed shapes what it looks at, so that risks are identified and treated at the right points during development rather than discovered after deployment.

11
Q

Risk Model

A

A risk model is the blueprint for understanding and measuring risk: it defines the risk factors to be assessed and the relationships among them.

12
Q

Risk Factors

A

Risk factors are the inputs a risk model uses to determine levels of risk. The main ones are threat, vulnerability, likelihood, impact and predisposing conditions; together they describe the risk landscape of a system and its potential consequences.

13
Q

Relationships in Risk Models

A

Risk models also define how the factors relate to one another, for example how likelihood and impact combine into a level of risk, so that the elements can be analysed consistently across assessments.

14
Q

Threat Event

A

A threat event is an event or situation that could cause adverse impact: it is the realisation of a threat, brought about by a threat source (for example an adversary exploiting a vulnerability, or a storm cutting power to a site).

15
Q

Threat Source

A

A threat source is anything with the potential to cause harm: an individual or group with intent, a situation or method, or a technical or environmental anomaly that could introduce harmful events into an organisation's environment.

16
Q

Types of Threat Sources

A

Threat sources fall into four types: hostile attacks (adversarial), human errors (accidental), resource and equipment failures (structural), and natural disasters (environmental). Each poses distinct challenges to an organisation's security posture, and only the adversarial type has intent, capability and targeting to assess.

17
Q

Threat Scenarios

A

A threat scenario is a set of discrete threat events, attributed to one or more threat sources and partially ordered in time, that together describe how a harmful outcome could come about. Building scenarios makes threat-vulnerability pairings concrete and exposes chains of events that single pairings miss.

18
Q

Predisposing Conditions

A

Predisposing conditions are characteristics of the organisation, such as its mission and business processes, its architecture and technology, or its operating environment, that increase or decrease the likelihood that a threat event, once initiated, results in adverse impact. They are assessed separately from vulnerabilities and can be pervasive across many systems.

19
Q

Quantitative Assessment

A

Quantitative assessments express risk as numbers (probabilities, frequencies, monetary loss), which supports cost-benefit analysis, but the apparent precision can mislead when the inputs are uncertain, and the meaning of the numbers usually has to be explained to decision makers.

20
Q

Qualitative Assessment

A

Qualitative assessments describe risks with words such as 'low', 'medium' or 'high', which makes them easy for decision makers to read and communicate, but they are less detailed, hard to compare across assessors and potentially subjective.

21
Q

Semi-Quantitative Assessment

A

Semi-quantitative assessments combine numbers and words, using bins, scales or representative values (for example 0-10 or 0-100) so that results can be ranked and compared, while still relying on expert judgement for the underlying scoring.
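The cards on the three-step likelihood process, threat-vulnerability pairing and its challenges, and the three assessment approaches are easier to hold together when run over a small catalogue. The Python below is an added worked example, not part of the original flashcards and not taken from any published standard: the 0-10 scale and its bins, the rounded-geometric-mean combination rule, the control-effectiveness factor, and the sample threat events and weaknesses are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed semi-quantitative scale (not from the page): each factor is scored
# 0-10; the bins give the qualitative label decision makers read.
SCALE = ((0, 1, "Very Low"), (2, 3, "Low"), (4, 6, "Moderate"),
         (7, 8, "High"), (9, 10, "Very High"))


def to_label(score: int) -> str:
    """Map a 0-10 score to its qualitative level."""
    for low, high, label in SCALE:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 0-10 scale")


def combine(a: int, b: int) -> int:
    """Combine two 0-10 scores (assumption: rounded geometric mean, so a very
    low score on either axis keeps the result low)."""
    return round(math.sqrt(a * b))


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    source: str      # adversarial, accidental, structural or environmental
    initiation: int  # step 1: likelihood the source initiates/causes the event
    impact: int      # adverse impact on the organisation if the event succeeds


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: int                  # how readily it is exploited once the event occurs
    control_effectiveness: float   # 0.0 = no effective control, 1.0 = fully mitigated
    exploited_by: Tuple[str, ...]  # names of threat events that can exploit it


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    vulnerabilities: Tuple[str, ...]
    likelihood_adverse_impact: int
    likelihood_overall: int
    impact: int
    risk_score: int
    risk_level: str


def pair_threats(threats, vulns) -> Dict[str, List[Vulnerability]]:
    """Threat-vulnerability pairing: link each threat event to the weaknesses it can exploit."""
    pairs: Dict[str, List[Vulnerability]] = {t.name: [] for t in threats}
    for v in vulns:
        for name in v.exploited_by:
            if name in pairs:
                pairs[name].append(v)
    return pairs


def likelihood_of_adverse_impact(vulns: List[Vulnerability]) -> int:
    """Step 2: several weaknesses for one threat means the attacker needs only
    one, so the worst residual severity (after controls) sets the score."""
    residual = [round(v.severity * (1.0 - v.control_effectiveness)) for v in vulns]
    return max(residual) if residual else 0


def assess(threats, vulns):
    """Three-step likelihood per pairing, then likelihood x impact -> risk. Also
    returns the gaps (threats with no weakness, weaknesses with no threat)."""
    pairs = pair_threats(threats, vulns)
    known = {t.name for t in threats}
    unpaired = [t.name for t in threats if not pairs[t.name]]
    orphans = [v.vuln_id for v in vulns if not any(n in known for n in v.exploited_by)]
    entries = []
    for t in threats:
        if not pairs[t.name]:
            continue
        l_impact = likelihood_of_adverse_impact(pairs[t.name])
        l_overall = combine(t.initiation, l_impact)  # step 3: overall likelihood
        risk = combine(l_overall, t.impact)
        entries.append(RiskEntry(t.name, tuple(v.vuln_id for v in pairs[t.name]),
                                 l_impact, l_overall, t.impact, risk, to_label(risk)))
    entries.sort(key=lambda e: e.risk_score, reverse=True)
    return entries, unpaired, orphans


# Constructed sample catalogue, for illustration only.
THREATS = [
    ThreatEvent("credential phishing", "adversarial", initiation=8, impact=7),
    ThreatEvent("storage bucket left public", "accidental", initiation=6, impact=9),
    ThreatEvent("datacentre flood", "environmental", initiation=1, impact=10),
    ThreatEvent("insider data theft", "adversarial", initiation=3, impact=8),
]
VULNS = [
    Vulnerability("V-1", 9, 0.0, ("credential phishing",)),         # no MFA on remote access
    Vulnerability("V-2", 6, 0.5, ("credential phishing",)),         # mail filtering catches about half
    Vulnerability("V-3", 7, 0.2, ("storage bucket left public",)),  # manual bucket-policy reviews only
    Vulnerability("V-4", 10, 0.9, ("datacentre flood",)),           # floodplain site, barriers installed
    Vulnerability("V-5", 5, 0.0, ("ransomware deployment",)),       # threat event missing from catalogue
]

if __name__ == "__main__":
    for e in assess(THREATS, VULNS)[0]:
        print(e.threat, e.likelihood_overall, e.impact, e.risk_score, e.risk_level)
```

Two things in the output matter more than the scores. The `unpaired` and `orphans` lists are the pairing challenges from card 4 made visible: a threat with no catalogued weakness and a weakness with no catalogued threat are both gaps in the catalogue, not findings to drop. And the semi-quantitative scale is what lets the flood (very low likelihood, very high impact) be ranked against phishing at all; a purely qualitative 'low'/'high' pair gives no ordering, while a purely quantitative figure would demand loss data the sample does not have. Replace the scale and the combination rule with the organisation's own risk model before using anything like this for real decisions.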

22
Q

Analysis Approaches

A

Three main analysis approaches, differing in their starting point: threat-oriented (start from threat sources and events, then find the vulnerabilities they exploit and the resulting impacts), asset/impact-oriented (start from critical assets and the consequences of losing them, then find the threats and weaknesses that could cause that loss), and vulnerability-oriented (start from known weaknesses or predisposing conditions and work out which threats could exploit them).

23
Q

Effects of Organisational Culture

A

Organisational culture influences which risk assessment methods are chosen and how they are applied, and can lead to different approaches within the same organisation; assessments should state their method so results from different units can be compared.

24
Q

Flow of Risk Information

A

Risk information flows between the tiers in both directions: results of information-system tier assessments feed decisions at the mission/business process and organisational tiers, while organisation-level risk framing (risk tolerance, priorities and constraints) flows down to guide the lower-tier assessments.

25
Q

Risk Assessment at Organisational Tier

A

At the organisational tier, risk assessments shape policies, identify organisation-wide vulnerabilities and predisposing conditions, and weigh the impact of adopting new technologies; they typically draw on input from many parts of the organisation.

26
Q

Risk Assessments at the Mission/Business Process Tier

A

At the mission/business process tier, risk assessments focus on protecting critical processes, deciding how much risk each process can tolerate, and selecting the security measures that protect them.

27
Q

Risk Assessments at the Information Systems Tier

A

At the information systems tier, risk assessments evaluate the security of individual systems throughout their development, deployment and operation.

28
Q

RMF Step 1 Categorisation

A

An initial risk assessment informs the categorisation of an information system: the potential impact of a loss of confidentiality, integrity or availability sets the category, and the assessment's view of threats and vulnerabilities justifies that impact level.

29
Q

RMF Step 2 Select

A

Risk assessment results inform the selection and tailoring of the baseline security controls for the system, including any supplemental or compensating controls the assessed risks justify.

30
Q

RMF Step 3 Implement

A

Risk assessment findings guide how the selected controls are implemented, for example choosing between alternative implementations or placements of a control according to the risks it has to address.

31
Q

RMF Step 4 Assess

A

Security control assessments determine whether controls are implemented correctly and operating as intended; the weaknesses and deficiencies they find are fed back into the risk assessment as vulnerabilities.

32
Q

RMF Step 5 Authorise

A

Based on the risk assessment, the authorising official decides whether the residual risk is acceptable and the system may operate as it is, whether additional security controls are required first, or whether authorisation is denied.

33
Q

RMF Step 6 Monitor

A

Organisations regularly update their risk assessments with data from continuous monitoring, which verifies that controls remain effective, tracks changes to systems and their environments, and checks ongoing compliance with laws, regulations and standards.