Chapter 2

Question 1

Likelihood

Answer 1

Likelihood of occurrence quantifies the probability of a threat materializing, considering factors such as intent, capability, targeting, and its potential to cause harm.

Question 2

Likelihood Assessment Process

Answer 2

Organisations follow a three-step process, evaluating the likelihood of a threat event, the potential harm it could cause, and combing these assessments to gauge the overall likelihood of the threat’s impact.

Question 3

Threat-Vulnerability Pairing

Answer 3

Threat-vulnerability paring involves identifying and linking particular threats to vulnerabilities within a system.

Question 4

Challenges in Threat-Vulnerability Pairing

Answer 4

Challenges include dealing with numerous threats and vulnerabilities, a lack of useful detail, multiple weaknesses for a single threat, and cases where no effective security controls exist.

Question 5

Threat Shifting

Answer 5

Threat shifting occurs when attackers change their strategies after seeing that the organisation has implemented more security controls.

Question 6

Uncertainty

Answer 6

Dealing with unknowns in risk assessment.

Question 7

Risk Assessment Methodology

Answer 7

A risk assessment methodology comprises a well-defined process, risk model, assessment approach, and analysis approach.

Question 8

Timeframe in Risk Assessment

Answer 8

Risk assessments adapt to the timeframe available for planning investment decisions, and policy changes.

Question 9

Complexity in Risk Assessment

Answer 9

When things get complicated, we use different risk assessment methods that fit the organization’s unique situation and the specific risks we’re dealing with.

Question 10

Development Stage in Risk Assessment

Answer 10

The point at which a system is being created or developed affects how we look at risks, making sure we deal with them at the right times during the development process.

Question 11

Risk Model

Answer 11

Risk model are like blueprints that help us understand and measure risk. They define risk factors and relationships.

Question 12

Risk Factors

Answer 12

Risk factors include threats, vulnerabilities and impacts, shaping the risk landscape within a system and their potential consequences.

Question 13

Relationships in Risk Models

Answer 13

Risk models illustrate the intricate relationships between factors like likelihood and impact, providing insights into how these elements interact within a risk context.

Question 14

Threat Event

Answer 14

A threat event signifies the realisation of a threat.

Question 15

Threat Source

Answer 15

Threat sources can be individuals, situations, or technical anomalies that have the potential to introduce harmful elements into an organisations environment.

Question 16

Types of Threat Sources

Answer 16

Threat sources encompass hostile attacks, human errors, resource failures, and natural disasters, each posing distinct challenges to an organisations security posture.

Question 17

Threat Scenarios

Answer 17

Threat scenarios involve constructing narratives that explore how threats may manifest.

Question 18

Predisposing Conditions

Answer 18

Predisposing conditions are things in an organisation, like how it works, its technology, or the environment, that can make a security threat either more likely to happen or less severe if it does.

Question 19

Quantitative Assessment

Answer 19

Quantitative assessments use numbers to measure risks, providing precise details but requiring explanations at times.

Question 20

Qualitative Assessment

Answer 20

qualitative assessments describe risks with words like ‘low’, ‘medium’, or ‘high’, making it suitable for decision makers but less detailed and potentially subjective.

Question 21

Semi-Quantitative Assessment

Answer 21

Semi-Quantitative Assessment combine numbers and words, using categories or scales for better understanding but relying on expert judgement.

Question 22

Analysis Approaches

Answer 22

Three main ways: threat orientated, asset/impact orientated and vulnerability orientated.

Question 22

Effects of Organisational Culture

Answer 22

Organisational culture influences risk assessment methods and may lead to variations in approaches within the same organisation.

Question 23

Flow of Risk Information

Answer 23

Results from lower tier risk assessments inform higher tier decisions.

Question 23

Risk Assessment at Organisational Tier

Answer 23

At the organisational tier, risk assessments help shape policies, identify vulnerabilities and consider the impact of new technologies, often involving input from different parts of the organisation.

Question 24

Risk Assessments at the Mission/Business Process Tier

Answer 24

At the mission/business process tier, risk assessments focus on protecting critical processes and selecting security measures.

Question 25

Risk Assessments at the Information Systems Tier

Answer 25

At the information systems tier, risk assessments are conducted to evaluate the security of computer systems throughout their development, deployment and operations stages.

Question 26

RMF Step 1 Categorisation

Answer 26

Initial risk assessments guide the categorisation of information systems based on threats and vulnerabilities.

Question 27

RMF Step 2 Select

Answer 27

Selecting security controls for information systems.

Question 28

RMF Step 3 Implement

Answer 28

Organisations use risk assessment findings to find different ways to apply selected security controls.

Question 29

RMF Step 4 Assess

Answer 29

Security control assessments find vulnerabilities in systems.

Question 30

RMF Step 5 Authorise

Answer 30

Based on risk assessments, authorising officials decide whether to operate the systems as they are or add more security controls.

Question 31

RMF Step 6 Monitor

Answer 31

Organisations regularly update risk assessments with data from continuous monitoring. This data checks security controls, tracks systems changes, and ensures compliance with laws and standards.