Chapter 2- Personnel Security and Risk Management Concepts Flashcards

1
Q

UBA

A

User Behavior Analytics
Analysis of the behavior of users (employees, customers, etc.) for a specific purpose, such as spotting activity that departs from a user's normal pattern

2
Q

UEBA

A

User and Entity Behavior Analytics
Analysis of the behavior of users and of entities (devices, networks, applications, etc.); deviations from the established baseline can be correlated with an intrusion, reconnaissance, an exploited vulnerability, etc.
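As an added illustration of the baseline-and-deviation idea behind UEBA (example code, not part of the original flashcards), the snippet below builds a per-user baseline from constructed sample events (normal hours, known source addresses, typical upload volume) and scores new events against it. The event records, thresholds, usernames and addresses are all invented for the example; a real deployment would derive them from its own telemetry.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real log data).
# Each tuple: (user, hour_of_day, source_ip, bytes_uploaded)
HISTORY = [
    ("alice", 9, "10.0.0.5", 2_000), ("alice", 10, "10.0.0.5", 2_500),
    ("alice", 11, "10.0.0.5", 1_800), ("alice", 14, "10.0.0.5", 2_200),
    ("alice", 16, "10.0.0.7", 2_100), ("alice", 9, "10.0.0.5", 1_900),
    ("bob", 8, "10.0.1.2", 50_000), ("bob", 9, "10.0.1.2", 55_000),
    ("bob", 13, "10.0.1.2", 48_000), ("bob", 17, "10.0.1.3", 52_000),
    ("bob", 10, "10.0.1.2", 51_000), ("bob", 15, "10.0.1.2", 49_000),
]

NEW_EVENTS = [
    ("alice", 10, "10.0.0.5", 2_300),       # normal for alice
    ("alice", 3, "203.0.113.9", 450_000),   # new source, 03:00, huge upload
    ("bob", 12, "10.0.1.2", 60_000),        # elevated volume alone: scores 1
    ("carol", 9, "10.0.2.1", 1_000),        # user with no baseline at all
]


def build_baselines(events):
    """Per-user profile: working-hour window, known source IPs, upload mean/stdev."""
    per_user = defaultdict(list)
    for user, hour, ip, nbytes in events:
        per_user[user].append((hour, ip, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for h, _, _ in rows]
        sizes = [b for _, _, b in rows]
        baselines[user] = {
            "hour_min": min(hours),
            "hour_max": max(hours),
            "ips": {ip for _, ip, _ in rows},
            "mean": mean(sizes),
            "std": pstdev(sizes),
        }
    return baselines


def score_event(event, baselines):
    """Return (score, reasons); each independent deviation adds one point."""
    user, hour, ip, nbytes = event
    base = baselines.get(user)
    if base is None:
        # An unknown principal is itself worth noting, but we cannot compare it to anything.
        return 1, ["no baseline for user"]
    reasons = []
    if ip not in base["ips"]:
        reasons.append(f"unseen source {ip}")
    if not base["hour_min"] <= hour <= base["hour_max"]:
        reasons.append(f"outside usual hours ({hour:02d}:00)")
    if base["std"] > 0:
        z = (nbytes - base["mean"]) / base["std"]
        if z > 3:
            reasons.append(f"upload volume z={z:.1f}")
    return len(reasons), reasons


def find_anomalies(new_events, history, threshold=2):
    """Events whose combined deviation score reaches the threshold."""
    baselines = build_baselines(history)
    hits = []
    for ev in new_events:
        score, reasons = score_event(ev, baselines)
        if score >= threshold:
            hits.append((ev[0], score, reasons))
    return hits


if __name__ == "__main__":
    for user, score, reasons in find_anomalies(NEW_EVENTS, HISTORY):
        print(f"{user}: score {score} -> {'; '.join(reasons)}")
```

Requiring two independent deviations before alerting is the point of the "entity" correlation: a single unusual upload (bob) or an unknown user (carol) is noise on its own, while alice's event combines a new source, an off-hours login and an outlier upload volume.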

3
Q

VMS

A

Vendor Management System
Software solution that assists with managing and procuring staffing services, hardware, software, and other needed products or services. From a security perspective, it can also help keep vendor communications and contracts confidential.

4
Q

Risk Management

A

Process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Primary goal is to reduce risk to acceptable level.

5
Q

Risk Analysis/Assessment

A

Examination of an environment for risks, the likelihood of each occurring, the severity of the damage it would cause, and the cost of the various countermeasures. Results in a prioritized (sorted) list of risks.

6
Q

Risk Response

A

Evaluating countermeasures, safeguards, and security controls using cost/benefit analysis and presenting the response options in a report to senior management. If approved, the chosen responses are implemented in the IT infrastructure and added to policy.

7
Q

Risk Awareness

A

Effort to increase knowledge of the risks within an organization. Includes understanding the value of assets, inventorying the threats that could harm those assets, and knowing the responses implemented to address those risks.

8
Q

Asset

A

Any person, place, or thing (tangible or not) that is used in a business process or task

9
Q

Asset Valuation

A

Evaluating or appraising each asset based on multiple factors (cost, criticality, etc.). This ensures that only cost-effective safeguards are deployed (e.g. it makes no sense to spend $100,000 protecting something worth only $1,000).

10
Q

Threats

A

Any potential occurrence that may cause an undesirable or unwanted outcome for the organization or a specific asset

11
Q

Exposure

A

Being susceptible to asset loss because of a threat; the possibility that a vulnerability can or will be exploited by a threat actor or event

12
Q

Risk

A

The possibility or likelihood that a threat will exploit a vulnerability to cause harm and the severity of damage that could result

13
Q

Risk Formulas

A

risk = threat * vulnerability
or
risk = probability of harm * severity of harm
(Conceptual formulas: if either factor is zero there is no risk. The quantitative method expresses the same idea in dollars via SLE and ALE.)

14
Q

Prudent Actions vs Reasonable Actions

A

Prudent actions are characterized by an above-average level of caution and diligence
Reasonable actions are aligned with common expectations and societal norms

15
Q

Quantitative vs Qualitative Risk Assessment

A

Quantitative assigns real dollar values to the loss of an asset and is based on mathematical calculation
Qualitative assigns subjective, intangible values (perspectives, feelings, preferences, etc.) and ranks risks relative to one another

16
Q

Delphi Technique

A

Anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest, uninfluenced responses from participants. Results are presented back to the participants and the process is repeated until consensus is reached.

17
Q

The six major elements of quantitative risk analysis

A

Assign Asset Value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy (SLE)
Assess the Annualized Rate of Occurrence (ARO)
Derive the Annualized Loss Expectancy (ALE)
Perform cost/benefit analysis of countermeasures

18
Q

Exposure Factor (EF)

A

Percentage of an asset's value that an organization would lose if a specific asset were violated by a realized risk
Aka loss potential

19
Q

Single Loss Expectancy (SLE)

A

Potential loss associated with a single realized threat against a specific asset, i.e. the amount of loss the organization would experience from one occurrence
Calculation:
SLE = asset value (AV) * exposure factor (EF)

20
Q

Annualized Rate of Occurrence (ARO)

A

Expected frequency with which a specific threat or risk will occur within a single year. Can be derived from historical data, statistical analysis, working with consultants, etc. (a value below 1 means the event is expected less than once a year)

21
Q

Annualized Loss Expectancy (ALE)

A

Possible yearly loss from all instances of a specific realized threat against a specific asset
Calculation:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
which is equivalent to ALE = asset value (AV) * exposure factor (EF) * ARO
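The six elements of quantitative risk analysis carried through end to end, as an added worked example (not from the original flashcards): AV, EF, SLE, ARO and ALE for one scenario, followed by the cost/benefit step. The cost/benefit figure used is the standard one, (ALE before the safeguard − ALE after the safeguard) − annual cost of the safeguard (ACS); the flashcards name the step but do not spell the formula out. The asset, dollar figures, safeguard names and their assumed effects on EF/ARO are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, in the flashcards' quantitative terms."""
    asset: str
    threat: str
    av: float    # Asset Value, in dollars
    ef: float    # Exposure Factor: fraction of AV lost per realized threat (0..1)
    aro: float   # Annualized Rate of Occurrence: expected events per year

    def __post_init__(self):
        # EF is a percentage of the asset, so anything outside 0..1 is a data-entry error.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must be a fraction in [0, 1], got {self.ef}")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        # SLE = AV * EF
        return self.av * self.ef

    def ale(self) -> float:
        # ALE = SLE * ARO  (equivalently AV * EF * ARO)
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure: what it costs per year and what it changes (assumed values)."""
    name: str
    acs: float                          # Annual Cost of the Safeguard
    ef_after: Optional[float] = None    # EF once the safeguard is in place, if it changes
    aro_after: Optional[float] = None   # ARO once the safeguard is in place, if it changes


def residual(scenario: RiskScenario, sg: Safeguard) -> RiskScenario:
    """The same scenario with the safeguard's effect on EF and/or ARO applied."""
    return replace(
        scenario,
        ef=scenario.ef if sg.ef_after is None else sg.ef_after,
        aro=scenario.aro if sg.aro_after is None else sg.aro_after,
    )


def safeguard_value(scenario: RiskScenario, sg: Safeguard) -> float:
    """Cost/benefit figure: (ALE before - ALE after) - ACS. Positive means it pays for itself."""
    return scenario.ale() - residual(scenario, sg).ale() - sg.acs


def rank_safeguards(scenario: RiskScenario, safeguards: List[Safeguard]) -> List[Tuple[str, float]]:
    """(name, value) pairs, best first; a negative value costs more than it saves."""
    scored = [(sg.name, safeguard_value(scenario, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures, not from the page: a $250k server, ransomware destroys 40% of its
# value per incident, expected once every two years.
WEB_SERVER = RiskScenario("customer web server", "ransomware", av=250_000, ef=0.40, aro=0.5)
CANDIDATES = [
    Safeguard("offline backups", acs=12_000, ef_after=0.10),     # shrinks the loss per event
    Safeguard("EDR on the server", acs=30_000, aro_after=0.2),   # cuts how often it happens
    Safeguard("dedicated appliance", acs=60_000, aro_after=0.1),
]

if __name__ == "__main__":
    print(f"SLE = ${WEB_SERVER.sle():,.0f}   ALE = ${WEB_SERVER.ale():,.0f}")
    for name, value in rank_safeguards(WEB_SERVER, CANDIDATES):
        verdict = "worth it" if value > 0 else "not justified"
        print(f"{name:22s} value = ${value:>10,.0f}  ({verdict})")
```

With these inputs SLE is $100,000 and ALE $50,000. The backups reduce EF and come out $25,500 ahead per year; the EDR option exactly breaks even; the appliance costs $20,000 more than the risk it removes, which is the "spend $100,000 to protect $1,000" mistake from the asset valuation card in miniature.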
