Chapter 2 Risk Management Flashcards

1
Q

Key Points 1

A

Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures.

2
Q

Key Points 2

A
There are six steps in the risk assessment process:
Identify and value assets
Identify threats
Determine the vulnerabilities
Impact of a loss event
Analysis and prioritization
Mitigation baseline approach
3
Q

Key Points 3

A

Assets fall into three categories: 1) tangible, 2) intangible, and 3) mixed.

4
Q

Key Points 4

A

Assets can be valued using two methods: 1) relative value, and 2) cost-of-loss formula

5
Q

Key Points 5

A

Threats can be characterized as: 1) natural, 2) intentional, and 3) inadvertent.

6
Q

Key Points 6

A

The difference between a vulnerability and a threat is that a vulnerability allows some level of control. Threats are typically outside of the control of the organization.

7
Q

Key Points 7

A

Impact is usually measured in financial terms.

8
Q

Key Points 8

A

Analyzing risk can be achieved in two basic steps: 1) calculation of impact, and 2) prioritization of the identified risks.

9
Q

Key Points 9

A

When choosing mitigation measures, it is important to consider the potential adverse effect each strategy may have on the operations of the organization.

10
Q

Key Points 10

A

One approach to determining risk results uses a basic Risk Formula: (Threat × Vulnerability × Impact)^(1/3) = Risk

11
Q

Key Points 11

A

Determining mitigation measures can be done using four steps: 1) select, 2) test, 3) implement, and 4) train.

12
Q

Key Points 12

A

The difference between qualitative and quantitative assessments:
Qualitative Assessment - uses a general range or description such as high, medium and low to describe asset value and risk element calculations. Typically used for low-value assets or operations.
Quantitative Assessment - uses specific numerical values and scientific formulas to describe asset value and risk element calculations. Typically used for high-value assets or operations.

13
Q

Key Points 13

A

Five methods of addressing risk: 1) risk avoidance, 2) risk spreading, 3) risk transfer, 4) risk reduction, or 5) a combination of any or all of these methods.

14
Q

Key Points 14

A

A security survey is a thorough examination of a facility, its operations, systems, and procedures. It is conducted to assess the current level of security, determine any vulnerabilities, and assess the level of protection needed to address those vulnerabilities.

15
Q

Key Points 15

A

A cost-benefit analysis typically consists of three factors: 1) cost, 2) reliability, and 3) delay

16
Q

Key Points 16

A

Three survey approaches: 1) outside-in approach, 2) inside-out approach, and 3) functional (Security Discipline) approach

17
Q

Key Points 17

A

A SWOT Analysis focuses on Strengths, Weaknesses, Opportunities, and Threats.

18
Q

Key Points 18

A
Criteria of a Security Survey Report:
Accuracy
Clarity
Conciseness
Timeliness
Consideration of slant or pitch
19
Q

Key Points 19

A

Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automated tools are not good at assessing the intangible factors in the assessment process.

20
Q

Risk Management

A

A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification.

21
Q

Risk

A

The likelihood of a resulting loss from a threat, security incident, or event.

22
Q

Indirect Cost Examples

A
Equipment rentals
Leased facilities
Counseling/benefits
Loss of market share
Public relations
Increased insurance premiums
Alternative suppliers and vendors
Temporary workers and administrative support
Additional security (officers, equipment, etc.)
23
Q

Tangible Assets

A

Assets that can be seen and felt.

24
Q

Intangible Assets

A

Assets that are not seen or felt, such as reputation, goodwill, etc.

25
Q

Mixed Assets

A

Assets with both qualities, such as humans, clientele, etc.

26
Q

Relative Value

A

Based on priority (usually expressed as a number, 1 = Low and 5 = High).

27
Q

Cost-of-Loss Formula

A

A basic cost-of-loss formula is:

Cp + Ct + Cr + Ci - I = K

Cp = Permanent replacement cost
Ct = Temporary replacement cost 
Cr = Related costs (removal, operational impact, installation, etc.)
Ci = Lost income cost
I = Insurance or indemnity coverage
K = Total cost of Loss
28
Q

Security Risk Rating

A

Asset Value Rating × Threat Likelihood Rating × Severity (Impact) Rating × Vulnerability Rating

29
Q

Vulnerability

A

A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event.

30
Q

Threat Characterizations

A

Natural
Intentional (man-made)
Inadvertent (accidents, errors and omissions)

31
Q

Questions to ask on Inadvertent Threat

A

Is security aware of the vulnerability?

Is there a potential for a loss event?

32
Q

Impact

A

The severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.

33
Q

Likelihood of Occurrence and Asset Risk Exposure Factors

A
Historical events
Physical environment 
Political environment 
Social environment
Procedures and processes
Criminal capabilities
34
Q

Risk analysis

A

The process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.

35
Q

Risk Formula

A

(Threat × Vulnerability × Impact)^(1/3) = Risk
This formula uses multiplication, rather than addition, to determine the value. Each element is scaled from 0 to 100, so if any one of threat, vulnerability, or impact is zero, the resulting risk is zero.

36
Q

Mitigation measures

A

Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. It is important to consider budgetary constraints and available resources; however, it is more common to consider the potential adverse effect each strategy may have on the operations of the organization. It should also be balanced using sound strategies and operational requirements and should consider the psychological impact it may have on people.

37
Q

Four Steps for Determining Protective Measures

A

Select - options and alternatives (capabilities, cost, urgency, convenience, aesthetics, etc.)
Test - environmental conditions, integration with other systems, does the solution work, etc.
Implement - disruption, costs, notifications, policy and procedure changes, time required to implement
Train - staff and maintenance personnel

38
Q

Qualitative Assessments

A

Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.

39
Q

Quantitative Assessments

A

Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS values such as detect, delay, and response.

40
Q

Five Methods To Address Risk

A
  1. Risk Avoidance (elimination of the risk source)
  2. Risk Assumption or Acceptance (organization is liable for the loss)
  3. Risk Reduction (taking action to reduce the loss)
  4. Risk Transfer (insurance)
  5. Risk Spreading (multiple-site or asset distribution)
41
Q

Security Survey

A

A thorough, onsite examination of a facility, its operations, systems, and procedures to assess the current level of security, identify any deficiencies, and determine the level of security needed to protect assets.

42
Q

Security Survey Purpose

A
  • Determine the existing level or posture of security
  • Identify any vulnerabilities or deficiencies in current security measures
  • Compare the current level of security with the appropriate level of protection needed
  • Make recommendations to improve security and address any vulnerabilities
43
Q

Survey Vulnerabilities

A
  • Ease of access to the site or area
  • Inadequate existing security measures
  • Lack of redundant security measures or critical function back-ups
  • Single points of failure (example: a lock is the only protection measure)
  • Storage of hazardous materials
  • Collateral damage risk (example: site is adjacent to train tracks that transport dangerous chemicals)
  • Lack of an effective response and recovery
44
Q

Cost Benefit Analysis Factors

A

Cost - acquisition, operational, and replacement costs
Reliability - demonstration of technology and benchmarking with others who have already implemented the solution
Delay - costs associated with delay and time it takes to make it fully operational

45
Q

Survey Approaches

A

Outside-In Approach
Inside-Out Approach
Functional (Security Discipline) Approach

46
Q

Outside-In Approach

A

The assessor begins the survey from outside the perimeter and moves inward towards the assets. This approach considers security measures from an attacker’s point of view and is considered a “free rein” approach.

47
Q

Inside-Out Approach

A

The assessor begins at the asset and works their way outward towards the unprotected or public area. This approach is from a “defender” point of view.

48
Q

Functional (Security Discipline) Approach

A

This is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It assesses the security functions in the following order:

Security Architecture and Engineering
Structural Security Measures
Crime Prevention Through Environmental Design (CPTED)
Electronic Security Systems
Security Officers and the Human Element
49
Q

SWOT analysis

A

A SWOT Analysis is a tool that can support the security survey process; it focuses on Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process that can be adapted to security and that considers both internal and external factors.

50
Q

Survey Systems Tests

A

Testing shipping and receiving controls.
Testing intrusion detection alarms and the response to the alarms.
Testing computer lab/data room security measures during working and non-working hours.
Testing access controls by trying to gain unauthorized access during working and non-working hours.