Chapter 2 Risk Management Flashcards

1
Q

Key Points 1

A

Security’s primary objective is to manage risks by balancing the cost of protection measures to the benefit of those measures.

2
Q

Key Points 2

A
There are six steps in the risk assessment process:
Identify and value assets
Identify threats
Determine the vulnerabilities
Impact of a loss event
Analysis and prioritization
Mitigation baseline approach
3
Q

Key Points 3

A

Assets fall into three categories: 1) tangible, 2) intangible, and 3) mixed

4
Q

Key Points 4

A

Assets can be valued using two methods: 1) relative value, and 2) cost-of-loss formula

5
Q

Key Points 5

A

Threats can be characterized as: 1) natural, 2) intentional, and 3) inadvertent

6
Q

Key Points 6

A

The difference between a vulnerability and a threat is one of control: an organization can exercise some level of control over its vulnerabilities, whereas threats are typically outside the organization's control.

7
Q

Key Points 7

A

Impact is usually measured in financial terms.

8
Q

Key Points 8

A

Analyzing risk can be achieved in two basic steps: 1) calculation of impact, and 2) prioritization of the identified risks.

9
Q

Key Points 9

A

When choosing mitigation measures, it is important to consider the potential adverse effect each strategy may have on the operations of the organization.

10
Q

Key Points 10

A

One approach to determining risk results uses a basic Risk Formula: (Threat × Vulnerability × Impact)^(1/3) = Risk

11
Q

Key Points 11

A

Determining mitigation measures can be done using four steps: 1) select, 2) test, 3) implement, and 4) train

12
Q

Key Points 12

A

The difference between qualitative and quantitative assessments:
Qualitative Assessment - uses a general range or description such as high, medium and low to describe asset value and risk element calculations. Typically used for low-value assets or operations.
Quantitative Assessment - uses specific numerical values and scientific formulas to describe asset value and risk element calculations. Typically used for high-value assets or operations.

13
Q

Key Points 13

A

Five methods of addressing risk: 1) risk avoidance, 2) risk spreading, 3) risk transfer, 4) risk reduction, and 5) risk assumption (acceptance); any combination of these methods may be used.

14
Q

Key Points 14

A

A security survey is a thorough examination of a facility, its operations, systems, and procedures. It is conducted to assess the current level of security, determine any vulnerabilities, and assess the level of protection needed to address those vulnerabilities.

15
Q

Key Points 15

A

A cost-benefit analysis typically consists of three factors: 1) cost, 2) reliability, and 3) delay

16
Q

Key Points 16

A

Three survey approaches: 1) outside-in approach, 2) inside-out approach, and 3) functional (Security Discipline) approach

17
Q

Key Points 17

A

A SWOT Analysis focuses on Strengths, Weaknesses, Opportunities, and Threats.

18
Q

Key Points 18

A
Criteria of a Security Survey Report:
Accuracy
Clarity
Conciseness
Timeliness
Awareness of slant or pitch
19
Q

Key Points 19

A

Automated assessment tools can be of assistance when you are processing, analyzing, comparing, and storing large amounts of data. Automated tools are not good at assessing the intangible factors in the assessment process.

20
Q

Risk Management

A

A business discipline that consists of three major functions: 1) loss prevention, 2) loss control, and 3) loss indemnification.

21
Q

Risk

A

The likelihood of a resulting loss from a threat, security incident, or event.

22
Q

Indirect Cost Examples

A
Equipment rentals
Leased facilities
Counseling/benefits
Loss of market share
Public relations
Increased insurance premiums
Alternative suppliers and vendors
Temporary workers and administrative support
Additional security (officers, equipment, etc.)
23
Q

Tangible Assets

A

Assets that can be seen and felt.

24
Q

Intangible Assets

A

Assets that are not seen or felt, such as reputation, good will, etc.

25
Mixed Assets
Assets with both qualities, such as humans, clientele, etc.
26
Relative Value
Based on priority (usually expressed as a number, 1 = Low and 5 = High)
27
Cost-of-Loss Formula
A basic cost-of-loss formula is:
Cp + Ct + Cr + Ci - I = K
Cp = Permanent replacement cost
Ct = Temporary replacement cost
Cr = Related costs (removal, operational impact, installation, etc.)
Ci = Lost income cost
I = Insurance or indemnity coverage
K = Total cost of loss
28
Security Risk Rating
Asset Value Rating × Threat Likelihood Rating × Severity (Impact) Rating × Vulnerability Rating
29
Vulnerability
A weakness or organizational practice that may allow a threat to be realized or increases the magnitude of a loss event.
30
Threat Characterizations
Natural
Intentional (man-made)
Inadvertent (accidents, errors and omissions)
31
Questions to ask on Inadvertent Threat
Is security aware of the vulnerability?
Is there a potential for a loss event?
32
Impact
The severity of the situation when an incident occurs. Impact is usually measured in financial terms. In addition to impact, many risk management models will assess the likelihood or probability that a loss event will occur.
33
Likelihood of Occurrence and Asset Risk Exposure Factors
Historical events
Physical environment
Political environment
Social environment
Procedures and processes
Criminal capabilities
34
Risk analysis
The process of identifying potential areas of loss (at a specific time and place) and implementing countermeasures to mitigate the potential for the loss. Analyzing risk can be achieved in two basic steps: Calculation of impact and prioritization of the identified risks.
35
Risk Formula
(Threat × Vulnerability × Impact)^(1/3) = Risk
This formula uses multiplication, rather than addition, to determine the value. Each element is scaled from 0-100, so if any one of threat, vulnerability, or impact is zero the resulting risk is zero. Taking the cube root of the product returns the result to the same 0-100 scale as its inputs.
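The cost-of-loss formula (card 27), the cube-root risk formula (card 35), and the two-step analysis of "calculate impact, then prioritize" (card 34) carried through in code. This is an added example, not part of the original flashcards: the asset figures are constructed for illustration, and mapping the monetary loss K onto the 0-100 impact scale by linear scaling against the largest loss in the assessment is an assumption of this example (the cards only state that each element is scaled 0-100). The `security_risk_rating` function shows the separate 1-5 rating product of card 28 for contrast.

```python
"""Worked risk-analysis calculation: cost-of-loss, the cube-root risk formula,
and prioritization. Added example; the asset data below is constructed."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    cp: float             # Cp: permanent replacement cost
    ct: float             # Ct: temporary replacement cost
    cr: float             # Cr: related costs (removal, operational impact, installation)
    ci: float             # Ci: lost income cost
    i: float              # I:  insurance or indemnity coverage
    threat: float         # threat likelihood, already scaled 0-100
    vulnerability: float  # vulnerability, already scaled 0-100


def cost_of_loss(a: Asset) -> float:
    """K = Cp + Ct + Cr + Ci - I, the cost-of-loss formula from the cards."""
    return a.cp + a.ct + a.cr + a.ci - a.i


def scale_impact(k: float, max_k: float) -> float:
    """Map a monetary loss K onto the 0-100 impact scale the risk formula expects.
    Linear scaling against the largest loss in the assessment is this example's
    assumption; insurance can drive K to zero or below, which clamps to 0."""
    if max_k <= 0:
        return 0.0
    return max(0.0, min(100.0, 100.0 * k / max_k))


def risk_score(threat: float, vulnerability: float, impact: float) -> float:
    """Risk = (Threat x Vulnerability x Impact)^(1/3), each element 0-100.
    Because the elements are multiplied, any zero element zeroes the risk;
    the cube root keeps the result on the same 0-100 scale as the inputs."""
    for v in (threat, vulnerability, impact):
        if not 0 <= v <= 100:
            raise ValueError("risk elements must be scaled 0-100")
    return (threat * vulnerability * impact) ** (1.0 / 3.0)


def security_risk_rating(asset_value: int, threat_likelihood: int,
                         severity: int, vulnerability: int) -> int:
    """Card 28's rating product, each rating on the 1 (low) to 5 (high) relative
    scale. Unlike the cube-root formula it is not rescaled (range 1-625) and can
    never be zero, since the lowest relative value is 1."""
    for r in (asset_value, threat_likelihood, severity, vulnerability):
        if r not in range(1, 6):
            raise ValueError("ratings must be integers 1-5")
    return asset_value * threat_likelihood * severity * vulnerability


def prioritise(assets):
    """Step 1: calculate impact per asset; step 2: rank by risk, highest first.
    Returns (name, K, impact, risk) tuples."""
    losses = {a.name: cost_of_loss(a) for a in assets}
    max_k = max(losses.values(), default=0.0)
    rows = []
    for a in assets:
        impact = scale_impact(losses[a.name], max_k)
        rows.append((a.name, losses[a.name], impact,
                     risk_score(a.threat, a.vulnerability, impact)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample assets; figures are illustrative only.
SAMPLE_ASSETS = [
    Asset("data centre", cp=500_000, ct=80_000, cr=40_000, ci=200_000, i=420_000,
          threat=40, vulnerability=60),
    Asset("loading dock", cp=50_000, ct=5_000, cr=5_000, ci=20_000, i=30_000,
          threat=80, vulnerability=90),
    # Fully indemnified: K = 0, so impact and therefore risk are zero despite
    # a high threat and vulnerability. This is the zero-element behaviour.
    Asset("archive room", cp=120_000, ct=0, cr=10_000, ci=0, i=130_000,
          threat=70, vulnerability=50),
]

if __name__ == "__main__":
    for name, k, impact, risk in prioritise(SAMPLE_ASSETS):
        print(f"{name:<14} K={k:>10,.0f}  impact={impact:6.1f}  risk={risk:6.1f}")
    print("rating example:", security_risk_rating(5, 4, 5, 3))
```

Running the block ranks the data centre (K = 400,000, impact 100, risk about 62) above the loading dock (K = 50,000, impact 12.5, risk about 45), while the fully insured archive room scores zero risk even though its threat and vulnerability are high. That last row is the formula's documented behaviour, not a bug, but it is the reason a practitioner checks each element's scaling before trusting the ranking.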
36
Mitigation measures
Determining which protective measures to implement in the effort to mitigate risk can be a difficult task. Budgetary constraints and available resources must be considered, but it is more important to consider the potential adverse effect each strategy may have on the operations of the organization. The choice should also be balanced against sound strategies and operational requirements, and should take into account the psychological impact the measures may have on people.
37
Four Steps for Determining Protective Measures
Select - options and alternatives (capabilities, cost, urgency, convenience, aesthetics, etc.)
Test - environmental conditions, integration with other systems, whether the solution works, etc.
Implement - disruption, costs, notifications, policy and procedure changes, time required to implement
Train - staff and maintenance personnel
38
Qualitative Assessments
Uses a general range or description such as high, medium, and low to describe asset value and risk element calculations. This is typically used for low-value assets or operations and to describe basic security applications. It offers a quicker process and is less expensive to perform than a quantitative assessment.
39
Quantitative Assessments
Uses specific numerical values and scientific formulas to describe asset value and risk element calculations. This is typically used for high-value assets or operations, and to describe PPS values such as detect, delay, and response.
40
Five Methods To Address Risk
1. Risk Avoidance (elimination of the risk source)
2. Risk Assumption or Acceptance (the organization is liable for the loss)
3. Risk Reduction (taking action to reduce the loss)
4. Risk Transfer (insurance)
5. Risk Spreading (multiple-site or asset distribution)
41
Security Survey
A thorough, onsite examination of a facility, its operations, systems, and procedures to assess the current level of security, identify any deficiencies, and determine the level of security needed to protect assets.
42
Security Survey Purpose
- Determine the existing level or posture of security
- Identify any vulnerabilities or deficiencies in current security measures
- Compare the current level of security with the appropriate level of protection needed
- Make recommendations to improve security and address any vulnerabilities
43
Survey Vulnerabilities
- Ease of access to the site or area
- Inadequate existing security measures
- Lack of redundant security measures or critical function back-ups
- Single points of failure (example: a lock is the only protection measure)
- Storage of hazardous materials
- Collateral damage risk (example: site is adjacent to train tracks that transport dangerous chemicals)
- Lack of an effective response and recovery capability
44
Cost Benefit Analysis Factors
Cost - acquisition, operational, and replacement costs
Reliability - demonstration of the technology and benchmarking with others who have already implemented the solution
Delay - costs associated with delay and the time it takes to make the solution fully operational
45
Survey Approaches
Outside-In Approach
Inside-Out Approach
Functional (Security Discipline) Approach
46
Outside-In Approach
The assessor begins the survey from outside the perimeter and moves inward towards the assets. This approach considers security measures from an attacker's point of view and is considered a "free rein" approach.
47
Inside-Out Approach
The assessor begins at the asset and works their way outward towards the unprotected or public area. This approach is from a “defender” point of view.
48
Functional (Security Discipline) Approach
This is where the assessor addresses each security function individually. The survey should include environmental factors, neighboring operations, and policies and procedures as part of the analysis. It assesses the security functions in the following order:
Security Architecture and Engineering
Structural Security Measures
Crime Prevention Through Environmental Design (CPTED)
Electronic Security Systems
Security Officers and the Human Element
49
SWOT analysis
A SWOT Analysis is a tool that can support the security survey process that focuses on the Strengths, Weaknesses, Opportunities, and Threats. It is a situational business process that can be adapted to security, which focuses on internal and external factors.
50
Survey System Tests
Testing shipping and receiving controls
Testing intrusion detection alarms and the response to the alarms
Testing computer lab/data room security measures during working and non-working hours
Testing access controls by trying to gain unauthorized access during working and non-working hours