Chapter 5.3 Flashcards

1
Q

risk register

A

is a document showing the results of a risk assessment in a comprehensible format. Risk registers are commonly depicted as scatterplot graphs, where impact and likelihood represent each axis, and the plot point is associated with a legend

2
Q

risk assessment

A

evaluates the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

3
Q

Risk management

A

involves mitigation (or remediation) and the overall process of reducing exposure to the effects of risk factors. Risk management can involve change management processes.

4
Q

Risk transference

A

(or sharing) means assigning risk to a third party (such as an insurance company). Contracting a third party to handle business processes such as quality assurance is also a form of transference.

5
Q

SLE

A

Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF).

6
Q

ALE

A

Annual Loss Expectancy (ALE) is the amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).

7
Q

ARO

A

Annual Rate of Occurrence (ARO) represents the frequency of failures for an entity and is used to gain the Annual Loss Expectancy (ALE).

8
Q

MTTF

A

Mean time to failure (MTTF) is the average time a device or component is expected to be in healthy operation.

9
Q

environment

A

is caused by a failure in the surroundings. This includes power or telecoms failure, pollution, or accidental damage.

10
Q

manmade

A

is an intentional or unintentional incident caused by a person. This includes terrorism, war, errors, and even social media issues. An automobile striking a pole is an unintentional incident.

11
Q

natural

A

Severe storms and heavy rains that cause flooding are considered to be elements of a natural disaster. Earthquakes and tornadoes are also examples of natural disasters.

12
Q

change management

A

is a process that should be carefully planned, with consideration for how dependent components are impacted.

13
Q

COOP

A

Continuity of Operations (COOP) is a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. Fault tolerance through redundancy of critical hardware and systems is such a process.

14
Q

Elasticity

A

Elasticity refers to a system's ability to handle changes in demand in real time.

15
Q

Legal and commercial

A

events include downloading or distributing obscene material, defamatory comments published on social networking sites, or hijacked mail or web servers used for spam or phishing attacks.

16
Q

proactive

A

When a change is requested, it is best to use a formal process. With a proactive approach, a change management process is initiated internally to an organization. Change is usually for improvements.

17
Q

reactive

A

When a change is reactive, it is driven by external forces. In this case, the device had not yet been released to market. Had consumers discovered and reported the vulnerability, it would have been a reactive process.

18
Q

avoidance

A

Avoidance is the act of stopping a risk-bearing activity and is not related to change management. For example, removing a faulty product from the market is a strategy employed to avoid risk.

19
Q

transference

A

Transference is the act of sharing or moving the risk to another party and is not related to change management. Insurance policies and utilizing third parties for services are examples of transference of risk.

20
Q

risk

A

is the likelihood and impact (or consequence) of a threat actor exercising a vulnerability.

21
Q

threat

A

A threat is the potential for an entity to exercise a vulnerability (that is, to breach security). Likelihood is the probability of a threat being realized, which is a variable used in a risk assessment.

22
Q

recovery

A

Recovery is not an action that is assessed with likelihood although it is certainly a topic for discussion during lessons learned. Recovery relates to bringing systems back online.

23
Q

controls

A

Controls are assessed in a security assessment and are not related to likelihood. Controls are put in place to prevent a security-related incident.

24
Q

quantitative risk assessment

A

A quantitative risk assessment is used in assessing likelihood and risk. This method aims to assign concrete values to each risk factor and uses Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) metrics.

25
Q

qualitative risk assessment

A

A qualitative risk assessment is used in assessing likelihood and risk. The qualitative approach seeks out people’s opinions of significant risk factors.

26
Q

asset

A

An asset value is used to find the exposure factor. The problem with quantitative risk assessment is that the process of determining and assigning such a value is extremely complex and time-consuming, particularly if no historical data is present.

27
Q

MTD

A

Maximum Tolerable Downtime (MTD) is the longest period of time that a business function outage can last without causing irrecoverable business failure.

28
Q

likelihood

A

Likelihood is the probability of a threat being realized. If certain data is known to be valuable, threat likelihood may be very high.

29
Q

Impact

A

Impact is the severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset, or the cost of disruption if the asset is compromised.