Domain 1: Risk Analysis Flashcards
- Valuable resources that need protection
- e.g. data, systems, people, buildings, property, etc.
Assets
- A potentially harmful occurrence or actor
- e.g. a hacker, an earthquake, a power outage, etc.
Threat
A weakness that can allow a threat to cause harm
Vulnerability
Formula to calculate risk:
Risk = Threat * Vulnerability
Variable that represents the severity of damage, sometimes expressed in dollars
Impact
What other variable is sometimes added to the risk equation?
Risk = Threat * Vulnerability * Impact
Uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have.
Risk Analysis Matrix
Calculation that allows you to determine the annual cost of a loss due to a risk.
Annualized loss expectancy (ALE)
The value of the assets you are trying to protect
Asset Value (AV)
Percentage (%) of value an asset loses due to an incident
Exposure Factor (EF)
- Calculated by AV * EF
- The cost of a single loss
Single-Loss Expectancy (SLE)
The number of losses suffered per year
Annual Rate of Occurrence (ARO)
- Calculated by SLE * ARO
- Yearly cost due to a risk
Annualized Loss Expectancy (ALE)
The overall cost associated with mitigation using a safeguard.
Total Cost of Ownership (TCO)
The amount of money saved by implementing a safeguard
Return on Investment (ROI)
If the annual Total Cost of Ownership (TCO) is less than your ALE
You have a positive ROI and have made a good choice with your safeguard implementation (more precisely, the TCO should be compared against the reduction in ALE the safeguard delivers, not the whole ALE)
If the annual Total Cost of Ownership (TCO) is higher than your ALE
You have made a poor choice as it relates to safeguard implementation
What three factors play a big part in determining the cybersecurity budget?
- Risk analysis
- Total Cost of Ownership (TCO)
- Return on Investment (ROI)
- Risk choice
- Sometimes it is cheaper to leave an asset unprotected than to make the effort and spend the money to protect it
- Risks assessed as low likelihood (or low impact) are candidates for this choice
Accept the Risk
- Risk choice
- Lowering a risk to an acceptable level
Mitigating Risk
- Risk choice
- Risk is moved to another entity, allowing them to handle the liability
- e.g. insurance companies, which are experts in handling risk
Transferring Risk
- Risk choice
- The process of choosing an alternate option that has less risk associated with it
- e.g. choosing to locate a business in Arizona instead of Florida to avoid hurricanes
Risk Avoidance
- Risk choice
- Denying that a risk exists (not an acceptable choice)
Risk Rejection
The lowering of risk
Risk Reduction
The risk management process
Risk Analysis
The amount of risk an organization would face if no safeguards were implemented
Total Risk
Formula for total risk
Total risk = Threats * Vulnerabilities * Asset value
(here * does not imply multiplication, but a combination function)
- Assigns real dollar figures to the loss of an asset
- e.g. calculating ALE
Quantitative Risk Analysis
- Assigns subjective and intangible values (e.g. low/medium/high) to the loss of an asset
- e.g. the risk analysis matrix
Qualitative Risk Analysis
Combines quantitative risk analysis for risks that can be expressed in numbers (e.g. money) with qualitative analysis for the remainder
Hybrid Risk Analysis
What are the 6 steps of the risk management framework (RMF)?
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
(NIST SP 800-37 Rev. 2 adds a seventh step, Prepare, before Categorize)
Cost/benefit calculation (analysis)
(ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard, ACS) = value of the safeguard to the company
- The risk that remains after safeguards, which management has chosen to accept rather than mitigate
- Total risk minus the Controls gap
Residual Risk
- The amount of risk that is reduced by implementing safeguards
- Total risk minus Residual risk
Controls Gap
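Worked example of the quantitative side of these cards (AV, EF, SLE, ARO, ALE, the TCO-vs-ALE screen, the cost/benefit formula, and residual risk / controls gap), added here as illustration; it is not part of the flashcard set. The dollar figures, asset names and safeguard names are constructed for the example, and a safeguard is modelled as lowering either the exposure factor or the annual rate of occurrence.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset, in quantitative terms."""
    name: str
    asset_value: float      # AV: value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident (0.25 == 25 %)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single-Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control priced by its annual cost (ACS / annual TCO) and the EF or ARO it leaves behind."""
    name: str
    annual_cost: float
    new_ef: Optional[float] = None   # EF after the safeguard; None means unchanged
    new_aro: Optional[float] = None  # ARO after the safeguard; None means unchanged

    def apply(self, risk: Risk) -> Risk:
        """The same risk with the post-safeguard EF/ARO; its ALE is the residual risk."""
        return Risk(
            risk.name,
            risk.asset_value,
            risk.exposure_factor if self.new_ef is None else self.new_ef,
            risk.aro if self.new_aro is None else self.new_aro,
        )


def controls_gap(risk: Risk, sg: Safeguard) -> float:
    """Risk removed by the safeguard = total risk (ALE before) - residual risk (ALE after)."""
    return risk.ale() - sg.apply(risk).ale()


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Cost/benefit: ALE before - ALE after - ACS. Positive means the safeguard pays for itself."""
    return controls_gap(risk, sg) - sg.annual_cost


def tco_within_ale(risk: Risk, sg: Safeguard) -> bool:
    """The flashcards' quick screen: is the annual TCO below the ALE it addresses?"""
    return sg.annual_cost < risk.ale()


def choose(risk: Risk, candidates: Sequence[Safeguard]) -> Tuple[str, Optional[Safeguard]]:
    """Pick the safeguard with the highest value; accept the risk if none has a positive value."""
    best = max(candidates, key=lambda s: safeguard_value(risk, s), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return "accept", None
    return "mitigate", best


# Constructed sample figures (hypothetical; not taken from the flashcards).
WEB_SERVER = Risk("customer web server breach", asset_value=200_000, exposure_factor=0.25, aro=2.0)
BACKUPS = Safeguard("offsite backups", annual_cost=15_000, new_ef=0.05)
WAF = Safeguard("web application firewall", annual_cost=30_000, new_aro=0.5)
DLP = Safeguard("enterprise DLP suite", annual_cost=120_000, new_ef=0.01)

OFFICE_FLOOD = Risk("office flood", asset_value=50_000, exposure_factor=0.5, aro=0.02)
BARRIERS = Safeguard("flood barriers", annual_cost=3_000, new_aro=0.0)

if __name__ == "__main__":
    for risk, options in ((WEB_SERVER, [BACKUPS, WAF, DLP]), (OFFICE_FLOOD, [BARRIERS])):
        print(f"{risk.name}: SLE=${risk.sle():,.0f} ALE=${risk.ale():,.0f}")
        for sg in options:
            print(f"  {sg.name:26s} residual=${sg.apply(risk).ale():,.0f} "
                  f"gap=${controls_gap(risk, sg):,.0f} value=${safeguard_value(risk, sg):,.0f} "
                  f"TCO<ALE={tco_within_ale(risk, sg)}")
        print("  decision:", choose(risk, options))
```

For the web server the ALE is $100,000; backups cost $15,000 and cut the ALE to $20,000, so their value is $65,000, while the DLP suite fails even the simple TCO-vs-ALE screen. The flood risk has an ALE of only $500, so the $3,000 barriers have negative value and the risk is accepted, which is the "low likelihood" case on the Accept the Risk card.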