Domain 1. Security and Risk Management Flashcards
1
Q
You attempt to access your online banking account and are redirected to another website. What is this and how to prevent it?
A
Pharming attack. Implement DNSSEC to prevent.
2
Q
After you repair the user’s computer and ensure that the problem is fixed, what you should do next?
A
Provide the user with a list of the company’s approved software prior to taking any other action.
3
Q
Best described as ignoring the cost of loss when replacement expenses are less than the cost to mitigate the problem.
For example: installing software that is known to have vulnerabilities.
A
Risk acceptance.
4
Q
Determining the cost-effectiveness of mitigating the potential harm or loss to a company.
A
Risk management.
5
Q
The process of evaluating threats to ascertain the amount of vulnerability they represent to a company.
A
Risk assessment.
6
Q
Quantifying the weakness of an asset owned by the company.
A
Vulnerability assessment.
7
Q
Involves storing and maintaining data and hardware in an offsite location so that the alternate assets can be used in the event that a disaster damages hardware and data at the primary facility.
A
Disaster recovery (DR).
8
Q
The process of securing weak points in a security implementation. And attempts to close all avenues a malicious user could exploit to gain unauthorized access to a network.
A
Network hardening.
9
Q
The process of simulating a malicious attack on a system to identify and exploit potential weaknesses in network security. And provides insight into the methods a malicious user might employ in an attempt to compromise a network.
A
Penetration testing.
10
Q
Must endorse a company’s security policy in order to promote company-wide acceptance.
Responsible for ensuring that all of company’s assets, both physical and logical, are protected.
A
Senior management.
11
Q
Indicates why a company should have employees acknowledge that they have read and understood the company’s security policy?
A
To ensure that the company is protected.
12
Q
Not accurate regarding security policy best practices?
A
Policies need to be changed every year.
13
Q
Policy reviews should include the following:
A
Need to be reviewed at least once per year.
Reviews should follow a formal process.
Should include an analysis of any security incidents that have occured.
14
Q
To determine the precise components of the policy that need to be rewritten to obtain the desired outcome. And a process by which an existing security policy is compared to a desired outcome.
A
Gap analysis.
15
Q
It’s a discretionary document. And provide helpful bits of advice to employees. Since they are discretionary, employees are not required to follow this, even though they probably should.
A
Guidelines.
16
Q
A comprehensive security program includes the following components:
A
Policies, Procedures, Standards, Baselines, and Guidelines.
17
Q
Provide a high-level overview of the company’s security posture, creating the basic framework upon which a company’s security program is based. Contains mandatory directives that employees must follow.
A
Policies.
18
Q
A well-formed policy should include the following four elements:
A
Purpose - the reason the policy exists.
Scope - the entities that are covered by the policy.
Responsibilities - the things that covered individuals must do to comply with the policy.
Compliance - how to measure the effectiveness of the policy and the consequences for violating the policy.
19
Q
Are low-level guides that explain how to accomplish a task. And are specific and providing as much as detail as possible. Step by Step. They are mandatory as well.
A
Procedures.
20
Q
Define the technical aspects of a security program, including any hardware and software that is required.
A
Standards.
21
Q
Provide a minimum level of security that a company’s employees and systems must meet.
A
Baselines.
22
Q
Which documents are mandatory and which are discretionary?
A
Policies, Procedures, and Standards = Mandatory.
Guidelines and Baselines = Discretionary.
23
Q
A guidelines you should not follow when creating a security policy?
A
Ensure that the policy is as comprehensive as possible.
Instead, you should keep the policy to two or three pages. The policy should be concise and as understandable as possible.
24
Q
Sometimes called the information owner or the business owner, is responsible for classifying data. Typically a manager who maintains responsibility for the security of a particular information asset. They also assigned sensitivity labels to each asset (sensitivity label ensures that the data is accessible only be users who posses the appropriate level of clearance).
A
Data owner.
25
Responsible for the hands-on protection of data.
Data custodian.
26
Responsible for protecting the data that they access on a daily basis.
End users.
27
Eliminates the use of a technology or a service altogether rather than deal with the risks that are incurred by implementing the technology or service. Should be performed whenever the costs of mitigating or accepting the risk are higher than the benefits gained by providing the service.
Risk avoidance.
28
Lowers the chance that a risk event occurs or lowers the damage that a risk event causes.
Risk mitigation.
29
Occurs when a company chooses to leave an asset unprotected rather than undergo the time and expense to protect the asset. Should be performed only when the risk or the consequences of exposure are low.
Risk acceptance.
30
What is AV, EF, ARO, SLE, and ALE
AV - the value of the asset that is at risk, including any data stored on the asset.
EF - is the percentage of value that is lost when a risk event occurs. For example: Failure only? 10% Theft? 100%.
ARO - the frequency at which a risk event occurs and is expressed as the number of losses that occur in one year. For example (1 failure divided by 5 years = 0.2 failures per year)
SLE - the cost of a loss, including the cost of materials, the technical service hours required, and loss productivity that is experienced because of the loss.
ALE - average yearly cost of a particular risk. For example ($1,200 "SLE" x 0.25 "ARO" = $300 ALE).
31
Tricking an individual into revealing authentication credentials or other PII to a potential attacker.
Social engineering.
32
Installing software that is known to have vulnerabilities is what example of risk responses.
Risk acceptance.
33
Is the practice of contracting with a third party in another country to perform a business function or service.
For example: a healthcare provider who offshores the storage of medical imaging files? ensure the foreign company will take proper steps to protect the data. If not, healthcare provider will be liable. U.S laws does not apply to companies located in other countries.
Offshoring.
34
Practice of contracting with a third party to perform business function or service. (this can be performed within the country). Subject to the U.S laws and regulations (U.S and foreign companies).
Outsourcing.
35
Allowing a business function or service to be performed by employees within the company rather than by a third party.
Insourcing.
36
Third-party contractors outsource work that was originally assigned to them.
Subcontracting.
37
A healthcare company is hiring you as an ISO. You will be tasked with securing the company's networks and workstations. Which individuals or departments would you be least likely to report?
The internal audit department. Why? they're tasked with evaluating how the company's employees are handling business processes, including IT security. Conflict of Interest.
38
Which of the following situations would be most likely to delete a user account?
termination of an employee who is starting a new job the next day.
Why? user accounts should be deleted only if the user is unlikely to return to the company and the user's account is not tied to data that cannot be easily accessed by another user account, such as encrypted information.
39
A connection attempt by a malicious program on the network and can propagate without user interaction is called?
Worm.
40
A stream of MAC addresses being sent to a switch on a network and attempt to overload the ARP (is a network protocol that maps IP addresses to MAC addresses) cache of a switch, which could induce the switch to act as a hub by broadcasting information out each port is called?
MAC flooding attack.
41
An attacker intercepting transmissions between two target hosts. And the flow of traffic between the target hosts is typically routed through a device that the attacker controls is known as?
Man-in-the-middle attack.
42
Is an intellectual property attack in which an entity registers an internet domain name that is a common misspelling of or is closely related to another entity's trademark.
Example: legitimate (example.com), typosquatter might register (exampel.com).
Typosquatting.
43
Is an intellectual property attack that focuses on infringement of a trademark. Occurs when an entity registers an internet domain name that infringes on a different entity's trademark.
For example: well-known company with a trademark for "ExampleBrand", a cybersquatter might purchase the domain 'examplebrand.com' before the company has a chance to register it. Then the squatter might sell that to the company for an inflated price, or might use the domain to create a website that capitalizes on the trademarked name's popularity for their own benefit.
Cybersquatting.
44
An industry standard that an entity in a particular industry should strive to meet or exceed.
Best practice.
45
Best described as business practices that a reasonable individual would consider appropriate.
It's a legal liability concept that defines the minimum level of information protection that an organization must achieve.
Prudent Man Rule or Due Care.
Tip: the Prudent Man Rule is often applied to the process of due care, which is a legal liability concept that defines the minimum level of information protection that a business must achieve.
46
An organization to continually review its practices to ensure that protection requirements are met.
Due diligence.
47
Occurs when an individual who was already planning to commit a crime is eventually lured into doing so at the urging of law enforcement.
Enticement.
48
Justification for the seizure of evidence without a warrant in order to protect the evidence from being destroyed.
Exigent circumstances.
49
Is an aggregated threat-modeling methodology that was developed by Microsoft.
STRIDE
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of Privilege
50
Is a risk-based threat modeling methodology that contains the following seven stages.
Process for Attack Simulation and Threat Analysis (PASTA).
Stage I: Definition of the Objectives (DO) for the Analysis of Risks.
Stage II: Definition of the Technical Scope (DTS).
Stage III: Application Decomposition and Analysis (ADA).
Stage IV: Threat Analysis (TA).
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM).
51
Is a risk-based threat-modeling methodology that allows security audits to be performed consistently, reliably, and repeatably. And an acceptable of risk is assigned to each class of asset; these risk levels are then used to determine the appropriate response to each threat.
Trike.
52
Is a classification methodology that is used to rank threats numerically. And is used to calculate a risk score based on the following five categories.
DREAD.
Damage: how much damage will be caused?
- 0 = no damage
- 10 = complete destruction
Reproducibility: How easy is it to reproduce?
- 0 = impossible
- 10 = easy and without authentication
Exploitability: What is needed to exploit the threat?
- 0 = advanced knowledge and tools
- 10 = a web browser
Affected Users: How many users will be affected?
- 0 = none
- 10 = all
Discoverability: How easy is it to discover the threat?
- 0 = nearly impossible and source code or administrator access is required
- 10 = visible in a web browser address bar or in a form
The sum of the five ratings is then divided by 5 to calculate a final risk score from 0 through 10. The higher the risk score, the greater the risk.
53
Maintains a variety of projects that provide assistance in detecting and addressing security vulnerabilities.
Open Web Application Security Project (OWASP).
54
OWASP 2017. Top 10.
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring
55
Occurs when a malicious user is able to inject code into the webpage of a legitimate company or user.
XSS.
56
Includes flaws in authentication and session management systems that enable attackers to compromise passwords, encryption keys, or session tokens.
Broken Authentication.
57
Enables an attacker to send information to a target system that could reveal sensitive information.
Injection.
Examples: SQL Injections, OS injections, LDAP injections.
58
Best described as a set of mandatory directives that employees must follow, providing the basic framework upon which a company's security program is based.
Security policy.
59
Should not be included in the security policy? And these should be included in a standards document.
The hardware and software that must be used.
60
What is Risk, Threat, Vulnerability, Impact, and exploit?
Risk - potential for loss or damage when a threat exploits a vulnerability.
Threat - anything that has the potential to cause harm by exploiting a vulnerability (something that could cause harm to the asset).
Vulnerability - weakness or gap in security that can be exploited by a threat to gain unauthorized access to an asset (the asset's weakness to a particular threat).
Impact - potential consequences or damage that could result from a threat exploiting a vulnerability (the cost realized by the company if the asset is lost).
Exploit - method or technique used to take advantage of a vulnerability in a system.
Risk = Threat x Vulnerability x Impact
61
What are the Seven categories of access controls?
Directive
Deterrent
Preventive
Compensating
Detective
Corrective
Recovery
62
Used to define appropriate use and behavior within an organization with regard to that organization's systems and services.
Directive access controls.
63
Used to dissuade (persuade someone not to take a particular course of action) potential attacks
Deterrent access controls.
64
Used to stop potential attacks by preventing users from performing specific actions of functions on a system.
Preventive access controls.
For example, installing a firewall that blocks access to specific network ports.
65
Are used to supplement directive access controls.
Compensating access controls.
Reviewing log files for violations of a company policy is a compensating access control, not a preventive access control.
66
Used to monitor or send alerts about malicious activity. And it can also record activity in low-light conditions.
Detective access controls.
Implementing an alarm system that detects breaking glass is a detective access control, not a preventive access control.
67
Used to repair damage caused by malicious events.
Corrective access controls.
68
Used to restore a system to a normal state after malicious activity has occurred.
Recovery access controls.
If a computer virus has corrupted some important data files on the Accounting department's server and you are unable to locate any antivirus software that will repair the damage.
69
What are the access control types?
Physical - is implemented by using a person, animal, or object.
Technical - implemented by using technology instead of a physical entity.
Administrative - implemented by using policies, procedures, and the assignment of roles within an organization instead of a physical entity or technical control.
70
Is an access control threat that involves modifying source data in an internet protocol (IP) packet. Also known as masquerading, enables an attacker to compromise a network by pretending to be a trusted source.
Spoofing.
71
Are an access control vulnerability that involves the theft of information by capturing and analyzing the electromagnetic leakage of electronic devices.
Emanations.
72
Involves gleaning valuable information from printed documents. It's a physical information-gathering technique whereby an attacker sifts through an organization's garbage to find valuable information that might have been thrown away.
Dumpster diving.
73
Involves the collection and analysis of large amounts of data to find patterns.
Data mining.
74
Is a threat in which fragments of deleted data can be recovered from a storage device.
Data remanence.
75
Is a threat that typically involves the collection of information that an application or process has shared in memory or cached to disk.
Object reuse.
Also, authentication credentials that are not properly erased from memory can be used to authenticate an unauthorized user or another application or process.
76
Requirements for an analyst who is performing a vulnerability assessment?
- Examination of existing access controls on the systems to be analyzed.
- A knowledge of potential threats to the systems to be analyzed.
- An understanding of the systems to be analyzed.
77
Occurs when an assessment identifies a business requirement as a vulnerability. And If a potential vulnerability in a system conflicts with the business purpose of that system.
False positive.
78
Account for all personnel after an evacuation.
Meeting point leader.
79
Responsible for ensuring that everyone safely evacuates the building.
Safety warden.
80
A reason to NOT implement rotation of duties (job rotation)?
It can be expensive to implement. Because of the number of employees that must be hired and trained to perform the duties.
rotation of duties (job rotation) is an access control principle that does not allow one user to perform the same function for more than one consecutive interval of time.
81
The contracts typically state that the employee will not disclose confidential information that is revealed to the employee as a result of his or her duties.
NDA.
82
Is the intellectual property concept that is most associated with marketing. And is typically protect branding, such as a slogan, a logo, or another means of creating a distinction between a product that is produced by one company and a similar product that is produced by a competitor.
Trademark.
83
Is an intellectual property concepts that protects the holder's exclusive right to use, create, or sell an invention.
Parent.
84
Is an intellectual property concept that protects art, music, literature, or source code created by an individual or an organization.
Copyright.
85
Is an intellectual property concept that enables a copyright owner to grant a specific uses of copyrighted material to others.
License.
86
Is most likely to be subject to legal export restrictions in the U.S?
Source code for a new cryptographic application.
Because cryptography can be used to prevent government law enforcement agencies from intercepting communications, the U.S and other countries have imposed export restrictions on specific type of strong cryptography.
87
Is an information sharing agreement that requires a user to act in order to prevent an entity from sharing that user's information?
Opt-out agreement.
88
Is NOT an information sharing agreement that requires a user to act in order to prevent an entity from sharing that user's information.
Instead, it's an information sharing agreement that prevents an entity from sharing a user's information by default.
Requires the organization to obtain user's permission to share that user's PII with third parties.
Opt-in agreement.
89
Is a form of software license. For example, software licenses typically specify what users are and are not allowed to with software once the software has been licensed to the user.
End-user license agreement (EULA).
90
Was created by the U.S Dept of Commerce and EU Commission to enable companies in the U.S to process personal information of individuals in EU member nations.
EU-US. Privacy Shield Framework.
91
Ensures the protection of information for individuals in EU member nations. The EU requires that all organizations must adhere to this ____ whether or not they are based in the EU.
General data protection regulation (GDPR).
92
GDPR contains the following provisions:
1. Companies must inform authorities of major data breaches within 72 hours
2. Each EU member nation must create a centralized data protection authority.
3. Individuals must have access to their own data.
4. Information regarding an individual must be transferrable to another service provider at the individual's request.
5. Individuals retain the "right to be forgotten" and have their information deleted if it is no longer required.
6. Organizations located outside the EU must adhere to the GDPR if they collect information about EU residents.
93
Was created in 1980 to provide a framework for how information traverses international borders.
Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
Principles:
1. Collection Limitation Principle
2. Data Quality Principle
3. Purpose Specification Principle
4. Use Limitation Principle
5. Security Safeguards Principle
6. Opennes Principle
7. Individual Participation Principle
8. Accountability Principle
94
Was created in December of 1974 to govern the way federal agencies use and distribute the personal information of U.S citizens. And it states that federal agencies cannot disseminate personal information without the permission of the individual.
U.S Privacy Act of 1974.
95
Was created in 2000 by the Parliament of Canada to govern how private organizations can collect, use, and disclose personal information. Does not apply to government agencies and not-for-profit organizations.
The Personal Information Protection and Electronic Documents Act (PIPEDA).
Principles:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
96
Also known as Title 18, was created in 1984 to aid the deterring and the prosecution of computer crimes that resulted in attacks on government systems, infrastructure, financial systems, or systems that engage in international or interstate commerce.
The U.S Computer Fraud and Abuse Act.
97
Designed to protect electronic communications, such as internet traffic, from illegal wiretapping techniques.
The U.S Electronic Communications Privacy Act (ECPA).
98
Is a counter-terrorism act that expanded the ability of U.S law enforcement to use electronic monitoring techniques with less judicial oversight. In addition, the ability of law enforcement to wiretap was expanded and required less oversight.
The USA Patriot Act of 2001
99
What are Host site, Warm site, Cold site, and Mobile site?
Hot sites (a location that can take over for a failed site) - fully configured. Contain all of the equipment and services required by the company. Company can transition to a hot site within minutes or hours.
Warm sites (providing some level of infrastructure to aid disaster recovery) - more expensive than cold sites. Typically contain equipment and data circuits but no data. Can be brought online faster than a cold site can, typically within one to three days.
Cold sites - takes the longest amount of time. Provides an alternate data center location but contains no technology; all of the hardware and software must be purchased after the disaster occurs. Typically require several days or weeks.
Mobile sites - typically trailers or temporary buildings that can be deployed to other locations.
100
Facts about mutual assistance agreement (MAA).
- also known as a backup-site agreement or reciprocal agreement, is a legal arrangement between two organizations in which the parties agree to aid one another by providing space and network resources in the event that a disaster renders one of the parties incapable of functioning at its own location.
- Cost effective than other alternate site solutions.
- Should require that the organizations be in close proximity to each other in order to reduce downtime for the disaster-affected company.
101
Prevent an employee from violating a noncompete agreement (NCA)?
Time and Cost of a court battle.
Why? court battles are cost and time consuming. Therefore, it might be in an employee's best interests to abide by an NCA rather than take the matter to the legal system.
102
The total of owning an asset for a period of time, including the cost of the asset as well as the cost of mitigating any risks to the asset. Also risk mitigation costs might include vendor support contracts, software purchases, and IT employee salaries.
Total Cost of Ownership (TCO).
For example, the TCO for 100 laptops over a two-year period might be calculated as shown below:
Laptops: $240,000
Extended warranty service: $57,000
Operating system (OS) upgrade: $22,000
Antivirus software: $8,000
IT employee salaries: $120,000
TCO: $447,000 ($4,470 per laptop)
103
Is the process of assigning a user's rights and permissions to a system?
Authorization.
104
Is the process of providing proof that an authorized user's identification is accurate. For example, an attacker masquerades as an authorized user to gain access to data.
Authentication.
105
Your company's password policy instructs employees to use strong passwords. However, you have discovered that many employees are still using weak passwords. What will you do NEXT?
Review the password policy with each user who has a weak password.
106
Describes how company resources can be used, not how passwords should be selected.
Acceptable use policy.
107
Is a technology that displays a name, number, or other identifier on the receiving end of a call. And enables the receiver to know the identity of a caller prior to accepting the call?
Caller ID.
108
Enables callers to trick receivers into answering calls from vishing and Spam over internet Telephony (SPIT) agents.
Caller ID spoofing attack.
109
An attacker attempts to inject packets into other VALNs by accessing the VLAN trunk and double-tagging 802.1Q frames.
VLAN hopping attack.
110
Is used to obtain sensitive information by sending SMS text messages or instant messages. The messages will typically direct users to visit fake websites or to call a phone number and enter their personal information, such as SSN or credit card information.
Smishing or Short Message Service (SMS) phishing.
111
The ISC2 Code of Ethics contains a preamble and the following four canons ranked in order of importance:
1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorable, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
112
Requires a security professional to abstain from spreading FUD. FUD is a term that is used to describe the dissemination of negative, false, and frightening information to influence consumers, politicians, or other individuals to act in a certain way. Spreading FUD would erode public trust and confidence.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
113
An attacker targets a specific group of users by infecting a website they are likely to visit. The website can be an existing site that the attacker infects, or it can be a website that the attacker creates. The attacker will then convince users to visit the infected site. The users are specifically targeted as part of a company, an organization, a religious group, or residents of a particular location.
Watering hole attack.
114
Legitimate applications that are installed on a device get replaced by malware that appears to be legitimate.
Agent Smith attack.
115
An attacker tricks users into clicking a transparent image that is placed over a legitimate link. Also called a user interface (UI) redress attack. And typically wrap a trusted page in an inline frame or iframe. Transparent elements are placed on top of clickable graphics or fields. When the user clicks on something that has a transparent element on top of it, the attacker will launch, potentially sending credentials to the attacker or redirecting the user to a malware-infected site.
Malvertising attack.
116
Load balancing between nodes. Is a storage solution in which client workloads are distributed among two identical nodes. This configuration ensures availability by providing data redundancy and reducing the likelihood that a single device will become overwhelmed. Also helps mitigate data loss if one of the devices in the cluster becomes unavailable.
active-active cluster.
117
Best describe as enabling transfer from local infrastructure to the cloud. It's more effective for organization that use a private cloud in combination with configuration management mechanisms like Puppet (is a tool for applying and managing system configurations). The combination of these tools can allow an organization to temporarily reprovision its private cloud applications and data to a third-party cloud provider's infrastructure.
Cloud-bursting or Cloud-hopping.
118
Is a set of core concepts that define the three goals of a security initiative.
The CIA Triad.
Confidentiality - protect confidential information from exposure to unauthorized people.
Integrity - protect systems and information against compromise by unauthorized modification.
Availability - protect systems against unplanned downtime as a result of security breaches.
119
Is a component of access control in which a user claims to be an authorized user of a particular system?
Identification.
120
Typically the most tangible type of evidence because it includes physical objects.
Real evidence.
121
Evidence that includes copies or oral descriptions of original documents.
Secondary evidence.
122
Evidence that can support a fact that was established by other evidence but cannot by itself establish that fact.
Corroborative evidence.
123
Typically includes descriptions and accounts of the facts of an event by eyewitnesses to the even in question.
Direct evidence.
124
is evidence that can indirectly establish a fact but cannot be used to directly establish that fact.
Circumstantial evidence.
125
Is the process of ensuring that each supplier in the chain is reliable, trustworthy, and reputable?
Supply chain risk management (SCRM).
126
Is a process in which an entity's security documentation is analyzed and evaluated for compliance with standards?
Documentation review.
127
What are Civil, Criminal, Administrative, Regulatory Investigations.
Civil investigations - attempt to resolve disputes between two parties, such as private individuals or corporate entities. Preponderance of evidence standard of proof.
Criminal investigations - typically conducted by law enforcement personnel and attempt to determine whether a criminal law has been violated. Beyond a reasonable doubt standard of proof.
Regulatory investigations - determine whether an administrative law or industry standard has been violated. For example, a third-party auditor investigating the adherence of a business to an industry standard is an example of a regulatory investigation.
Administrative investigations - are internal investigations that attempt to determine whether organizational policies or operational procedures have been violated.
128
Is a factor that is typically used in a risk matrix to rank threats?
Probability.
129
Typically uses a simple, three-value rating system to describe the probability and damage level for each threat. Common rating values are high/medium/low, 1/2/3, or green/yellow/red.
Risk matrix.
