Domain 1: Security and Risk Management; Risk Analysis

Question 1

Why is Risk Analysis a critical skill?

Answer 1

Our risk decisions will dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions will result in wasted money, or even worse, compromised data.

Question 2

What are assets?

Answer 2

Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth. The value and criticality of the asset will dictate what safeguards you deploy. People are your most valuable asset.

Question 3

What is a threat?

Answer 3

A threat is a potentially harmful occurence. A threat is a negative action that may harm a system.

Question 4

What is a vulnerability?

Answer 4

A vulnerability is a weakness that allows a threat to cause harm. Examples: Buildings that are not built to withstand earthquakes, a data center without proper backup power, Microsoft XP systems that haven’t been patched for years.

Question 5

What is an attack vector?

Answer 5

A condition that makes a system vulnerable.

Question 6

How do you calculate risk?

Answer 6

Risk = Threat x vulnerability.

Question 7

What is impact?

Answer 7

Impact is the severity of the damage, sometimes expressed in dollars. Risk = Threat x Vulnerability x Cost. A synonym for impact is consequences.

Question 8

On a scale of 1 to 5, what is the impact value of loss of human life?

Answer 8

Loss of human life has near-infinite impact on the exam. Any risk involving loss of human life is extremely high and must be mitigated.

Question 9

True or false? When assigning a number to threats and vulnerabilities, the range is arbitrary. Keep it consistent when comparing different risk.

Answer 9

True.

Question 10

What is the Risk Analysis Matrix?

Answer 10

The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have. The resulting scores are low, medium, high, and extremely high.

Question 11

What is the goal of the Risk Analysis Matrix?

Answer 11

To identify high likelihood/high consequence risks and drive them down to low likelihood/low consequence risks.

Question 12

How are risks handled?

Answer 12

Low risks are handled via normal process; moderate risk require management notification; high risks require senior management notification, and extreme risks require immediate action including a detailed mitigation plan (and senior management notification).

Question 13

What is ALE?

Answer 13

Annualized Loss Expectancy. Allows you to determine the annual cost of a loss due to a risk. ALE allows you to make informed decisions to mitigate risk.

Question 14

What is AV?

Answer 14

Asset Value. The value of the asset you’re trying to protect.

Question 15

What is the true Asset Value of a laptop with PII?

Answer 15

The cost of the laptop plus the cost to the company from the theft of unencrypted PII.

Question 16

What is the cost to the company for theft of unencrypted PII?

Answer 16

Regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc.

Question 17

What are tangible assets? Is it easy to calculate their value?

Answer 17

Examples of tangible assets are buildings and computers. They are easy to calculate.

Question 18

What are intangible assets? Is it easy to calculate their value?

Answer 18

An example would be brand loyalty. It’s challenging to calculate the value.

Question 19

What are the three methods of calculating the value of intangible assets according to Deloitte?

Answer 19

Market approach.
Income approach.
Cost approach.

Question 20

What is Market Approach?

Answer 20

This approach assumes that fair value of an asset reflects the price which comparable assets have been purchased in transactions under similar circumstances.

Question 21

What is Income Approach?

Answer 21

This approach is based on the premise that the value of an asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.

Question 22

What is Cost Approach?

Answer 22

This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.

Question 23

What is EF (Exposure Factor)?

Answer 23

The Exposure Factor is the percentage of value an asset lost due to an incident.

Question 24

What is SLE (Single Loss Expectancy)?

Answer 24

Single Loss Expectancy is the cost of a single loss. SLE is calculated by AV x EF.

Question 25

What is ARO (Annual Rate of Occurence)?

Answer 25

Annual Rate of Occurence is the number of losses you suffer per year.

Question 26

What is ALE (Annualized Loss Expectancy)?

Answer 26

Annualized Loss Expectancy is your yearly cost due to a risk. It is calculated by multiplying the SLE with ARO.

Question 27

What is TCO (Total Cost of Ownership)?

Answer 27

The total cost of a mitigating safeguard. TCO combines upfront costs plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses.

Question 28

What is ROI (Return on Investment)?

Answer 28

The amount of money saved by implementing a safeguard. If your TCO is less than your ALE, then you have a positive ROI. If your TCO is greater than your ALE, then you have a negative ROI, which is a result or poor choices.

Question 29

Why are metrics important?

Answer 29

Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks, and demonstrate the effectiveness (and potential cost savings) of existing controls. They also help champion the cause of information security.

Question 30

What are the four risk choices after an assessment has been made?

Answer 30

Accept the risk.
Mitigate or eliminate the risk.
Transfer the risk.
Avoid the risk.

Question 31

When does it make sense to accept a risk?

Answer 31

When it’s cheaper to leave an asset unprotected due to a specific risk, rather than make the effor (and spend the money) required to protect it. All options must be considered before accepting a risk.

Question 32

When is accepting a risk not an option?

Answer 32

High and extremely high risks cannot be accepted. Data protected by laws or regulations or risk to human life or safety are cases where accepting the risk is not an option.

Question 33

What is mitigating risk?

Answer 33

Mitigating risk is lowering risk to an acceptable level. Also called risk reduction.

Question 34

What is reduction analysis?

Answer 34

The process of lowering risk.

Question 35

What is eliminating risk?

Answer 35

Removing the risk entirely.

Question 36

What is transfer the risk?

Answer 36

Using a third party to accept the risk.

Question 37

What is risk avoidance?

Answer 37

After a risk assessment is made, if the ALE is higher than the ROI, then it’s best to avoid the risk and not implement what was proposed. Exceptions to this is if there are legal or regulatory reasons that dictates this decision.

Question 38

What is the difference between Quantitative and Qualitative Risk Analysis?

Answer 38

Quantitative uses hard metrics such as dollars. Qualitative uses simple approximate values. Quantitative is more objective. Qualitative is more subjective.

Question 39

What is Hybrid Risk Analysis?

Answer 39

Combines quantitative and qualitative analysis. Quantitative for risks that are easily calculated in hard numbers, and qualitative for the remainder.

Question 40

What is an example of Quantitative Risk Analysis?

Answer 40

Calculating the ALE.

Question 41

What is an example of Qualitative Risk Analysis?

Answer 41

The Risk Analysis Matrix.

Question 42

Why is Quantitative Risk Analysis more difficult to calculate?

Answer 42

It requires you to calculate the asset value of everything vulnerable to the risk. Damage to a data center due to an earthquake requires knowing the cost of the building, servers, network equipment, computer racks, monitors, etc. Then you have to calculate the Exposure Factor, and so on. To qualitatively analyze a risk, you would research and risk and agree to a number value (1-5) of the likelihood and consequence and use the Risk Analysis Matrix to determine the risk value.

Question 43

The NIST (United States National Institute of Standards and Technology) published the Risk Management Guide for Information Technology Systems. The guide describes what 9-step Risk Analysis process?

Answer 43

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommmendations
9. Results Documentation

Question 44

According to the Risk Management Guide for Information Technology Systems, what is System Characterization?

Answer 44

System characterization describes the scope of the risk management effort and the systems that will be analyzed.

Question 45

According to the Risk Management Guide for Information Technology Systems, what is Control Analysis?

Answer 45

Analyzes the security controls (safeguards) that are in place or planned to mitigate the risk.

Question 46

According to the Risk Management Guide for Information Technology Systems, what is Control Recommendations?

Answer 46

Risk mitigation strategy.

Question 47

According to the Risk Management Guide for Information Technology Systems, what is Results Documentation.

Answer 47

The risk mitigation strategy is documented in this step.