Domain 5:Explain elements of the risk management process

Question 1

Threat

Answer 1

A threat is someone or something that wants to inflict loss on a company by exploiting vulnerabilities. In the preceding example, it’s the person who takes the gold. In IT security, it could be a hacker that wants to steal a company’s data.

Question 2

Risk

Answer 2

The risk is the probability that an event will occur that results in financial loss or loss of service. In the preceding example, the probability that the trash or gold would be taken. In IT security, it is the probability your system could be hacked or data stolen.

Question 3

Vulnerability

Answer 3

This is a weakness that helps an attacker exploit a system. In the preceding example, it is the fact that outside your front door is not a secured area. In IT security, it could be a weakness in a software package or a misconfiguration of a firewall.

Question 4

Ad hoc risk assessment:

Answer 4

Ad hoc assessments are sporadic and arise in response to specific events or perceived threats. This type of assessment is tailored to focus on the immediate dangers and is characterized by its flexibility and swift implementation.

Question 5

Risk assesment

Answer 5

Risk assessment is a systematic and structured process where the organization identifies, analyzes, and evaluates risks associated with potential threats and vulnerabilities in order to make informed decisions and prioritize resource allocation effectively

Question 6

Recurring Assesments

Answer 6

Recurring assessments are routine and scheduled to occur at predetermined intervals. This approach ensures that the organization’s security posture is regularly monitored, evolving threats are detected, and changes in the environment or operations are addressed. Regularly scheduled assessments enable organizations to stay vigilant and maintain an updated understanding of their risk profile, fostering a proactive security culture.

Question 7

One-Time assessments

Answer 7

One-time assessments are conducted for specific scenarios or projects, often at the inception of a new venture, system implementation, or organizational change. This approach provides a detailed one-time view of the risks associated with a particular endeavor

Question 8

Continuous risk assessment

Answer 8

Continuous risk assessment goes above and beyond the periodic nature of recurring assessments, characterized by real-time monitoring and the analysis of risks. This dynamic approach integrates risk assessment seamlessly into the organization’s daily operations, allowing for instantaneous detection and response to threats as they arise. Continuous assessment is vital in today’s fast-paced and dynamic threat landscape as it empowers organizations to stay a step ahead of potential security breaches

Question 9

Risk analysis

Answer 9

Risk analysis is a pivotal process for identifying and managing potential risks that could impact an organization adversely.

Question 10

Qualitative Analysis

Answer 10

Qualitative risk analysis uses subjective judgment to categorize risks as high, medium, or low, focusing on the potential impact, such as the likelihood of occurrence

Question 11

Quantitative risk analysis,

Answer 11

Quantitative risk analysis, on the other hand, assigns numerical values to risks identified as high in qualitative analysis. It quantifies and creates a precise measurement of the probability and the impact of risks, helping to determine the potential cost and formulate data-driven mitigation strategies

Question 12

Single Loss Expectancy (SLE):

Answer 12

SLE represents the monetary value of the loss of a single item. Losing a laptop worth $1,000 while traveling, for instance, implies an SLE of $1,000.

Question 13

Annualized Rate of Occurrence (ARO)

Answer 13

ARO refers to the number of items lost annually. For example, if an IT team experiences the loss of six laptops in a year, the ARO is 6.

Question 14

Annualized Loss Expectancy (ALE):

Answer 14

This is calculated by taking the SLE and multiplying it by the ARO and represents the total expected loss per year, providing a foundation for insurance and risk management decisions.

Question 15

Probability

Answer 15

Probability is a fundamental concept in risk analysis that describes the chance of a specific event occurring. It is quantified as a number between 0 and 10; the closer the number is to 10, the higher the probability that the event will occur.

Question 16

Likelihood

Answer 16

: Likelihood is synonymous with probability in risk analysis, representing the possibility of a risk materializing. It is often expressed in qualitative terms, such as high, medium, or low, providing an intuitive grasp of the risk’s occurrence.

Question 17

Exposure Factor

Answer 17

): EF is a measure of the magnitude of loss or damage that can be expected if a risk event occurs. It is represented as a percentage, reflecting the portion of an asset’s value likely to be affected. By determining the EF, organizations can assess the extent of damage a specific risk can inflict to produce more accurate risk valuations.

Question 18

Impact

Answer 18

Impact is the consequence or the effect that a risk event has on an organization or a specific asset

Question 19

Effective impact

Answer 19

Impact x Probability x Exposure factor

Question 20

Risk register

Answer 20

A risk register is a crucial document in risk management processes that provides a detailed log of risks identified during a risk assessment

Question 21

Risk owners

Answer 21

A risk owner is an individual or team assigned the task of risk management.

Question 22

key risk indicator (KRI)

Answer 22

is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization’s risk appetite and have a profoundly negative impact on an organization’s ability to be successful.

Question 23

Risk threshold

Answer 23

The risk threshold represents the level of risk that an organization is willing to accept or tolerate

Question 24

Risk tolerance

Answer 24

Risk tolerance is the organization’s personalized threshold for embracing the unknown.

Question 25

Expansionary risk appetite

Answer 25

Organizations with an expansionary risk appetite typically embrace higher levels of risk in an effort to foster innovation and gain a competitive edge. These organizations often prioritize growth and expansion and seek higher returns and market shares over stringent security protocols, potentially exposing them to a spectrum of threats

Question 26

Conservative risk appetite

Answer 26

In contrast to those with expansionary appetites, organizations with a conservative risk appetite prioritize security and risk mitigation over aggressive growth strategies. They have a carefully planned security control approach to risk management and often reject opportunities that are deemed too risky.

Question 27

Neutral risk appetite:

Answer 27

Organizations with a neutral risk appetite strike a balance between expansionary and conservative approaches. They assess each opportunity on a case-by-case basis, accepting only risks that are manageable and align with their strategic objectives

Question 28

Risk transference

Answer 28

: In this approach, significant risks are allocated to a third party, often through insurance or outsourcing your IT systems. For example, companies recognizing the potential damages from a road traffic accident will purchase car insurance to transfer the financial risk to the insurer. Similarly, businesses are increasingly adopting cybersecurity insurance to cover potential financial losses, legal fees, and investigation costs stemming from

Question 29

Risk acceptance:

Answer 29

Risk acceptance is the acknowledgment of a specific risk and the deliberate decision not to act to mitigate against the risk as it is deemed too low.

Question 30

Risk avoidance

Answer 30

When the identified risk is too substantial, a decision may be made to abstain from the risky activity altogether. A practical example is an individual deciding not to jump from a considerable height without safety measures, due to the extreme risk involved.

Question 31

Risk Mitigation

Answer 31

Risk mitigation is a comprehensive strategy wherein identified risks are analyzed to determine their potential impacts, and suitable measures are employed to reduce the risk levels

Question 32

Risk Reporting

Answer 32

Risk reporting is the process of systematically gathering, analyzing, and presenting information about risks within an organization.

Question 33

Informed decision-making

Answer 33

Risk reports provide decision-makers with timely and relevant information about potential risks. Armed with this knowledge, they can make informed decisions that minimize negative impacts and maximize opportunities.

Question 34

Stakeholder confidence

Answer 34

Effective risk reporting enhances stakeholder confidence. Investors, customers, and partners are more likely to trust organizations that transparently disclose their risk management strategies and outcomes.

Question 35

Business Impact Analysis

Answer 35

BIA is carried out by an auditor with the objective of identifying a single point of failure. The auditor checks for any component whose failure would significantly impair or halt a company’s operations.

Question 36

Recovery Point Objective (RPO):

Answer 36

the Recovery Point Objective (RPO) as closely as possible. The RPO is the amount of time a company can operate without its systems.

Question 37

Recovery Time Objective

Answer 37

The RTO is the time when a business aims to restore its operations to an operational level after a disruption

Question 38

Mean time to repair

Answer 38

MTTR signifies the average duration needed to restore a malfunctioned system to its optimal operating condition. For instance, if a vehicle experiences a breakdown at 2:00 P.M. and its repair is completed by 4:00 P.M., this yields an MTTR of two hours, denoting a relatively swift resolution.

Question 39

Mean Time Between Failures (MTBF)

Answer 39

: MTBF stands as a paramount metric in evaluating and enhancing the reliability of systems and components. It provides insights into the average time a system or component operates without failure. It acts as a critical indicator of the inherent reliability and endurance of equipment or systems, providing a foundational basis for predictive maintenance and system optimization.

Question 40

Raid 0

Answer 40

• Description: Splits (stripes) data evenly across two or more disks without redundancy.
• Advantages:
• High read and write performance.
• Disadvantages:
• No fault tolerance. If one disk fails, all data is lost.
• Use Case: High-performance applications where data loss is not critical.

Question 41

Evidence must be captured in following order

Answer 41

Evidence must be captured in the following order:

CPU cache: This fast but volatile memory is used by the CPU and can provide critical insights.
Random Access Memory (RAM): Volatile memory running applications holds valuable information.
Swap/page file/virtual memory: This is when RAM is exhausted, these are areas of a hard drive used instead of RAM, but much slower.
Hard drive: Data at rest is the least volatile and is captured after volatile memory. This is where data is saved to the hard drive.

Question 42

Stages of the Cyber Kill Chain

Answer 42

Stages of the Cyber Kill Chain

Reconnaissance

Calling employees, sending emails, social engineering, dumpster diving

Weaponization

Create malware payload

Delivery

Delivery medium, such as USB, email, web page

Exploitation

Executing code via a vulnerability

Installation

Installing malware on the asset

Command and Control

Infected system sends back information to the attacker

Action on Objectives

Hands-on keyboard—attack complete

Question 43

Diamond Model

Answer 43

Adversary: This is the threat actor group. The MITRE ATT&CK framework can be used to identify who they are and what attacks they use.
Capabilities: This refers to the exploit an adversary develops to carry out their attack. These are also laid out in the MITRE ATT&CK model.
Infrastructure: This is the path or means by which the attacker can get to the victim. This could be via USB, email, IP address, or remote access.
Victim: This is the person targeted by the adversary.

Question 44

Effectivie Impact

Answer 44

Effective impact = Impact x Probability x Exposure factor