L10 - Risk Analysis and Information Security Strategy Flashcards
What is risk management?
The main goal is to develop and implement information security strategies, which in turn reduce the risk to an acceptable level.
What is risk analysis?
The process by which the goals of risk management are achieved.
How does risk analysis work?
It:
* Examines an environment for risks
* Evaluates how likely a threat event is to occur
* Evaluates the cost to assets if the threat were to occur
* Assesses the cost of various countermeasures for each risk
* Creates a cost/benefit report for safeguards to present to management
Risk terminology
What is an asset?
It’s a system resource or capability of value to its owner which should be protected.
Risk terminology
What is asset valuation?
The monetary value of an asset based on the actual cost (e.g. replacement cost) and nonmonetary expense.
Risk terminology
What is a threat?
A potential source that could exploit a vulnerability in an asset; if it occurs, it may compromise the security of that asset and cause its owner harm.
Risk terminology
What is vulnerability?
A flaw or a weakness in an asset; it could be in its design, implementation, operation or management.
Risk terminology
What is exposure?
It’s how likely it is that a vulnerability can or will be exploited by a threat agent or event.
Risk terminology
What is risk?
It’s the potential loss an owner would suffer due to a threat exploiting a vulnerability, and the magnitude of the consequence this would have on the asset’s owner.
Risk terminology
What are safeguards?
Also called countermeasures.
Anything that would remove or reduce a vulnerability or protect against one or more specific threats.
What is asset identification?
An asset is anything that needs protection; to identify such assets, draw on the expertise of people in the relevant areas of the organization.
What is threat identification?
It’s the creation of an exhaustive list of all possible threats, which could be:
* Viruses
* Misuse of data
* Malicious hackers
* Criminal activities
* Disgruntled employees
* etc.
What is vulnerability identification?
It’s the process of identifying exploitable flaws or weaknesses in an organization’s IT systems or processes.
Its outcome should be a list of threats and vulnerabilities, describing how and why they might occur.
What is the difference between qualitative and quantitative risk analysis?
- Quantitative: values come from the mathematical domain, such as a probability space. It can be performed by assigning monetary values and probabilities to threats and assets.
- Qualitative: values aren’t from the domain of mathematics; instead, risk is calculated based on rules that capture the consolidated advice of security experts.
How is a risk calculated?
The risk is calculated based on the monetary value of the asset and the probability (likelihood) that a threat would occur.
Only applies to quantitative risk analysis.
What are the 5 risk treatment alternatives?
- Risk acceptance
- Risk avoidance
- Risk transfer
- Reduce consequence
- Reduce likelihood