Lecture 2

Question 1

Define risk in the context of cybersecurity.

Answer 1

Risk is the potential for loss or damage when a threat exploits a vulnerability.

Question 2

Risk Formula if a vulnerability is stated

Answer 2

Risk=ThreatVulnerabilityImpact

Question 3

Risk if no vulnerability value is determined

Answer 3

Risk=Probability(Likelihood)*Loss(Impact)

Question 4

Name the risk management strategies:

Answer 4

Acceptance: Acknowledging the risk.
Avoidance: Changing processes to avoid risk.
Transference: Shifting risk via insurance.
Mitigation: Reducing impact or likelihood.

Question 5

Annualized Loss Expectancy (ALE):

Answer 5

ALE=AssetValue(AV)×Probability(P)×Impact(I)

Question 6

What are the two types of risk analysis?

Answer 6

Qualitative: Uses scales to assess seriousness of threats without calculating dollar values.
Quantitative: Calculates dollar values for each risk and its impact.

Question 7

Single Loss Expectancy (SLE):

Answer 7

SLE=AssetValue×ExposureFactor(EF)

Question 8

ALE=SLE×AnnualRateofOccurrence(ARO)

Answer 8

ALE=SLE×AnnualRateofOccurrence(ARO)

Question 9

ROI

Answer 9

ROI= [(ALE Before Control-ALE After Control-Cost of Control)/Cost of Control] * 100

Question 10

Residual risk

Answer 10

ResidualRisk=InherentRisk×(1−ControlEffectiveness)