Module 5 - Risk Assessment Flashcards
Threat
A threat is the potential that a vulnerability will be identified and exploited.
Threat Vector
A threat vector is the path that an attacker utilises to impact the target.
Threat source types
- Adversarial: Threats from individuals, groups, organizations or nations.
- Accidental: Actions that occur without a malicious intent.
- Structural: Equipment and software failures.
- Environmental: External disasters that can be either natural or human-caused, such as fires and floods.
What are the 4 goals of a risk analysis?
- Identify assets and their value.
- Identify vulnerabilities and threats.
- Quantify the probability and impact of the identified threats.
- Balance the impact of the threat against the cost of the countermeasure.
Quantitative Risk Analysis
A quantitative risk analysis assigns numbers to the risk analysis process. For example, the asset value might be the replacement cost of a file server (the asset). The value of an asset can also be measured by the income gained through the use of the asset.
EF
The exposure factor (EF) is a subjective value expressed as the percentage of the asset (here, the file server) lost due to a particular threat. If total loss occurs, the EF equals 1.0 (100%).
ARO
The annualized rate of occurrence (ARO) is the probability that a loss will occur during the year. An ARO can be greater than 100% if a loss can occur more than once a year.
ALE
The calculation of the annual loss expectancy (ALE) gives management some guidance on what an organization should spend to protect the file server.
Qualitative Risk Analysis
Qualitative risk analysis uses opinions and scenarios plotting the likelihood of a threat against its impact. For example, a server failure may be likely, but its impact may only be marginal.
Risk Mitigation
Mitigation involves reducing the likelihood or severity of a loss from threats. Many technical controls mitigate risk, including authentication systems, file permissions and firewalls.