Personnel Security and Risk Management Concepts Flashcards
What does the Exposure Factor (EF) represent?
The percentage of an asset's value that an organization expects to lose if a specific threat against that asset is realized. Expressed as a percentage between 0% and 100%.
What does the Single Loss Expectancy (SLE) represent?
The amount of loss an organization would experience from a SINGLE occurrence of a specific threat against an asset. It covers one event of loss, not a yearly total.
How do you calculate the Single Loss Expectancy (SLE)?
SLE = AV (Asset Value) x EF (Exposure Factor)
What is the ARO (Annualized Rate of Occurrence)?
The expected frequency with which a specific threat or risk will occur in ONE year.
How do you calculate the ARO?
It can be derived from historical records, statistical analysis or estimation. One method: multiply the likelihood of an occurrence by the number of users who could initiate the threat.
What is the ALE (Annualized Loss Expectancy)?
The possible yearly costs of all instances of a specific realized threat against a specific asset.
How do you calculate the ALE (Annualized Loss Expectancy)?
SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) = ALE
What does a Safeguard do?
Reduces the likelihood of the event occurring, i.e. lowers the ARO (Annualized Rate of Occurrence). Some safeguards instead (or also) reduce the Exposure Factor (EF) by limiting the damage a single occurrence can do. Either way the ALE after the safeguard is lower than before.
What type of calculations should you do when looking to apply a safeguard?
A cost/benefit analysis of applying the safeguard. If the safeguard costs more per year than the loss it prevents (or more than the asset it protects is worth), it is not justified.
How do you calculate Safeguard benefit?
(ALE1 - ALE2) - ACS = Safeguard Value
(ALE before safeguard - ALE after implementing safeguard) - Annual Cost of Safeguard (ACS) = value of the safeguard to the company. A negative result means the safeguard costs more per year than it saves.
How do you calculate the Annual Cost of a Safeguard (ACS)?
Total cost of the safeguard (purchase, deployment and ongoing upkeep) / number of years in its lifetime
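The cards above (SLE = AV x EF, ALE = SLE x ARO, safeguard value = (ALE1 - ALE2) - ACS) are one procedure. The following is an added worked example, not part of the original flashcards: it carries a constructed scenario (a $500,000 customer database, EF 0.40, ARO 0.25) through the full cost/benefit calculation for three hypothetical safeguards, one that lowers ARO, one that lowers EF, and one that removes most of the risk but costs more per year than the ALE it eliminates. All figures and safeguard names are assumed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost/benefit.

All asset values, costs and probabilities below are constructed sample
figures for illustration, not data from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    total_cost: float   # purchase + deployment + upkeep over its lifetime
    years: int          # lifetime over which total_cost is amortized
    aro_after: float    # ARO once the safeguard is in place
    ef_after: float     # EF once the safeguard is in place (unchanged if it only lowers likelihood)


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF is a fraction of asset value, 0..1")
    return round(asset_value * ef, 2)


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle(asset_value, ef) * aro, 2)


def annual_cost(sg: Safeguard) -> float:
    """ACS: lifetime cost of the safeguard spread evenly over its lifetime."""
    return round(sg.total_cost / sg.years, 2)


def safeguard_value(asset_value: float, ef_before: float, aro_before: float, sg: Safeguard) -> float:
    """(ALE before - ALE after) - ACS. Negative means the safeguard costs more than it saves."""
    ale_before = ale(asset_value, ef_before, aro_before)
    ale_after = ale(asset_value, sg.ef_after, sg.aro_after)
    return round((ale_before - ale_after) - annual_cost(sg), 2)


def rank_safeguards(asset_value: float, ef_before: float, aro_before: float, candidates):
    """Return (name, value) pairs, best first, keeping only safeguards with positive value."""
    scored = [(sg.name, safeguard_value(asset_value, ef_before, aro_before, sg)) for sg in candidates]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed sample: a customer database worth $500,000 (AV); a breach destroys
# 40% of its value (EF = 0.40) and is expected once every four years (ARO = 0.25).
ASSET_VALUE = 500_000
EF_BEFORE = 0.40
ARO_BEFORE = 0.25

# Hypothetical safeguards; names and costs are assumed, not from any vendor.
CANDIDATES = [
    # Lowers likelihood only: ARO 0.25 -> 0.05, EF unchanged.
    Safeguard("patch management + MFA", total_cost=90_000, years=3, aro_after=0.05, ef_after=0.40),
    # Lowers impact only: tested offline backups cut EF 0.40 -> 0.10, ARO unchanged.
    Safeguard("encrypted offline backups", total_cost=20_000, years=4, aro_after=0.25, ef_after=0.10),
    # Lowers likelihood a lot, but its ACS exceeds the ALE it removes.
    Safeguard("managed SOC contract", total_cost=300_000, years=5, aro_after=0.01, ef_after=0.40),
]

if __name__ == "__main__":
    print(f"SLE = {sle(ASSET_VALUE, EF_BEFORE):,.2f}")
    print(f"ALE = {ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE):,.2f}")
    for sg in CANDIDATES:
        value = safeguard_value(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, sg)
        print(f"{sg.name:26s} ACS={annual_cost(sg):>10,.2f}  value={value:>11,.2f}")
    print("worth implementing:", rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES))
```

Running it shows SLE 200,000 and ALE 50,000; the backups (value 32,500) beat the ARO-only control (value 10,000), and the SOC contract comes out negative (-12,000) despite cutting ARO to 0.01, because its ACS of 60,000 exceeds the 48,000 of ALE it removes. Values are rounded to cents so the comparisons do not depend on floating-point noise.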
How do you calculate Residual Risk?
Total Risk - Controls Gap = Residual Risk
It is the RISK that remains AFTER countermeasures (controls) are in place.
What is a Control Gap?
The amount of risk that is reduced by implementing controls: the difference between the Total Risk and the Residual Risk.
Name the 7 different types of CONTROLS?
- Deterrent
- Preventive
- Detective
- Compensating
- Corrective
- Recovery
- Directive
What is a Deterrent control used for?
- Discourages violation of security policies.