Risk Flashcards

1
Q

What is Risk?

A

Potential loss or destruction of an asset

Risk can pertain to various contexts including financial, operational, and strategic areas.

2
Q

What is the quantitative Risk Formula?

A

Risk = Impact * Likelihood

Quantitative risk assessments apply numerical estimates

3
Q

What is the qualitative Risk Formula?

A

Risk = Asset * Vulnerability * Threat

Qualitative assessments focus on categorizing risks.

4
Q

How is asset identification done?

A

Endpoint management tools, SNMP network monitoring, Ad hoc scripting

These methods help track and manage organizational assets effectively.

5
Q

What factors are involved in estimating losses?

A
  • Decreased productivity
  • Replacement cost
  • Expenses incurred handling loss
  • Fines or legal judgments
  • Diminished competitive advantage
  • Reputation
  • Criticality
  • Cost
  • Sensitivity

Understanding these factors is crucial for accurate risk assessment.

6
Q

What is included in the Sensitivity Factor for Asset Loss?

A
  • Reputation
  • Competitive Advantage
  • Legal/Regulatory
7
Q

What are the components of vulnerability factors?

A
  • Ease of discovery
  • Ease of exploit
  • Awareness

Vulnerability factors help assess how susceptible an organization is to threats.

8
Q

Where do we find vulnerabilities?

A

NVD (NIST.gov)

9
Q

Where can we find out about threats?

A

DBIR (Verizon website)

The Data Breach Investigations Report is a reliable source for understanding current cybersecurity threats.

10
Q

What is the CVSS Score?

A

An open framework for communicating the characteristics and severity of software vulnerabilities

CVSS stands for Common Vulnerability Scoring System.

11
Q

How is the CVSS Score calculated?

A

Each vulnerability's score is calculated by the CVSS calculator, which generates a base score ranging from 0 to 10

This scoring helps organizations prioritize their responses to vulnerabilities.

12
Q

What dimensions make up the CVSS calculation?

A
  • Base
  • Threat
  • Environmental
  • Supplemental

These dimensions provide a comprehensive assessment of vulnerabilities.

13
Q

What are some limitations of CVSS?

A
  • Lack of context for specific environments
  • Difficulty in estimating exploitability
  • Focus on technical aspects
  • Doesn’t reflect real-world consequences
  • Subjectivity and variability
  • Outdated scores
  • Over-simplification
  • No intrinsic value for threat intelligence
  • Inconsistency between vendors and experts

Recognizing these limitations is important for effective risk management.

14
Q

What are the OWASP factors for estimating likelihood and impact?

A
  • Threat Agent Factors
  • Vulnerability Factors
  • Technical Impact Factors
  • Business Impact Factors

OWASP provides guidelines for assessing risks in web applications.

15
Q

What are some Threat Agent Factors?

A

Skill Level, motive, opportunity, size

16
Q

What are the four types of Risk Response?

A
  • Reduction/Mitigation
  • Retention
  • Avoidance
  • Transfer

Each type of response has its own strategic implications for risk management.

17
Q

What are some Vulnerability Factors?

A

Ease of discovery, ease of exploit, awareness, intrusion detection

18
Q

What are technical impact factors?

A

Loss of confidentiality, loss of integrity, loss of availability, loss of accountability

19
Q

What are the business impact factors?

A

Financial damage, reputation damage, non-compliance, privacy violation

20
Q

Fill in the blank: Risk = _______ * Likelihood.

A

[Impact]

This formula is used in quantitative risk assessments.

21
Q

Fill in the blank: Risk = Asset * _______ * Threat.

A

[Vulnerability]

This formula is used in qualitative risk assessments.

22
Q

Which of the following Privileges Required (PR) metric (as part of the CVSS Score) is the worst (meaning leads to a higher CVSS Score)?
a) None
b) Low
c) High
d) Moderate

23
Q

A company decides that the likelihood of an adverse event happening is so small that they choose not to add any controls or make any plans to prepare for the event. What type of risk response are they choosing to use?
a) Reduction
b) Retention
c) Avoidance
d) Transfer

A

b) Retention