Risk Flashcards
What is Risk?
Potential loss or destruction of an asset
Risk can pertain to various contexts including financial, operational, and strategic areas.
What is the quantitative Risk Formula?
Risk = Impact * Likelihood
Quantitative risk assessments apply numerical estimates to impact and likelihood.
What is the qualitative Risk Formula?
Risk = Asset * Vulnerability * Threat
Qualitative assessments focus on categorizing risks.
How is asset identification done?
Endpoint management tools, SNMP network monitoring, ad hoc scripting
These methods help track and manage organizational assets effectively.
What factors are involved in estimating losses?
- Decreased productivity
- Replacement cost
- Expenses incurred handling loss
- Fines or legal judgments
- Diminished competitive advantage
- Reputation
- Criticality
- Cost
- Sensitivity
Understanding these factors is crucial for accurate risk assessment.
What is included in the Sensitivity Factor for Asset Loss?
- Reputation
- Competitive Advantage
- Legal/Regulatory
What are the components of vulnerability factors?
- Ease of discovery
- Ease of exploit
- Awareness
Vulnerability factors help assess how susceptible an organization is to threats.
Where do we find vulnerabilities?
NVD (NIST.gov)
Where can we find out about threats?
DBIR (Verizon website)
The Data Breach Investigations Report is a reliable source for understanding current cybersecurity threats.
What is the CVSS Score?
An open framework for communicating the characteristics and severity of software vulnerabilities
CVSS stands for Common Vulnerability Scoring System.
How is the CVSS Score calculated?
Each score is calculated with the CVSS calculator, which generates a base score ranging from 0 to 10.
This scoring helps organizations prioritize their responses to vulnerabilities.
What dimensions make up the CVSS calculation?
- Base
- Threat
- Environmental
- Supplemental
These dimensions provide a comprehensive assessment of vulnerabilities.
What are some limitations of CVSS?
- Lack of context for specific environments
- Difficulty in estimating exploitability
- Focus on technical aspects
- Doesn’t reflect real-world consequences
- Subjectivity and variability
- Outdated scores
- Over-simplification
- No intrinsic value for threat intelligence
- Inconsistency between vendors and experts
Recognizing these limitations is important for effective risk management.
What are the OWASP factors for estimating likelihood and impact?
- Threat Agent Factors
- Vulnerability Factors
- Technical Impact Factors
- Business Impact Factors
OWASP provides guidelines for assessing risks in web applications.
What are some Threat Agent Factors?
Skill level, motive, opportunity, size
What are the four types of Risk Response?
- Reduction/Mitigation
- Retention
- Avoidance
- Transfer
Each type of response has its own strategic implications for risk management.
What are some Vulnerability Factors?
Ease of discovery, ease of exploit, awareness, intrusion detection
What are the Technical Impact Factors?
Loss of confidentiality, loss of integrity, loss of availability, loss of accountability
What are the Business Impact Factors?
Financial damage, reputation damage, non-compliance, privacy violation
Fill in the blank: Risk = _______ * Likelihood.
[Impact]
This formula is used in quantitative risk assessments.
Fill in the blank: Risk = Asset * _______ * Threat.
[Vulnerability]
This formula is used in qualitative risk assessments.
Which of the following Privileges Required (PR) metric values (part of the CVSS score) is the worst, meaning it leads to a higher CVSS score?
a) None
b) Low
c) High
d) Moderate
a) None
A company decides that the likelihood of an adverse event happening is so small that it chooses not to add any controls or make any plans to prepare for the event. What type of risk response is it choosing to use?
a) Reduction
b) Retention
c) Avoidance
d) Transfer
b) Retention