Risk Analysis Flashcards
You are responsible for ensuring that all company IT-related equipment and data are inventoried and given a value. Which term best describes this activity?
Asset identification
Risk assessment
Risk mitigation
Asset identification
Asset identification is required before identifying where threats exist. Proper risk management involves identifying assets (including data) and associating a value to them. This information can then be used to justify expenditures to protect these assets
You are identifying security threats to determine the likelihood of virus infection. Identify potential sources of infection. (Choose two.)
USB flash drives
USB keyboard
Smartcard
Downloaded documentation from a business partner web site
USB flash drives
Downloaded documentation from a business partner web site
USB flash drives could have files downloaded from the Internet or copied from less secure machines that could infect your network. Business partner documentation downloaded from the Internet could potentially be infected. With proper management approval, conducting a thorough vulnerability assessment of the existing network and its devices, or a more aggressive penetration test, can reveal these potential security holes
During a risk analysis meeting, you are asked to specify internal threats being considered. Which item is not considered an internal threat?
Embezzlement
Attackers breaking in through the firewall
Employees using corporate assets for personal gain
Attackers breaking in through the firewall
Attackers breaking through a firewall would be considered an external threat
You are an IT security consultant. A client conveys her concern to you regarding malicious Internet users gaining access to corporate resources. What type of assessment would you perform to determine this likelihood?
Threat assessment
Risk analysis
Asset identification
Threat assessment
Determining how an entity may gain access to corporate resources would require a threat assessment. Environmental threat assessments consider natural factors such as floods and earthquakes as well as facility environmental factors such as HVAC and physical security. Threat assessment must also consider personmade threats such as war or terrorism. For a completely objective view of threats, assessment should be conducted by an external entity
You are an IT consultant performing a risk analysis for a seafood company. The client is concerned with specific cooking and packaging techniques the company uses being disclosed to competitors. What type of security concern is this?
Integrity
Confidentiality
Availability
Confidentiality
Confidentiality means keeping data hidden from those who should not see it, such as competitors
After identifying internal and external threats, you must determine how these potential risks will affect business operations. Which of the following terms best describes this?
Risk analysis
Fault tolerance
Impact analysis
Impact analysis
Determining the effect that materialized risks have on the operation of a business is called impact analysis. It is often used to determine whether expenditures against these risks are justified
When determining how best to mitigate risk, which items should you consider? (Choose two.)
Insurance coverage
Number of server hard disks
How fast CPUs in new computers will be
Network bandwidth
Insurance coverage
Number of server hard disks
Assessing risk includes determining what is and is not covered by various types of insurance coverage and whether the cost of those insurance premiums is justified, such as cybersecurity insurance related to malicious network attacks or intellectual property data theft. The number of server hard disks is definitely risk related. The likelihood of hard disk data loss is minimized when multiple hard disks are configured properly, such as RAID 1 (disk mirroring)
You are listing preventative measures for potential risks. Which of the following would you document? (Choose three.)
Larger flat-screen monitors
Data backup
Employee training
Comparing reliability of network load balancing appliances
Data backup
Employee training
Comparing reliability of network load balancing appliances
Backing up data minimizes the risk of data loss. Employee training reduces the likelihood of errors or disclosure of confidential information. Choosing the most reliable network load balancing appliance can reduce the risk of network traffic congestion
An insurance company charges an additional $200 monthly premium for natural disaster coverage for your business site. What figure must you compare this against to determine whether to accept this additional coverage?
ALE
ROI
Total cost of ownership
ALE
The annual loss expectancy (ALE) value is used with quantitative risk analysis approaches to prioritize and justify expenditures that help protect against potential risks. For example, an ALE value of $1000 may justify a $200 annual expense to protect against that risk
Which of the following is true regarding qualitative risk analysis?
Only numerical data is considered.
ALE must be calculated.
Threats must be identified.
Threats must be identified.
Qualitative risk analysis categorizes risks (threats) with general (not hard numerical) terms and numerical ranges—for example, analyzing risks using ratings between 1 (low risk) to 10 (high risk). For this to happen, threats must first be identified
Which values must be calculated to derive annual loss expectancy? (Choose two.)
Single loss expectancy
Annual rate of occurrence
Monthly loss expectancy
Quarterly loss expectancy
Single loss expectancy
Annual rate of occurrence
Annual loss expectancy (ALE) is derived by multiplying the annual rate of occurrence (ARO) by the single loss expectancy (SLE)
You are the server expert for a cloud computing firm. Management would like to set aside funds to respond to server downtime risks. Using historical data, you determine that the probability of server downtime is 17 percent. Past data suggests the server would be down for an average of one hour and that $3000 of revenue can be earned in one hour. You must calculate the ALE. Choose the correct ALE.
$300
$510
$3000
$510
Annual loss expectancy is calculated by multiplying the annual rate of occurrence (ARO = 0.17) by the single loss expectancy (SLE = 3000). So, ALE = ARO × SLE, and 0.17 × $3000 = $510
Your boss asks you to calculate how much money the company loses when critical servers required by employees are down for one hour. You have determined that the probability of this happening is 70 percent. The company has 25 employees, each earning $18.50 per hour. Choose the correct value.
$12.95
$18.50
$323.75
$323.75
This question is asking you to calculate the ALE. Multiply the probability (ARO) by the cost associated with a single failure (SLE). ALE = ARO × SLE, and 0.7 × (25 × $18.5) = $323.75
Which term best describes monies spent to minimize the impact that threats and unfavorable conditions have on a business?
Risk management
Security audit
Budgetary constraints
Risk management
Risk assessment means determining the impact that threats and less than optimal conditions can have on a business or agency. Risk management involves setting aside the funds to account for these eventualities. Determining the amount of money to set aside may involve many detailed calculations
Which risk analysis approach makes use of ALE?
Best possible outcome
Quantitative
ROI
Quantitative
The ALE is a specific figure derived from the probability of a loss and the cost of one occurrence of this loss. Because specific dollar values (quantities) are used to prioritize risks, this falls into the category of quantitative risk analysis
You are presenting data at a risk analysis meeting. During your presentation you display a list of ALE values ranked by dollar amount. Bob, a meeting participant, wants to know how reliable the numeracy used to calculate the ALE is. What can you tell Bob?
The numbers are 50 percent reliable.
ALEs are calculated using probability values that vary.
ALEs are calculated using percentages and are accurate.
ALEs are calculated using probability values that vary.
ALE values use the probability of a loss in conjunction with the cost of a single incident. Probability values are rarely accurate, but because the future cannot be accurately predicted, they are acceptable. Probability values can be arrived at by referring to past historical data
Which of the following should be performed when conducting a qualitative risk assessment? (Choose two.)
Asset valuation
ARO
SLE
Ranking of potential threats
Asset valuation
Ranking of potential threats
Qualitative risk analysis assesses the likelihood of risks that will impede normal business operations and prioritizes; it ranks them relative to one another. Assets that must be protected from identified risks must have an assigned value to determine whether the cost of risk mitigation is justified. This is often done in a risk register
You are the IT security analyst for a gourmet food company that plans to open a plant in Oranjestad, Aruba, next year. You are meeting with a planning committee in the next week and must come up with questions to ask the committee about the new location so you can prepare a risk analysis report. Which of the following would be the most relevant questions to ask? (Choose two.)
How hot does it get in the summer?
How reliable is the local power?
What kind of physical premise security is in place?
How close is the nearest highway?
How reliable is the local power?
What kind of physical premise security is in place?
A reliable power source is critical for IT systems. Unreliable power would mean a different plant location or the use of an uninterruptible power supply (UPS) and power generators. Physical security should always be considered during risk analysis
Your corporate web site is being hosted by a cloud service provider. How does this apply to the concept of risk?
Risk avoidance
Risk transfer
Risk analysis
Risk transfer
Risk transfer shifts some or all of the burden of risk to a third party such as the cloud service provider, which in this case is responsible for the underlying infrastructure to support the web site. The cloud customer is responsible for the web site content. The risk transfer combination of cybersecurity insurance when using cloud computing is called multiparty risk
Which of the following regarding risk management is true?
Funds invested in risk management could have earned much more profit if spent elsewhere.
ALEs are only estimates and are subject to being inaccurate.
IT security risks are all handled by the corporate firewall.
ALEs are only estimates and are subject to being inaccurate.
ALE figures are considered inaccurate because part of their calculation is based on probabilities
Your competitors are offering a new product that is predicted to sell well. After much careful study, your company has decided against launching a competing product because of the uncertainty of the market and the enormous investment required. Which term best describes your company’s decision?
Risk analysis
Risk transfer
Risk avoidance
Risk avoidance
Deciding to invest heavily in a new product for an uncertain market is a gamble. Deciding against it would be classified as risk avoidance
How can management determine which risks should be given the most attention?
Threat vector
Rank risks by likelihood
Rank risks by probable date of occurrence
Rank risks by likelihood
Whether qualitative or quantitative risk analysis is done, once data has been properly considered, risks should be ranked by likelihood
Recently your data center was housed in Albuquerque, New Mexico. Because of corporate downsizing, the data center equipment was moved to an existing office in Santa Fe. The server room in Santa Fe was not designed to accommodate all the new servers arriving from Albuquerque, and the server room temperature is very warm. Because this is a temporary solution until a new data center facility is built, management has decided not to pay for an updated air conditioning system. Which term best describes this scenario?
Risk transfer
Risk avoidance
Risk acceptance
Risk acceptance
Accepting the potential consequences of a threat is referred to as risk acceptance and is determined by the organization’s appetite for risk. The amount of money to minimize the risk is not warranted, as was the case of a temporary data center in Santa Fe
You are a member of an IT project team. The team is performing an IT risk analysis and has identified assets and their values as well as threats and threat mitigation solutions. What must be done next?
Perform a cost–benefit analysis of proposed risk solutions.
Calculate the ALE values.
Decide which vulnerabilities exist.
Calculate the ALE values.
ALE values must be calculated now that threats have been identified and assets have been valued
To reduce the likelihood of internal fraud, an organization implements policies to ensure that more than one person is responsible for a financial transaction from beginning to end. Which of the following best describes this scenario?
Probability
Mitigation solution
Impact analysis
Mitigation solution
The implementation of policies for the internal control of transactions encompasses mitigation solutions. The threat is identified, and a solution is put into place
What is the difference between risk assessment and risk management?
They are the same thing.
Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.
Risk management identifies and prioritizes risks; risk assessment is the governing of risks to minimize their impact.
Risk assessment identifies and prioritizes risks; risk management is the governing of risks to minimize their impact.
Risk assessment requires identification and prioritization of risks using either a relative ranking scale or objective numeric data. Managing those risks involves minimizing their impact on the business
Identify the two drawbacks to quantitative risk analysis compared to qualitative risk analysis. (Choose two.)
Quantitative risk analysis entails complex calculations.
Risks are not prioritized by monetary value.
Quantitative analysis is more time-consuming than qualitative analysis.
It is difficult to determine how much money to allocate to reduce a risk.
Quantitative risk analysis entails complex calculations.
Quantitative analysis is more time-consuming than qualitative analysis.
Quantitative risk analysis involves complex, time-consuming calculations. Results are expressed in specific percentages or monetary values, despite the fact that probability figures are used to arrive at these results
While performing a software licensing compliance scan you discover internal legacy network hosts as well as IoT pump and valve sensor devices running on the network. The hosts run mission-critical software that receives data from the IoT devices. The hosts will be updated with new hardware and software. The IoT devices will not be replaced but will continue to be used. What should you do to best secure this environment? (Choose two.)
Change IoT device default settings.
Deploy a proxy server between users and the legacy hosts.
Place IoT devices on a restricted network.
Change the default port numbers.
Change IoT device default settings.
Place IoT devices on a restricted network.
Hardening Internet of things (IoT) devices is achieved by applying updates, changing default settings, and placing the devices on a restricted network so that a compromised IoT devices will not be on the same network as other assets
In preparation for the next IT security meeting for your company, you would like to provide a visual representation of various risks and their likelihood. What should you prepare?
Risk register
Risk heat map
Risk assessment
Risk heat map
A risk heat map facilitates with visually communicating risks and occurrence likelihoods, where a high-risk probability of occurrence would be colored red, remote likelihoods would be green, and medium-level risk possibilities would be yellow or orange
Which activity is the most closely related to organizational risk transfer?
Requiring new employees to sign an Internet acceptable use policy
Acquiring cybersecurity insurance
Placing a firewall between a screened subnet and an internal network
Acquiring cybersecurity insurance
With cybersecurity insurance, a portion of the burden of risk related to the occurrence of malicious attacks or sensitive data theft falls upon the insurance company; this is a prime example of risk transfer
