Risk Assessment Flashcards
What is Risk Assessment
Process used within risk management to identify how much risk exists in a given network or system.
What is Risk
The probability that a threat will be realized
What is a vulnerability
A controllable aspect of a system: a weakness in the design or implementation of that system.
What are threats?
Any condition that could cause harm, loss, damage, or compromise IT systems.
External and outside our control, e.g.:
Hackers, natural disasters, war
Where does risk live?
Risk exists where threats overlap with vulnerabilities. If there is a vulnerability but no threat, there is no risk.
If there are both threats and vulnerabilities, then there is risk.
What can be done about threats once identified
Risk Management is used to minimize the likelihood of a negative outcome occurring.
In what ways can risk be handled
Risk Avoidance
Risk Transfer
Risk Mitigation
Risk Acceptance
Explain risk avoidance and transfer
Avoidance is a strategy that requires stopping an activity that carries risk, or choosing a less risky alternative.
e.g. taking a Windows XP machine offline, or upgrading it to Windows 10
Risk Transfer is transferring the risk to a third party.
e.g. insurance
Explain Risk Mitigation and Risk Acceptance
Risk Mitigation - Strategy to seek out and reduce the risk to an acceptable level
Risk Acceptance - Accept the current level of risk, and the costs that would be associated with it if the risk were realized
- e.g. choosing not to extend a laptop warranty
What is residual risk?
Risk remaining after attempting to avoid, transfer, or mitigate risk.
What are the four steps to reduce risk
- Identify Assets
- Identify Vulnerabilities
- Identify Threats
- Identify impact
Describe Qualitative Analysis
It uses intuition, experience, and other methods to assign a relative value to risk.
Based on perceived risk, a given risk is placed in a tile of the risk matrix (here, the red tile D4).
Relative categories of risk, or comparison between risks = Qualitative
True or False: Experience is critical to Qualitative Analysis
True
Describe quantitative analysis and its components
Uses numerical and monetary values to calculate risk:
Value of Asset
Threat Frequency
Severity of vulnerability
Impact of realized threat (money)
What is Magnitude of impact
Used with both quantitative and qualitative analysis to estimate the amount of damage that a negative risk could cause.
What is SLE, ARO, and ALE
Single Loss Expectancy - Cost associated with each individual realization of a threat.
Annualized Rate of Occurrence - The number of times a year that something happens.
Annualized Loss Expectancy - Expected annual cost of threats being realized.
What is the EF in the SLE and ALE equations
EF is the Exposure Factor - The portion of an asset's value that would be lost if a threat is realized.
How is SLE calculated
SLE = AV (Asset Value) × EF (Exposure Factor)