Risk Assessment Flashcards
What does risk assessment help us understand?
- What is at risk? (Identifying assets)
- How much is at risk? (Identifying values)
- Where does the risk come from? (Identifying threats and vulnerabilities)
- How can the risk be reduced? (Identifying countermeasures)
- Is it cost-effective? (Risk can never be completely eliminated, only reduced at a cost)
What does Single Loss Expectancy (SLE) measure?
the expected impact (in monetary terms) of a certain threat occurring
SLE = Asset Value (AV) × Exposure Factor (EF)
What does the Annualized Rate of Occurrence (ARO) represent?
the expected frequency of a threat occurring per year
How does one calculate the Annualized Loss Expectancy (ALE)?
ALE = SLE × ARO
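Worked example (added here; not part of the original flashcard deck): the SLE and ALE formulas carried through for one asset and one threat, and then used to answer the "is it cost-effective?" question at the top of the deck by comparing each countermeasure's reduction in ALE against its own annual cost. The asset value, exposure factors, rates of occurrence, countermeasure names and costs are constructed for the illustration, not real figures; the net-benefit rule (ALE before minus ALE after minus annual cost of the control) is the standard way these quantities are combined, not something the deck itself states.

```python
"""Quantitative risk assessment: SLE / ALE and countermeasure cost-benefit.

Added illustration, not from the flashcards. All asset, threat and
countermeasure figures below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per incident, 0..1
    aro: float              # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would make SLE/ALE meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO must be >= 0")


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # Effect of the control; None means that parameter is unchanged.
    new_exposure_factor: Optional[float] = None  # control reduces impact (EF)
    new_aro: Optional[float] = None              # control reduces frequency (ARO)


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle(asset_value, exposure_factor) * aro


def residual_ale(asset_value: float, threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains with the countermeasure in place (reduced, never zero)."""
    ef = threat.exposure_factor if cm.new_exposure_factor is None else cm.new_exposure_factor
    aro = threat.aro if cm.new_aro is None else cm.new_aro
    return ale(asset_value, ef, aro)


def annual_net_benefit(asset_value: float, threat: Threat, cm: Countermeasure) -> float:
    """Yearly value of a control: (ALE before - ALE after) - annual cost of the control.

    Negative means the control costs more per year than the loss it prevents.
    """
    before = ale(asset_value, threat.exposure_factor, threat.aro)
    after = residual_ale(asset_value, threat, cm)
    return (before - after) - cm.annual_cost


def rank_countermeasures(asset_value: float, threat: Threat,
                         options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """(name, net benefit) pairs, best first; only positive entries are cost-effective."""
    scored = [(cm.name, annual_net_benefit(asset_value, threat, cm)) for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# --- Constructed example input (hypothetical figures) ---
FILE_SERVER_VALUE = 500_000.0  # AV: assumed value of the asset
RANSOMWARE = Threat("ransomware on file server", exposure_factor=0.4, aro=0.5)
OPTIONS = [
    Countermeasure("offline backups", annual_cost=20_000.0, new_exposure_factor=0.1),
    Countermeasure("endpoint detection", annual_cost=60_000.0, new_aro=0.1),
    Countermeasure("full DLP suite", annual_cost=120_000.0, new_exposure_factor=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {sle(FILE_SERVER_VALUE, RANSOMWARE.exposure_factor):,.0f}")
    print(f"ALE = {ale(FILE_SERVER_VALUE, RANSOMWARE.exposure_factor, RANSOMWARE.aro):,.0f}")
    for name, benefit in rank_countermeasures(FILE_SERVER_VALUE, RANSOMWARE, OPTIONS):
        verdict = "cost-effective" if benefit > 0 else "NOT cost-effective"
        print(f"{name:20s} net benefit {benefit:>10,.0f}/yr  {verdict}")
```

With these inputs SLE is 200,000 and ALE is 100,000 per year; offline backups cut ALE to 25,000 for 20,000 a year (net +55,000), endpoint detection cuts it to 20,000 for 60,000 a year (net +20,000), and the DLP suite, although it leaves the least residual risk, costs more than the loss it prevents and is rejected on cost-effectiveness grounds.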
What 4 areas are typically involved in the risk analysis of information systems?
- Value of the information/system assets
- Possible threats to information/systems
- Vulnerabilities of information/systems
- Cost of countermeasures
On which three variables does risk depend?
Risk is a function of threats, vulnerabilities, and assets
What two basic kinds of assets exist?
- Tangible assets (hardware, buildings, etc.)
- Intangible assets (software, information)
What is the Delphi Method?
a structured way to put a value on information assets by polling knowledgeable staff over several rounds
How does the Delphi Method work? Name the four basic steps.
- Experts (i.e. knowledgeable staff) give answers to questionnaires for several rounds
- After each round a facilitator summarizes answers (and reasoning) given by experts
- This summary is given to the experts (usually done anonymously)
- New round is started in which experts may revise their answers
What are the two basic types of threats?
Accidental
Intentional
What are two basic approaches of information asset valuation?
- Cost approach: try to put a fair market value on the information assets
- Income approach: try to determine income stream generated by products/services associated with information assets
What is threat analysis?
During threat analysis, the analyst must decide which threats to consider
What is vulnerability analysis?
Vulnerability analysis identifies the vulnerabilities that a threat could exploit
Vulnerabilities allow threats to occur (more often) or to have a greater impact; in ALE terms, they raise the ARO or the EF
What is the aim of risk modelling?
giving well-informed answers to the following questions:
- What could happen? (threats/vulnerabilities)
- How bad would it be? (impact)
- How often might it occur? (frequency/probability)
- How certain are the answers to the questions above? (uncertainty)
What is quantitative risk assessment?
Trying to put a number on everything is called quantitative risk assessment
Computing the ALE is a classic form of quantitative risk assessment