Risk Assessment Flashcards
What does risk assessment help us understand?
- What is at risk? (Identifying assets)
- How much is at risk? (Identifying values)
- Where does the risk come from? (Identifying threats and vulnerabilities)
- How can the risk be reduced? (Identifying countermeasures)
- Is it cost effective? (Risk can never be completely eliminated)
What does Single Loss Expectancy (SLE) measure?
the expected impact (in monetary terms) of a certain threat occurring
SLE = Asset Value (AV) × Exposure Factor (EF)
What does the Annualized Rate of Occurrence (ARO) represent?
the expected frequency of a threat occurring per year
How does one calculate the Annualized Loss Expectancy (ALE)?
ALE = SLE × ARO
What 4 areas are typically involved in the risk analysis of information systems?
- Value of the information/system assets
- Possible threats to information/systems
- Vulnerabilities of information/systems
- Cost of countermeasures
On which three variables does risk depend?
Risk is a function of threats, vulnerabilities, and assets
What two basic different kinds of assets exist?
- Tangible assets (hardware, buildings, etc.)
- Intangible assets (software, information)
What is the Delphi Method?
way to put a value on information assets by asking knowledgeable staff in a systematic way
How does the Delphi Method work? Name the four basic steps.
- Experts (i.e. knowledgeable staff) give answers to questionnaires for several rounds
- After each round a facilitator summarizes answers (and reasoning) given by experts
- This summary is given to the experts (usually done anonymously)
- New round is started in which experts may revise their answers
What are the two basic types of threats?
- Accidental
- Intentional
What are two basic approaches of information asset valuation?
- Cost approach: try to put a fair market value on the information assets
- Income approach: try to determine income stream generated by products/services associated with information assets
What is threat analysis?
During threat analysis, the analyst must decide which threats to consider
What is vulnerability analysis?
Vulnerability analysis is about identifying vulnerabilities that can be exploited
Vulnerabilities allow threats to occur (more often) or have a greater impact
What is the aim of risk modelling?
giving well-informed answers to the following questions:
- What could happen? (threats/vulnerabilities)
- How bad would it be? (impact)
- How often might it occur? (frequency/probability)
- How certain are the answers to the questions above? (uncertainty)
What is quantitative risk assessment?
Trying to put a number on everything is called quantitative risk assessment
Computing the ALE is a classic form of quantitative risk assessment
What are the prerequisites of quantitative risk assessment?
- Reliable data has to be available
- Appropriate tools have to be available
- The person doing the assessment knows what they are doing (and is trustworthy)
If this is not the case, quantitative assessment can lead to a false sense of security!
What is qualitative risk assessment?
- An alternative to quantitative assessment
- Rather than using concrete numbers, ranking is used, e.g. describing a threat level as high, medium, or low
- Asset values may also be described in a similar way, e.g. high, medium, or low importance
What is CRAMM?
a risk assessment tool
If you’re selling to the UK government, chances are high that you have to use this method/tool
CRAMM uses a risk matrix
What is the Flaw Hypothesis Methodology?
A framework for conducting penetration studies
What are penetration studies?
the test of an organisation’s countermeasures to risk
What are the 5 steps involved in the Flaw Hypothesis Methodology?
1 Information gathering: testers try to become as familiar with system as possible (in their role as external or internal attackers)
2 Flaw hypothesis: drawing on knowledge from step 1 and known vulnerabilities, testers hypothesize flaws
3 Flaw testing: testers try to exploit the possible flaws identified in step 2
If the flaw does not exist, go back to step 2. If the flaw exists, go to the next step
4 Flaw generalization: testers try to find other similar flaws, iterate test again (starting with step 2)
5 Flaw elimination: testers suggest ways of eliminating the flaw