Risk (Lecture 4)

Question 1

Define Security

Answer 1

Security is aimed at preventing loss or disclosure of data while maintaining authorised access

Question 2

Define Risk

Answer 2

The possibility or likelihood that something could happen to damage, destroy or disclose data and other resources without authorisation.

The more likely the occurrence of the threat, the greater the risk

Can be quantified as Risk = Threat x vulnerability

Question 3

Why is understanding risk management important?

Answer 3

Essential to establish an sufficient security stance, governance and legal proof of due care and diligence

Question 4

Who is responsible for risk management in an organisation?

Answer 4

Responsibility of senior management and organisations governing board

Usually define the scope, purpose and parameters for a risk analysis

Day-to-day tasks generally delegated throughout the organisation to team with specialist knowledge or skill

Senior management must review results and authorise all decisions relating to risk

Due Care legal requirement (Data Protection, Transaction Processing)

Question 5

What does the term ‘Risk Appetite’ mean?

Answer 5

Risk appetite refers to how far away from ‘zero risk’ an organisation is willing to be and what amount of risk is acceptable

Question 6

Whats is the primary goal of risk management?

Answer 6

To reduce risk to an acceptable level

Acceptable levels vary between organisations and even departments within

Question 7

What can change acceptable levels of risk?

Answer 7

Value of assets

Budgets

Organisational Objectives and deliverables (Service Level Agreement)

Question 8

As well as computer based risks, what other risks are there?

Answer 8

Natural disaster (fire, flood)

Terrorism/Activism

Accidental Damage

Question 9

What is Risk Analysis?

Answer 9

Process by which risk can be measured and quantified to assist in risk management.

Includes examining an environment for risk

Evaluates each threat for Likelihood of Occurrence and potential impact/consequence

Question 10

What does risk analysis focus on

Answer 10

Cost Vs Benefit
Likelihood of success
Implementation requirements

Question 11

Define a Breach

Answer 11

Occurrence of a security mechanism being bypassed or thwarted by a threat actor or attacker

Question 12

Define Penetration/Intrusion

Answer 12

Refers to a condition in which a threat actor has gained access to an organisations infrastructure or resources by breaching security mechanisms

Question 13

What is asset valuation

Answer 13

A monetary value assigned to an asset indicating its value to the organisation including costs relating to Tangible Costs (maintenance, repair, replacement, staffing)
and Intangible Costs (public confidence, industry support, organisational impact)

Question 14

What is a realised threat?

Answer 14

A threat or event that has taken place

Question 15

What does Exposure mean?

Answer 15

The potential future loss assigned to a threat or vulnerability.

Exposure to a ‘realised threat’ is called Experienced Exposure

Question 16

What does Mitigation mean?

Answer 16

AKA Countermeasures, security controls or safeguards - any measures which reduces vulnerabilities and therefore risk to protect against one or more threats

Can include software patching, changing configuration, employing physical security, training personnel

Question 17

How do you identify threats and vulnerabilities?

Answer 17

By creating an exhaustive list of all organisation assets called and Assets Register which should include physical and digital assets.

Then a list should be compiled of all possible threats for each asset. Should include threat agents as well as threat events

Question 18

Name and explain two types of risk analysis

Answer 18

Quantitative risk analysis - assigns monetary figures to the loss of an asset

Qualitative risk analysis - assigns subjective and intangible values to the loss of an asset

Question 19

How do you formulate a Quantitative Risk Figure for each asset and threat pair?

Answer 19

Assets assigned a value (Asset Value - AV)

Research each asset and produce list of possible threats to each asset

For each threat calculate the Exposure Factor (EF) and Single Loss Expectancy (SLE)

Perform a threat analysis to calculate likelihood of each threat being realised in a single year (Annualised Rate of Occurrence - ARO

Derive overall loss potential per threat by calculating Annualised Loss Expectancy (ALE)

Research countermeasures for each threat and calculate changes to ARO and ALE based on them being applied

Perform Cost/Benefit analysis of each countermeasure

Question 20

List considerations when determining asset value

Answer 20

Purchase cost
Development cost
Administrative cost
Maintenance cost
Market valuation
Liability
Operational cost

Question 21

What is Exposure Factor (EF)?

Answer 21

Shows percentage of loss that an organisation would experience if a specific asset was violated by a realised risk.

It is the expected overall asset value loss because of single realised risk

Expressed as a percentage

Needed to calculate Single Loss Expectancy

Question 22

What is Single Loss Expectancy (SLE)?

Answer 22

It is the cost associated with a single realised risk against a specific asset

Expressed as monetary value

Calculated by:-

SLE = Asset Value (AV) x Exposure Factor (EF)

Question 23

What is Annual Rate of Occurrence? (ARO)

Answer 23

It is expected frequency a threat or risk will occur in a single year AKA Probability Determination

Can be derived from historical records, statistical analysis or guesswork

ARO = Number of known events/ Number of years

or

ARO = Number of users x likelihood of threat per user

Question 24

What is Annualised Loss Expectancy (ALE) and how is it calculated

Answer 24

Possible yearly cost of all instances of a specific realised threat against a specific asset

ALE = SLE x ARO

Question 25

What is Qualitative Risk Analysis?

Answer 25

More scenario based than calculators based

Rank threats on a scale to evaluate potential impact rather than assign possible monetary losses

Should be used alongside Quantitative to evaluate all factors

Can measure repetitional impacts

Involves judgement intuition and experience

Question 26

What are the results of risk analysis?

Answer 26

Complete and detailed valuation all assets

Exhaustive list of all threats and risks, rate of occurrence and extent of loss if realised

List of threat specific mitigations and their effectiveness

Cost/benefit analysis of each mitigation

Question 27

What are the 4 possible responses to risk?

Answer 27

Mitigate - Implement controls to reduce the risk

Transfer - Move the risk to someone else (insurance)

Accept - Accept the risk level and monitor for events

Reject - Ignore the risk and hope for the best

Question 28

What would a new mitigation look to do to be deemed a viable solution in quantitative risk?

Answer 28

Calculate ALE for the asset after mitigation implemented

Look to reduce either Exposure Factor (EF), Annualised Rate of Occurrence (ARO) or both.

This will reduce the Annualised Loss Expectancy (ALE)

Question 29

Mitigation may be considered financially viable under what circumstances?

Answer 29

If the difference between the old and new ALE value is greater than the Annualised Cost of Mitigation (ACM)
(ALE1 – ALE2) – ACM = value of mitigation

Question 30

What is qualitative mitigation?

Answer 30

Imagine mitigation has been put in place, compare new predicted likelihood and impact to original risk matrix and look for reduction in either or both these factors

Question 31

When is qualitative mitigation deemed viable?

Answer 31

If the reduction brings the overall score/risk into an acceptable level

Question 32

What factors should be considered when calculating Annualised Cost of Mitigation?

Answer 32

Cost of purchase, development and licensing

Cost of implementation and customisation

Cost of annual operation, maintenance, administration

Productivity improvements/impairments

Cost of testing/evaluating

Question 33

When might senior management choose to accept a risk?

Answer 33

If the mitigation costs more than the potential loss due to an event. In this case senior management must agree to accept the consequences if risk is realised

Question 34

If risk is accepted, a clearly written statement should provide what?

Answer 34

why mitigation was not implemented

Who is responsible for the decision

Who will be responsible if risk is realised