Risk (Lecture 4) Flashcards

1
Q

Define Security

A

Security is aimed at preventing loss or disclosure of data while maintaining authorised access

2
Q

Define Risk

A

The possibility or likelihood that something could happen to damage, destroy or disclose data and other resources without authorisation.

The more likely the occurrence of the threat, the greater the risk

Can be quantified as Risk = Threat x vulnerability

3
Q

Why is understanding risk management important?

A

Essential to establish a sufficient security stance, governance and legal proof of due care and due diligence

4
Q

Who is responsible for risk management in an organisation?

A

Responsibility of senior management and the organisation's governing board

Usually define the scope, purpose and parameters for a risk analysis

Day-to-day tasks are generally delegated throughout the organisation to teams with specialist knowledge or skills

Senior management must review results and authorise all decisions relating to risk

Due Care legal requirement (Data Protection, Transaction Processing)

5
Q

What does the term ‘Risk Appetite’ mean?

A

Risk appetite refers to how far away from ‘zero risk’ an organisation is willing to be and what amount of risk is acceptable

6
Q

What is the primary goal of risk management?

A

To reduce risk to an acceptable level

Acceptable levels vary between organisations and even departments within

7
Q

What can change acceptable levels of risk?

A

Value of assets

Budgets

Organisational Objectives and deliverables (Service Level Agreement)

8
Q

As well as computer-based risks, what other risks are there?

A

Natural disaster (fire, flood)

Terrorism/Activism

Accidental Damage

9
Q

What is Risk Analysis?

A

Process by which risk can be measured and quantified to assist in risk management.

Includes examining an environment for risk

Evaluates each threat for Likelihood of Occurrence and potential impact/consequence

10
Q

What does risk analysis focus on

A

Cost Vs Benefit
Likelihood of success
Implementation requirements

11
Q

Define a Breach

A

Occurrence of a security mechanism being bypassed or thwarted by a threat actor or attacker

12
Q

Define Penetration/Intrusion

A

Refers to a condition in which a threat actor has gained access to an organisation's infrastructure or resources by breaching security mechanisms

13
Q

What is asset valuation

A

A monetary value assigned to an asset indicating its worth to the organisation, including Tangible Costs (maintenance, repair, replacement, staffing)
and Intangible Costs (public confidence, industry support, organisational impact)

14
Q

What is a realised threat?

A

A threat or event that has taken place

15
Q

What does Exposure mean?

A

The potential future loss assigned to a threat or vulnerability.

Exposure to a ‘realised threat’ is called Experienced Exposure

16
Q

What does Mitigation mean?

A

AKA Countermeasures, security controls or safeguards - any measure which reduces vulnerabilities, and therefore risk, to protect against one or more threats

Can include software patching, changing configuration, employing physical security, training personnel

17
Q

How do you identify threats and vulnerabilities?

A

By creating an exhaustive list of all organisation assets, called an Asset Register, which should include physical and digital assets.

Then a list should be compiled of all possible threats to each asset. It should include threat agents as well as threat events

18
Q

Name and explain two types of risk analysis

A

Quantitative risk analysis - assigns monetary figures to the loss of an asset

Qualitative risk analysis - assigns subjective and intangible values to the loss of an asset

19
Q

How do you formulate a Quantitative Risk Figure for each asset and threat pair?

A

Assets assigned a value (Asset Value - AV)

Research each asset and produce list of possible threats to each asset

For each threat calculate the Exposure Factor (EF) and Single Loss Expectancy (SLE)

Perform a threat analysis to calculate the likelihood of each threat being realised in a single year (Annualised Rate of Occurrence - ARO)

Derive overall loss potential per threat by calculating Annualised Loss Expectancy (ALE)

Research countermeasures for each threat and calculate changes to ARO and ALE based on them being applied

Perform Cost/Benefit analysis of each countermeasure

20
Q

List considerations when determining asset value

A
Purchase cost
Development cost
Administrative cost
Maintenance cost
Market valuation
Liability
Operational cost
21
Q

What is Exposure Factor (EF)?

A

Shows percentage of loss that an organisation would experience if a specific asset was violated by a realised risk.

It is the expected overall asset value loss because of single realised risk

Expressed as a percentage

Needed to calculate Single Loss Expectancy

22
Q

What is Single Loss Expectancy (SLE)?

A

It is the cost associated with a single realised risk against a specific asset

Expressed as monetary value

Calculated by:-

SLE = Asset Value (AV) x Exposure Factor (EF)

23
Q

What is Annual Rate of Occurrence? (ARO)

A

It is the expected frequency with which a threat or risk will occur in a single year, AKA Probability Determination

Can be derived from historical records, statistical analysis or estimation (guesswork)

ARO = Number of known events/ Number of years

or

ARO = Number of users x likelihood of threat per user

24
Q

What is Annualised Loss Expectancy (ALE) and how is it calculated

A

Possible yearly cost of all instances of a specific realised threat against a specific asset

ALE = SLE x ARO

25
Q

What is Qualitative Risk Analysis?

A

More scenario-based than calculation-based

Ranks threats on a scale to evaluate potential impact rather than assigning possible monetary losses

Should be used alongside Quantitative analysis to evaluate all factors

Can measure reputational impacts

Involves judgement, intuition and experience

26
Q

What are the results of risk analysis?

A

Complete and detailed valuation of all assets

Exhaustive list of all threats and risks, rate of occurrence and extent of loss if realised

List of threat specific mitigations and their effectiveness

Cost/benefit analysis of each mitigation

27
Q

What are the 4 possible responses to risk?

A

Mitigate - Implement controls to reduce the risk

Transfer - Move the risk to someone else (insurance)

Accept - Accept the risk level and monitor for events

Reject - Ignore the risk and hope for the best (denying that a risk exists is not a defensible response and leaves no evidence of due care)

28
Q

What would a new mitigation look to do to be deemed a viable solution in quantitative risk?

A

Calculate the ALE for the asset after the mitigation has been implemented

Look to reduce either the Exposure Factor (EF), the Annualised Rate of Occurrence (ARO) or both.

Either reduction lowers the Annualised Loss Expectancy (ALE)

29
Q

Mitigation may be considered financially viable under what circumstances?

A

If the reduction in ALE (ALE before mitigation minus ALE after) is greater than the Annualised Cost of Mitigation (ACM)
(ALE1 – ALE2) – ACM = value of mitigation; a positive value means the control saves more than it costs
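The quantitative chain from the cards above (AV, EF, SLE, ARO, ALE, then cost/benefit per countermeasure) carried through in code. This is an added worked example, not material from the lecture; the asset value, threat figures and countermeasures are constructed for illustration, and the function names are this example's own:

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit.

Added worked example. All asset values, threat figures and countermeasures
below are constructed for illustration, not taken from the lecture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost per realised threat (0.0-1.0)
    aro: float              # Annualised Rate of Occurrence: expected events per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float      # ACM: purchase, implementation, operation and testing, spread per year
    exposure_factor: float  # EF once the control is in place
    aro: float              # ARO once the control is in place


def aro_from_history(event_count: int, years: float) -> float:
    """ARO = number of known events / number of years of records."""
    if years <= 0:
        raise ValueError("need at least some history to estimate ARO")
    return event_count / years


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: cost of one realised threat against the asset."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO: expected yearly loss from all instances of the threat."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def mitigation_value(asset_value: float, threat: Threat, control: Countermeasure) -> float:
    """(ALE before - ALE after) - ACM. Positive means the control saves more than it costs."""
    ale_before = annualised_loss_expectancy(asset_value, threat.exposure_factor, threat.aro)
    ale_after = annualised_loss_expectancy(asset_value, control.exposure_factor, control.aro)
    return (ale_before - ale_after) - control.annual_cost


def recommend(asset_value: float, threat: Threat, controls: list) -> str:
    """Name the control with the largest positive value, or 'accept' when none pays for itself."""
    ranked = sorted(controls, key=lambda c: mitigation_value(asset_value, threat, c), reverse=True)
    if not ranked or mitigation_value(asset_value, threat, ranked[0]) <= 0:
        return "accept"  # senior management must then sign off the residual risk
    return ranked[0].name


# Constructed scenario (illustrative numbers only): a customer database server.
CUSTOMER_DB_AV = 500_000.0
RANSOMWARE = Threat("ransomware", exposure_factor=0.6, aro=aro_from_history(3, 10))  # 3 incidents in 10 years
CONTROLS = [
    # cuts EF only: data is recoverable, attack still happens as often
    Countermeasure("offline backups", annual_cost=20_000.0, exposure_factor=0.15, aro=RANSOMWARE.aro),
    # cuts ARO only: fewer successful infections, same damage when one lands
    Countermeasure("endpoint detection", annual_cost=65_000.0, exposure_factor=0.6, aro=0.1),
    # cuts both, but the ACM exceeds the ALE it removes
    Countermeasure("full rebuild of estate", annual_cost=100_000.0, exposure_factor=0.05, aro=0.05),
]

if __name__ == "__main__":
    ale0 = annualised_loss_expectancy(CUSTOMER_DB_AV, RANSOMWARE.exposure_factor, RANSOMWARE.aro)
    print(f"ALE before mitigation: {ale0:,.0f}")
    for c in CONTROLS:
        print(f"{c.name:24s} value of mitigation: {mitigation_value(CUSTOMER_DB_AV, RANSOMWARE, c):,.0f}")
    print("recommendation:", recommend(CUSTOMER_DB_AV, RANSOMWARE, CONTROLS))
```

With these figures the ALE before treatment is 90,000 per year; offline backups are worth 47,500 a year net of their cost, endpoint detection loses 5,000 and the full rebuild loses 11,250, so only the first is financially viable. Note that the ARO estimate (3 events in 10 years) dominates the result: the same calculation with an ARO taken from guesswork rather than records should be flagged as low confidence.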

30
Q

What is qualitative mitigation?

A

Imagine the mitigation has been put in place, then compare the new predicted likelihood and impact against the original risk matrix and look for a reduction in either or both factors

31
Q

When is qualitative mitigation deemed viable?

A

If the reduction brings the overall score/risk into an acceptable level
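The qualitative method from cards 25, 30 and 31 as code: ordinal likelihood and impact scales, a 5x5 matrix banded into low/medium/high/critical, and a before/after comparison against the organisation's risk appetite. This is an added example, not part of the lecture; the scale labels, band thresholds and sample threats are constructed for illustration:

```python
"""Qualitative risk analysis: ordinal likelihood x impact scored against a risk appetite.

Added worked example. The scales, band thresholds and the sample threats are
constructed for illustration, not taken from the lecture.
"""
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Upper score bound for each band on the 5x5 matrix (constructed thresholds).
BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "critical")]
BAND_ORDER = {name: i for i, (_, name) in enumerate(BANDS)}


def risk_score(likelihood: str, impact: str) -> int:
    """Ordinal score: likelihood rank x impact rank (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} outside the 5x5 matrix")


def assess(likelihood: str, impact: str) -> tuple:
    score = risk_score(likelihood, impact)
    return score, risk_band(score)


def within_appetite(band: str, appetite: str) -> bool:
    """True when the band is no worse than the highest band the organisation will tolerate."""
    return BAND_ORDER[band] <= BAND_ORDER[appetite]


def evaluate(threats: list, appetite: str) -> list:
    """Re-score each threat with its proposed mitigation in place.

    A mitigation is viable only if it actually reduces the score AND the
    treated risk lands inside the appetite band. A risk that is already within
    appetite with no change is an acceptance candidate, not a viable mitigation.
    """
    results = []
    for name, before, after, mitigation in threats:
        score_before, band_before = assess(*before)
        score_after, band_after = assess(*after)
        reduced = score_after < score_before
        acceptable = within_appetite(band_after, appetite)
        results.append({
            "threat": name,
            "mitigation": mitigation,
            "score_before": score_before, "band_before": band_before,
            "score_after": score_after, "band_after": band_after,
            "reduced": reduced,
            "within_appetite": acceptable,
            "viable": reduced and acceptable,
        })
    # Highest untreated risk first, so the register reads top-down by urgency.
    return sorted(results, key=lambda r: r["score_before"], reverse=True)


def render_matrix() -> str:
    """Text rendering of the 5x5 matrix, impact across and likelihood down."""
    rows = ["likelihood \\ impact  " + "  ".join(f"{i:>10s}" for i in IMPACT)]
    for l_name in LIKELIHOOD:
        cells = [f"{risk_band(risk_score(l_name, i_name)):>10s}" for i_name in IMPACT]
        rows.append(f"{l_name:<20s} " + "  ".join(cells))
    return "\n".join(rows)


# Constructed threats: name, (likelihood, impact) now, (likelihood, impact) after mitigation, mitigation.
THREATS = [
    ("phishing leads to credential theft", ("likely", "major"), ("possible", "minor"), "MFA + awareness training"),
    ("insider data exfiltration", ("possible", "severe"), ("possible", "major"), "DLP on egress"),
    ("flood in server room", ("rare", "severe"), ("rare", "severe"), "none proposed"),
]

if __name__ == "__main__":
    print(render_matrix())
    for r in evaluate(THREATS, appetite="medium"):
        print(f"{r['threat']:36s} {r['score_before']:2d} {r['band_before']:8s} -> "
              f"{r['score_after']:2d} {r['band_after']:8s} viable={r['viable']}")
```

With a "medium" appetite, MFA takes phishing from high (16) to medium (6) and is viable; DLP reduces the insider risk from 15 to 12 but leaves it in the high band, so it is a reduction without being sufficient on its own; the flood risk sits within appetite untouched and is a candidate for formal acceptance rather than treatment.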

32
Q

What factors should be considered when calculating Annualised Cost of Mitigation?

A

Cost of purchase, development and licensing

Cost of implementation and customisation

Cost of annual operation, maintenance, administration

Productivity improvements/impairments

Cost of testing/evaluating

33
Q

When might senior management choose to accept a risk?

A

If the mitigation costs more than the potential (annualised) loss due to an event. In this case senior management must agree to accept the consequences if the risk is realised

34
Q

If risk is accepted, a clearly written statement should provide what?

A

Why the mitigation was not implemented

Who is responsible for the decision

Who will be responsible if risk is realised