Risk Management Flashcards

1
Q

Which process provides a systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating security resources?

A

The risk management process

2
Q

The five steps of the Risk Management Process:

A
  1. Asset assessment (nature and value of an asset and the degree of impact if the asset is damaged or lost)
  2. Threat assessment (type and degree of threat)
  3. Vulnerability assessment (identification and extent of vulnerabilities)
  4. Risk assessment (calculation of risks)
  5. Countermeasure determination (security countermeasure options that can reduce or
    mitigate risk - cost effectiveness)
3
Q

Five broad categories for ASSETS

A
• Activities & Operations
• Equipment
• Facilities
• Information
• People
4
Q

Threat

A

A threat is any indication, circumstance, or event with the potential to cause the loss of or damage to an asset. A threat may also be defined as the intention and capability of an adversary to undertake detrimental actions against an asset owner’s interests.

5
Q

Adversary

A

An adversary is any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to assets. Common examples of adversaries are terrorists, criminals, and foreign intelligence services.

6
Q

Types of Adversaries (6 examples)

A
Criminal
Economic Espionage
Foreign Industrial Espionage
Foreign Intelligence Service
Insider
Terrorist
7
Q

Criminal

A

A criminal is an adversary who violates the law, causing the loss of or damage to assets. Examples include violent acts against people, theft, and hacking.

8
Q

Economic Espionage

A

Economic espionage is the theft or misappropriation of U.S. proprietary information or trade secrets, especially for the benefit of foreign governments and their agents. Both traditionally friendly nations and recognized adversaries conduct it.

9
Q

Foreign Industrial Espionage

A

Foreign industrial espionage is industrial espionage conducted by a foreign government or a foreign company with direct assistance of a foreign government against a private U.S. company for the purpose of obtaining commercial secrets.

10
Q

Foreign Intelligence Service

A

Foreign intelligence services are organizations that are part of a foreign government and engage in intelligence activities.

11
Q

Insider

A

An insider is an adversary who has special access or privileges, for example an employee, contractor, or customer.

12
Q

Terrorist

A

A terrorist is an adversary who uses violence or the threat of violence to inculcate fear, with the intent to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

13
Q

Types of Adversary collection capabilities

A

HUMINT (Human Intelligence) is intelligence derived from people through interviews, elicitation, or reports originating from people.
IMINT (Imagery Intelligence) involves using various sources, such as satellites, photos, infrared, imaging radar, and electro-optical sensors, for collecting image data.
MASINT (Measurement and Signatures Intelligence) is intelligence (excluding signals intelligence and traditional imagery intelligence) that, when collected, processed, and analyzed, locates, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources. It includes the advanced data processing and exploitation of data from overhead and airborne imagery collection systems. MASINT data can be acquired from a variety of satellite, airborne, or shipborne platforms; remotely piloted vehicles; or mobile or fixed ground-based collection sites.
OSINT (Open Source Intelligence) includes resources such as newspapers, the internet, magazines, international conventions, FOIA requests, seminars, and exhibits (e.g., CNN.com, The New York Times, and Aviation Week & Space Technology).
SIGINT (Signals Intelligence) comprises communications intelligence and the electronic and telemetry collection of information in the non-visible portion of the electromagnetic spectrum.
“Covert” refers to an operation planned and executed to conceal the identity of, or permit plausible denial by, the sponsor. A covert operation is similar to law enforcement’s undercover operation.
“Overt” refers to an operation conducted openly to acquire information via the public domain.

14
Q

Critical Threat

A

A critical rating indicates that a definite threat exists against the assets. This rating is based on
knowledge that the adversary has both the capability and intent to launch an attack, and that the
subject or similar assets are targeted on a frequent or recurring basis.

15
Q

High Threat

A

A high rating indicates that a credible threat against the assets exists. This rating is based on
knowledge of the adversary’s capability and intent to attack the assets as well as on related
incidents having taken place at similar facilities.

16
Q

Medium Threat

A

A medium rating indicates there is a potential threat to the assets. This rating is based on the
adversary’s desire to compromise the assets and the possibility that the adversary could obtain
the capability through a third party who has demonstrated the capability in related incidents.

17
Q

Low Threat

A

A low rating indicates little or no credible evidence of capability or intent with no history of
actual or planned threats against the assets

18
Q

Vulnerability Areas

A
  1. Equipment
  2. Facility
  3. Human
  4. Information
  5. Operational
19
Q

The best method to analyze asset vulnerabilities with existing countermeasures is through _________________

A

Regressive analysis. Regressive analysis requires analyzing the asset in an unprotected state first and then analyzing the asset considering the current countermeasures.

20
Q

5-steps to complete regressive analysis

A
  1. Assess the asset’s vulnerabilities as if they were in a pure, unprotected state.
  2. Reevaluate the asset’s vulnerabilities taking into consideration the effectiveness of the existing countermeasures.
  3. Identify the asset’s vulnerability differences between the unprotected and protected assessments.
  4. Identify the ineffective countermeasures.
  5. Identify and characterize the specific vulnerabilities that still exist, given the current countermeasures.
21
Q

Name Procedural Countermeasures

A
  • Awareness Programs
  • Disclosure Statements
  • Legal Prosecution
  • Paper Shredder
  • Personnel Transfer
  • Polygraph
  • Cover Procedures
  • Response Planning
  • Security Investigations
  • Security Policies & Procedures
  • Training
  • OPSEC Procedures
22
Q

Name Equipment Countermeasures

A
  • Alarms/Sensors
  • Badges
  • Weapons
  • Doors
  • Vaults
  • Fences
  • Safe Havens
  • Hardware/Software
  • Lighting
  • CCTV
  • Locking Mechanism
  • TEMPEST Devices
  • Window Bars
23
Q

Name Manpower Countermeasures

A
  • Contractor Guard Force
  • Local Guards
  • Military Guards
  • Special Police Officers
24
Q

Critical Vulnerability

A

A critical rating indicates that there are no effective countermeasures currently in place and all
known adversaries would be capable of exploiting the asset.

25
Q

High Vulnerability

A

A high rating indicates that, although there are some countermeasures in place, there are still
multiple weaknesses through which many adversaries would be capable of exploiting the asset.

26
Q

Medium Vulnerability

A

A medium rating indicates that there are effective countermeasures in place; however, one
weakness does exist which some known adversaries would be capable of exploiting.

27
Q

Low Vulnerability

A

A low rating indicates that multiple layers of effective countermeasures exist and few or no
known adversaries would be capable of exploiting the asset.

28
Q

Risk =

A

Impact x (Threat x Vulnerability), i.e., R = I x (T x V)
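The regressive analysis procedure of card 20 and the R = I x (T x V) formula above, carried through as an added worked example. This is the editor's illustration, not code from the original flashcards or from any official DoD/DSS risk-management tool. The cards give no numbers, so everything numeric here is an assumption: the four ratings are mapped to Low=1, Medium=2, High=3, Critical=4 for impact, threat and vulnerability alike; the product is banded back into a risk rating by the thresholds in RISK_BANDS; the worst residual vulnerability supplies the V term; and a countermeasure that changes no rating when applied on its own is treated as ineffective. The server-room asset, its vulnerabilities, the countermeasures and the adversary threat ratings are constructed sample data.

```python
"""Regressive vulnerability analysis (card 20) feeding R = I x (T x V) (card 28).

Added worked example; not from the original flashcards or any official DoD/DSS
tool. All numeric scales and thresholds below are assumptions, and all asset,
countermeasure and adversary data is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RATING = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}   # assumed numeric scale
NAME = {v: k for k, v in RATING.items()}


@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                # Procedural / Equipment / Manpower (cards 21-23)
    reduces: Dict[str, int]  # vulnerability name -> rating levels it removes


def protected_state(unprotected: Dict[str, int],
                    countermeasures: List[Countermeasure]) -> Dict[str, int]:
    """Step 2: re-rate each vulnerability with the countermeasures in place.
    Reductions against one vulnerability stack; a rating never drops below Low."""
    state = dict(unprotected)
    for cm in countermeasures:
        for vuln, levels in cm.reduces.items():
            if vuln in state:
                state[vuln] = max(RATING["Low"], state[vuln] - levels)
    return state


def regressive_analysis(unprotected: Dict[str, int],
                        countermeasures: List[Countermeasure]):
    """Steps 1-5 of card 20; `unprotected` is the step-1 (pure, unprotected) rating."""
    protected = protected_state(unprotected, countermeasures)                 # step 2
    differences = {v: (NAME[unprotected[v]], NAME[protected[v]])              # step 3
                   for v in unprotected if protected[v] != unprotected[v]}
    # Step 4 (assumed criterion): a countermeasure that changes no rating when
    # applied alone is ineffective, e.g. it addresses a vulnerability the asset lacks.
    ineffective = [cm.name for cm in countermeasures
                   if protected_state(unprotected, [cm]) == unprotected]
    # Step 5: what still exists; anything rated above Low is carried forward.
    residual = {v: NAME[r] for v, r in protected.items() if r > RATING["Low"]}
    return protected, differences, ineffective, residual


# Assumed thresholds for banding I*(T*V) (1..64 on this scale) back into the
# four risk ratings of cards 29-32; checked from the top down.
RISK_BANDS = [(36, "Critical"), (18, "High"), (8, "Medium"), (0, "Low")]


def risk_rating(impact: str, threat: str, vulnerability: str) -> Tuple[int, str]:
    """Card 28: R = I x (T x V), evaluated on the ordinal scale and then banded."""
    score = RATING[impact] * (RATING[threat] * RATING[vulnerability])
    band = next(label for floor, label in RISK_BANDS if score >= floor)
    return score, band


def assess(impact: str, unprotected: Dict[str, int],
           countermeasures: List[Countermeasure],
           threats: Dict[str, str]) -> Dict[str, Tuple[int, str]]:
    """Risk per adversary, using the worst residual vulnerability as the V term."""
    protected, _, _, _ = regressive_analysis(unprotected, countermeasures)
    worst_v = NAME[max(protected.values())]
    return {adversary: risk_rating(impact, t, worst_v) for adversary, t in threats.items()}


# --- constructed sample data: a classified server room with High impact ---
ASSET_IMPACT = "High"
UNPROTECTED = {                                       # step 1; vulnerability areas from card 18
    "unlocked entry door": RATING["Critical"],        # Facility
    "no visitor escort": RATING["High"],              # Human
    "unshredded draft documents": RATING["Medium"],   # Information
    "unpatched workstation": RATING["High"],          # Equipment
}
COUNTERMEASURES = [
    Countermeasure("Locking mechanism", "Equipment", {"unlocked entry door": 2}),
    Countermeasure("Paper shredder", "Procedural", {"unshredded draft documents": 1}),
    Countermeasure("Window bars", "Equipment", {"ground-floor window": 2}),  # no such vulnerability here
    Countermeasure("Contractor guard force", "Manpower",
                   {"unlocked entry door": 1, "no visitor escort": 1}),
]
THREATS = {  # assumed threat rating per adversary type (cards 6 and 14-17)
    "Insider": "Critical",
    "Foreign intelligence service": "High",
    "Criminal": "Medium",
    "Terrorist": "Low",
}

if __name__ == "__main__":
    _, differences, ineffective, residual = regressive_analysis(UNPROTECTED, COUNTERMEASURES)
    print("changed by countermeasures:", differences)
    print("ineffective countermeasures:", ineffective)
    print("residual vulnerabilities:", residual)
    for adversary, (score, band) in assess(ASSET_IMPACT, UNPROTECTED, COUNTERMEASURES, THREATS).items():
        print(f"{adversary:30} R={score:2d} -> {band}")
```

On the sample data the window bars show up as ineffective because the asset has no window vulnerability for them to address, the unpatched workstation is untouched by every countermeasure and so stays High, and that residual High is what drives the V term: the Critical-rated insider lands in the Critical risk band while a Low-rated terrorist threat lands in Medium. The point the cards make on acceptable risk (card 33) still applies: the bands only order the cases, and the asset owner decides which of them is acceptable.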

29
Q

Critical Risk

A

A critical rating indicates that compromise to the assets targeted would have grave consequences
leading to loss of life, serious injury, or mission failure.

30
Q

High Risk

A

A high rating indicates that a compromise to assets would have serious consequences resulting in
loss of classified or highly sensitive data that could impair operations affecting national interests
for a limited period of time.

31
Q

Medium Risk

A

A medium rating indicates that a compromise to the assets would have moderate consequences
resulting in loss of confidential, sensitive data or costly equipment/property that would impair
operations affecting national interests for a limited period of time.

32
Q

Low Risk

A

A low rating indicates that there would be little or no impact on human life or the continuation of
operations affecting national security or national interests.

33
Q

Acceptable Risk

A

An asset’s acceptable risk cannot be determined by a formula. Acceptable risk varies with time,
circumstances, and management’s attitude toward risk in the organizational environment. The
asset sponsors or owners have the responsibility of deciding what constitutes an acceptable level
of risk for their assets.

34
Q

The costs of implementing countermeasures must be considered relative to:

A

Dollars: When determining the dollar cost of a countermeasure, consider the purchase price and
the life-cycle maintenance costs (e.g., installation, preventive maintenance, repair/warranty,
replacement, and training).
Inconvenience: When determining the cost of a countermeasure in terms of inconvenience,
consider whether the inconvenience caused is offset by the measure of risk reduction gained. If a
countermeasure is inconvenient, people will find a way to circumvent it.
Personnel: When determining the cost of a countermeasure in terms of the personnel required
for its implementation, consider the number of personnel needed to manage the countermeasure
as well as the skills, knowledge, and abilities of the personnel involved. Additionally, personnel
training needs/costs must be considered.
Time: When determining the cost of a countermeasure in terms of time, include the time to
implement or oversee the countermeasure and the time to prepare for its implementation, as well
as any time required for follow-up and evaluation.
Other: When determining the cost of a countermeasure in terms of any other influences,
consider the adverse publicity, political repercussions, reduced operational efficiency, and
unfavorable working conditions resulting from its implementation.