Risk Management

Question 1

Which process provides a systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating security resources?

Answer 1

The risk management process

Question 2

The five steps of the Risk Management Process:

Answer 2

1. Asset assessment (nature and value of an asset and the degree of impact if the asset is damaged or lost)
2. Threat assessment (type and degree of threat)
3. Vulnerability assessment (identification and extent of vulnerabilities)
4. Risk assessment (calculation of risks)
5. Countermeasure determination (security countermeasure options that can reduce or
   mitigate risk - cost effectiveness)

Question 3

Five broad categories for ASSETS

Answer 3

� Activities & Operations
� Equipment
� Facilities
� Information
� People

Question 4

Threat

Answer 4

A threat is any indication, circumstance, or event with the potential to cause the loss of or damage to an asset. Threat may also be defined as the intention and capability of an adversary to undertake detrimental actions against an asset owner’s interests. A threat may include any indication, circumstance, or event with the potential to cause the loss of or damage to an asset.

Question 5

Adversary

Answer 5

An adversary is any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities detrimental to assets. Common examples of adversaries are terrorists, criminals, and foreign intelligence services.

Question 6

Types of Adversaries (6 examples)

Answer 6

Criminal
Economic Espionage
Foreign Industrial Espionage
Foreign Intelligence Service
Insider
Terrorist

Question 7

Criminal

Answer 7

A criminal is an adversary who violates the law causing the loss of or damage to assets. Examples include: violent acts against people, theft, hacking, etc.

Question 8

Economic Espionage

Answer 8

Economic espionage is the theft or misappropriation of U.S. proprietary information or trade secrets, especially to foreign governments and their agents. Both traditionally friendly nations and recognized adversaries conduct industrial espionage.

Question 9

Foreign Industrial Espionage

Answer 9

Foreign industrial espionage is industrial espionage conducted by a foreign government or a foreign company with direct assistance of a foreign government against a private U.S. company for the purpose of obtaining commercial secrets.

Question 10

Foreign Intelligence Service

Answer 10

Foreign intelligence services are organizations that are part of a foreign government and engage in intelligence activities.

Question 11

Insider

Answer 11

An insider is an adversary who has special access or privileges, e.g., employees, contractors, customers, etc.

Question 12

Terrorist

Answer 12

A terrorist is an adversary who uses violence or the threat of violence to inculcate fear, with the intent to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

Question 13

Types of Adversary collection capabilities

Answer 13

HUMINT (Human Intelligence) is intelligence derived from people through interviews, elicitation, or reports originating from people.
IMINT (Imagery Intelligence) involves using various sources, such as satellites, photos, infrared, imaging radar, and electro-optical, for collecting image data.
MASINT (Measurement and Signatures Intelligence) is intelligence (excluding signals intelligence and traditional imagery intelligence) that, when collected, processed, and analyzed, results in intelligence that locates, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources. It includes the advanced data processing and exploitation of data from overhead and airborne imagery collection systems. MASINT data can be acquired from a variety of satellite, airborne, or ship borne platforms; remotely piloted vehicles; or from mobile or fixed ground-based collection sites.
OSINT (Open Source Intelligence) includes resources such as newspapers, internet, magazines, international conventions, FOIA requests, seminars, and exhibits (e.g., CNN.com, The New York Times, Aviation Week, and Space & Technology).
SIGINT (Signals Intelligence) is comprised of communications and the electronic and telemetry
collection of information in the non-visible portion of the electromagnetic spectrum.
“Covert” refers to an operation planned and executed to conceal the identity of, or permit plausible denial by, the sponsor. A covert operation is similar to law enforcement’s undercover operation.
“Overt” refers to an operation conducted openly to acquire information via the public domain.

Question 14

Critical Threat

Answer 14

A critical rating indicates that a definite threat exists against the assets. This rating is based on
knowledge that the adversary has both the capability and intent to launch an attack, and that the
subject or similar assets are targeted on a frequent or recurring basis.

Question 15

High Threat

Answer 15

A high rating indicates that a credible threat against the assets exists. This rating is based on
knowledge of the adversary’s capability and intent to attack the assets as well as on related
incidents having taken place at similar facilities.

Question 16

Medium Threat

Answer 16

A medium rating indicates there is a potential threat to the assets. This rating is based on the
adversary’s desire to compromise the assets and the possibility that the adversary could obtain
the capability through a third party who has demonstrated the capability in related incidents.

Question 17

Low Threat

Answer 17

A low rating indicates little or no credible evidence of capability or intent with no history of
actual or planned threats against the assets

Question 18

Vulnerability Areas

Answer 18

1. Equipment
2. Facility
3. Human
4. Information
5. Operational

Question 19

The best method to analyze asset vulnerabilities with existing countermeasures is through _________________

Answer 19

Regressive analysis. Regressive analysis requires analyzing the asset in an unprotected state first and then analyzing the asset considering the current countermeasures.

Question 20

5-steps to complete regressive analysis

Answer 20

1. Assess the asset’s vulnerabilities as if they were in a pure, unprotected state.
2. Reevaluate the asset’s vulnerabilities taking into consideration the effectiveness of the
   existing countermeasures.
3. Identify the asset’s vulnerability differences between the unprotected and protected.
4. Identify the ineffective countermeasures.
   assessments.
5. Identify and characterize the specific vulnerabilities that still exist, given the current
   countermeasures.

Question 21

Name Procedural Countermeasures

Answer 21

• Awareness Programs
• Disclosure Statements
• Legal Prosecution
• Paper Shredder
• Personnel Transfer
• Polygraph, Cover Procedures
• Response Planning
• Security Investigations
• Security Policies & Procedures
• Training, OPSEC Procedures

Question 22

Name Equipment Countermeasures

Answer 22

• Alarms/Sensors
• Badges
• Weapons
• Doors, Vaults
• Fences, Safe Havens
• Hardware/Software
• Lighting, CCTV
• Locking Mechanism
• TEMPEST Devices
• Window Bars

Question 23

Name Manpower Countermeasures

Answer 23

• Contractor Guard Force
• Local Guards
• Military Guards
• Special Police Officers

Question 24

Critical Vulnerability

Answer 24

A critical rating indicates that there are no effective countermeasures currently in place and all
known adversaries would be capable of exploiting the asset.

Question 25

High Vulnerability

Answer 25

A high rating indicates that, although there are some countermeasures in place, there are still
multiple weaknesses through which many adversaries would be capable of exploiting the asset.

Question 26

Medium Vulnerability

Answer 26

A medium rating indicates that there are effective countermeasures in place; however, one
weakness does exist which some known adversaries would be capable of exploiting.

Question 27

Low Vulnerability

Answer 27

A low rating indicates that multiple layers of effective countermeasures exist and few or no
known adversaries would be capable of exploiting the asset.

Question 28

Risk =

Answer 28

Impact x (Threat x Vulnerability) or (R = I [T x V])

Question 29

Critical Risk

Answer 29

A critical rating indicates that compromise to the assets targeted would have grave consequences
leading to loss of life, serious injury, or mission failure.

Question 30

High Risk

Answer 30

A high rating indicates that a compromise to assets would have serious consequences resulting in
loss of classified or highly sensitive data that could impair operations affecting national interests
for a limited period of time.

Question 31

Medium Risk

Answer 31

A medium rating indicates that a compromise to the assets would have moderate consequences
resulting in loss of confidential, sensitive data or costly equipment/property that would impair
operations affecting national interests for a limited period of time.

Question 32

Low Risk

Answer 32

A low rating indicates that there would be little or no impact on human life or the continuation of
operations affecting national security or national interests.

Question 33

Acceptable Risk

Answer 33

An asset’s acceptable risk cannot be determined by a formula. Acceptable risk varies with time,
circumstances, and management’s attitude toward risk in the organizational environment. The
asset sponsors or owners have the responsibility of deciding what constitutes an acceptable level
of risk for their assets.

Question 34

The costs of implementing countermeasures must be considered relative to:

Answer 34

Dollars: When determining the dollar cost of a countermeasure, consider the purchase price and
the life-cycle maintenance costs (e.g., installation, preventive maintenance, repair/warranty,
replacement, and training).
Inconvenience: When determining the cost of a countermeasure in terms of inconvenience,
consider whether the inconvenience caused is offset by the measure of risk reduction gained. If a
countermeasure is inconvenient, people will find a way to circumvent it.
Personnel: When determining the cost of a countermeasure in terms of the personnel required
for its implementation, consider the number of personnel needed to manage the countermeasure
as well as the skills, knowledge, and abilities of the personnel involved. Additionally, personnel
training needs/costs must be considered.
Time: When determining the cost of a countermeasure in terms of time, include the time to
implement or oversee the countermeasure and the time to prepare for its implementation, as well
as any time required for follow-up and evaluation.
Other: When determining the cost of a countermeasure in terms of any other influences,
consider the adverse publicity, political repercussions, reduced operational efficiency, and
unfavorable working conditions resulting from its implementation.