Risk Management Flashcards
What is the definition of risk with regard to cybersecurity?
A probability that a threat will be realized
What is a vulnerability with regard to cybersecurity?
Weakness in design or implementation of a system
What is a threat with regard to cybersecurity?
A condition that could cause harm, loss or damage to, or compromise of, IT systems
Where does risk fit in with threat and vulnerability?
Risk lives between threat and vulnerability
What is risk avoidance? Give an example…
Stopping the activity that has the risk or choosing an alternative
Example: your office computers run on outdated Windows XP. You either take those computers offline or upgrade to a current (more secure) OS
What is risk transfer? Give an example…
Passing the risk to a third party.
Example: Getting insurance
What is risk mitigation? Give an example…
Seeking to minimize the risk to an acceptable level
Example: Regularly scan and take inventory of your network devices and software. Remove unnecessary or unexpected hardware and software from the network.
What is risk acceptance? Give an example…
Accepting the current level of risk and the costs associated with it
Example: Keeping legacy systems active if they are not connected to sensitive data environments. Allowing employees to connect their own devices to an organization’s networks if traffic from these devices is segmented from sensitive networks.
What is usually the deciding factor in risk acceptance?
Cost
What is residual risk?
The risk that is left over after avoiding, transferring and mitigating the risk
What are the risk assessment steps?
- Identify assets
- Identify vulnerabilities
- Identify threats
- Identify the impact of the risk
What is qualitative risk?
Using intuition, experience, judgement and other non-numerical and non-monetary methods to assign a relative value to risk
What is the critical factor in qualitative analysis?
Experience, since the analysis is highly subjective
What is quantitative risk?
Using numerical and monetary values to calculate risk
What is the magnitude of impact?
An estimate of the amount of damage that a negative risk might achieve