Risk Management Flashcards

1
Q

Terminology -
Threat
Vulnerability
Likelihood and impact
Countermeasures
Gap analysis

A
  • Threat: Anything that has the capacity to carry out malicious activity on things we want to protect
  • Vulnerability: Anything that allows the threat to execute its attack – once you have a threat and a vulnerability, you must determine the risk by looking at the likelihood and impact
  • Likelihood and impact: How likely is it to happen and how much impact will it have? Likelihood constantly changes as tools evolve and become available on the internet – so you must monitor the world for events that change the threat profile. You have to do things like purchase threat feeds to monitor new tools that are becoming available. For impact, most companies look at the monetary aspect, but that depends on the organization - a hospital may look at impacts to operations, and therefore, the loss of life.
  • Countermeasures/safeguards: These are measures that we take to keep the vulnerability from being exploited – they may be policies, procedures, and technical measures.
  • Gap analysis: How you identify and close the gap between the risk and the existing countermeasures in the most efficient and cost-effective ways possible
    o The process is complex
    o You first identify the gap between the level of risk and the countermeasure
    o What part of the risk does your countermeasure not address?
    o Once you know that gap, you go about closing the gap in the most cost-effective way possible
      ▪ New and improved countermeasures
      ▪ Deciding which are the best approach
      ▪ Comparing and selecting vendor products
      ▪ Negotiating contract, price, and licensing
      ▪ Implementing the selected countermeasures
      ▪ Performing metric measurements to determine if the countermeasures are as effective as you hoped
2
Q

Risk Management in practice:
Asset identification
Asset valuation
Threat analysis
Vulnerability analysis
Likelihood
Impact
Gap analysis
Countermeasure identification

A
  • Asset identification: what are you trying to protect – what are the most valuable assets you want to protect, both tangible (laptops) and non-tangible (reputation… etc, more difficult to quantify)
  • Asset valuation: How much do you value the asset – every dollar you spend protecting an asset effectively devalues the asset (if something costs a million dollars and you spend a million dollars to protect it, then the asset is worth nothing)
  • Threat analysis: What are the threats and dangers to the assets?
  • Vulnerability analysis: Which of those threats can cause problems?
  • Likelihood: How likely are those threats to happen? This changes over time
  • Impact: If/when they do happen, how bad will it be?
  • Gap analysis: Is there a gap between the problem and our protections? If so, how do we close the gap in the most efficient and most cost-effective way possible?
  • Countermeasure identification: How can we most effectively close the gap?
3
Q

Legal Obligation - Prudent Person Rule

A
  • Prudent person rule: there are legal obligations to ask whether the organization acted as a prudent person in protecting an asset
    o Due diligence: did they implement best practices considered prudent
    o Due care: actions that a reasonable person would exercise to protect assets
  • Can a senior manager convince a judge that they followed the prudent person rule?
4
Q

Quantitative Risk Management
Asset Value
Exposure factor
Single loss expectancy
Annual rate of occurrence
Annual loss expectancy

A
  • The quantitative approach deals in dollar amounts
    o A number of calculations are necessary to determine the appropriate expenditures for countermeasures.
    o Asset value
    o Exposure factor: The percentage of the asset value lost if a particular risk is realized. How much would you lose if the bad thing happened?
    o Single Loss Expectancy: How much will it cost each time the threat happens? If you take the asset value times the exposure factor you have the single loss expectancy. E.g., 500,000 (AV) x 10% (EF) = 50,000 (SLE)
    o Annual rate of occurrence: How often do you expect a threat to occur? 2.0 twice a year, 1.0 once a year, 0.5 every other year, 0.2 every 5 years, 0.1 every 10 years, 0.05 every 20 years. Of course you can’t predict the future but you can make the best informed decision possible.
    o Annual loss expectancy: this is the number we have been working towards. It is the single loss expectancy annualized. You calculate it by multiplying the SLE by the ARO (ALE = SLE x ARO). You could show that if something is going to cost you 10k a year, you can justify spending up to that amount to prevent the loss.
5
Q

Qualitative - Delphi method

A

  • The qualitative approach places risk on severity scales: instead of a million-dollar threat, you have a level 10 threat.
  • Delphi method: Interactive forecasting methodology relying on SMEs who use a numeric scale to rate the likelihood and severity of each threat. This process can continue for more than one round until the goal of consensus is reached.
  • This is for prioritization – we want to focus on threats with higher numbers

6
Q

Countermeasure areas vs types

A
  • Part of the risk management process is determining how to lower the risk to the organization. There are control areas and control types.
  • Control areas are:
    o Administrative controls – policy, procedure, standards, guidelines, compliance, and awareness training
    o Technical controls – firewalls, AV, encryption
    o Physical controls – guns, gates, locks, fences, CCTV, heating, HVAC – limiting physical access
  • Control types:
    o Preventive: authentication, firewalls
    o Detective: logging/auditing, IDS
    o Response: Incident response plans, backup/recovery capability
7
Q

Risk strategies
- Risk mitigation, avoidance, deterrence, acceptance, transference, and ignorance

A
  • We have looked at identifying our level of risk, now let’s look at the possible management decisions regarding that risk. They may decide to do the following:
    o Risk mitigation: you need to implement countermeasures to mitigate the level of risk
    o Risk avoidance: stop the activity that causes the risk – Windows has viruses, let's use Macs
    o Risk deterrence: we will detect wrongdoing and take swift, decisive, and harsh action – firing employees for inappropriate use of systems/resources
    o Risk acceptance: You mitigate, avoid, and deter as much as possible, but there is some residual risk left over – some risks cannot be mitigated at any cost – there is a risk/reward trade-off, and eventually it gets to the point where spending more doesn't make sense
    o Risk transference: take the residual risk and transfer it to an insurance company – cyber insurance
    o Risk ignorance: Management in small companies don't believe they are big enough to attract attention; however, for that very reason they are targeted more.