Risk Management Flashcards

1
Q

What are the four possible outcomes of threats?

A
  1. Interception: unauthorised access to an asset, such as copying data or stealing a password.
  2. Interruption: an asset becomes unavailable, such as destroying hardware devices or corrupting a file.
  3. Modification: tampering with an asset, such as changing the values in a database.
  4. Fabrication: creation of new objects in a computer system, such as adding records to a database or creating a trapdoor.
2
Q

What are four responses to risks?

A
  1. Avoid it completely by withdrawing from an activity.
  2. Accept it and do nothing.
  3. Reduce it with security measures/controls such as prevention, detection, reaction/recovery.
  4. Insurance.
3
Q

Are people good at assessing risks?

Why/why not? (5)

A

No.
  1. They don't assess probabilities correctly.
  2. They overestimate current threats, or threats that have affected other people/organisations they know.
  3. They underestimate threats they believe don't apply to them.
  4. They forget about risks introduced by countermeasures/security measures.
  5. They shift risk to other assets/stakeholders, not realising that the risk remains in the system.

4
Q

What makes up the economic model of risk, and how do you measure estimates of loss and expected loss with no security?

A

Model:
L = loss: value of potential loss.
T = threat: probability of attack.
V = vulnerability: probability that attack will succeed, if it happens.
VT = probability of a successful attack.

Risk estimates:
Loss = L * T

Expected loss with no security:
V * L = VT * L
