Risk Management Concepts Flashcards
Mock Test Revision
Risk Register
A risk register is a structured document used in risk management to identify, assess, and mitigate potential threats to an organization. It catalogs risks (cyber, operational, financial), their probability/impact, mitigation strategies, and assigned owners. Essential for compliance (ISO 27001, NIST) and proactive security governance.
A calculation of SLE is an example of:
A. Quantitative risk assessment
B. Ad hoc risk assessment
C. Qualitative risk assessment
D. Recurring risk assessment
Quantitative risk assessment is a data-driven approach to risk management that quantifies threats in monetary terms, probabilities, and frequencies. It uses statistical models (e.g., ALE, ROI calculations) to prioritize mitigations based on financial impact. Common in insurance, cybersecurity budgets, and critical infrastructure protection. Contrasts with qualitative methods (e.g., “High/Medium/Low” ratings).
Assessment of risk probability and its impact based on subjective judgment falls into the category of:
A. Risk Acceptance
B. Quantitative Risk Assessment
C. Risk Tolerance
D. Qualitative Risk Assessment
Qualitative risk assessment is a non-numerical method of evaluating risks based on subjective criteria (e.g., likelihood, impact) using scales like “Low/Medium/High.” It prioritises threats through expert judgment, workshops, or risk matrices, often used when empirical data is limited. Common in agile projects, startups, and emerging threat analysis.
Which of the following answers refers to a risk assessment conducted for a specific purpose or project, without plans for regular reassessment (e.g., risk assessment for a new product launch)?
A. One-time
B. Recurring
C. Ad hoc
D. Continuous
A one-time mechanism is a security control designed for single use, eliminating the reuse risks inherent in static credentials. Common implementations include OTPs (TOTP/HOTP), ephemeral URLs, and cryptographic one-time pads. It provides robust protection against replay attacks but still requires safeguards against interception (e.g., phishing).
Which of the following answers refers to a risk assessment method based on need, typically conducted in response to specific events or changes, such as after a major organisational change or a security breach?
A. Ad hoc
B. Recurring
C. One-time
D. Continuous
Ad hoc describes a temporary, improvised solution or system created for a specific immediate need, without long-term planning. In IT, it often refers to peer-to-peer networks (e.g., wireless ad hoc modes) or unplanned workarounds. While flexible, ad hoc approaches often lack scalability/security, requiring later formalisation.