Risk Part1 Flashcards

1
Q

General

A

ISO16085 applies to systems and software over their lifecycle. Our focus is on risks relating to software engineering project management; however, the scope of ISO16085 is wider, as it covers the entire lifecycle of systems and software.

2
Q

Information Security Risk Management - application security

A

The focus here is on the development of insecure applications as a project management risk. The scope of ISO27034-5 is wider; for example, it encourages the establishment of libraries of reusable application security functions that may be shared both within and between organizations.

3
Q

Risk Management Process

A

The process includes context establishment, risk assessment, risk treatment, risk acceptance, risk monitoring, and communication. These steps are relevant in various fields, including software engineering and project management.

4
Q

Residual Risk

A

The portion of risk that remains after implementing controls or countermeasures.

5
Q

Risk Assessment

A

The process of identifying risks to operations, assets, individuals, organizations, etc., resulting from the operation of a system.

6
Q

Risk Identification

A

Finding, recognizing and describing risk (NIST definition).

7
Q

Risk Estimation

A

Assigning values to the probability and consequences of a risk, enabling the calculation of risk exposure (ISO/IEC 27005).

8
Q

Risk Evaluation

A

Comparing risk analysis results to criteria to determine whether risk is acceptable or tolerable (NIST).

9
Q

Risk Estimation

A

Involves assigning values to the probability and consequences of a risk. This allows the calculation of risk exposure: Risk Exposure (RE) = Risk Probability x Risk Impact.
The units for Risk Exposure and Risk Impact may be monetary or other quantifiable measures.

10
Q

Mapping of Risks on a Risk Matrix

A

The values assigned to Risk Probability and Risk Impact are used to plot risks on a risk matrix. This helps to categorize risks based on their severity and likelihood.

11
Q

Listing of Risks in a Risk Register

A

A risk register contains a list of organizational risks, each identified by the following attributes:
- Unique identifier
- Description of the risk
- Impact in monetary terms
- Probability
- Risk Rating (i.e. the RE)
- Risk Owner (ideally an individual)
- Date of risk identification
- Actions being taken
- Owner of the actions being taken
- Date for completion

12
Q

Risk Appetite

A

The level of risk that an organization will tolerate.

13
Q

Risk Acceptance - Governance

A

The risk is accepted by the information owner, not the CISO. The same applies in SE project management: it is usually the risk owner who decides how to manage the risk.

14
Q

Risk acceptance can happen because

A
  • It can be temporary, because the organization plans to address the risk in the future
  • It can be because the cost of addressing the risk is higher than the cost of the risk materializing
  • It can be because the risk is below the organization's risk appetite
15
Q

Qualitative Risk Assessment

A
  • Risk Exposure = Risk Probability x Risk Impact
  • Evaluates risk without relying on precise probabilities or values, often comparing similar risks
  • Useful for risks that are hard to quantify.
16
Q

Quantitative Risk Assessment

A
  • Converts risk into measurable financial metrics: Risk = Probability x Impact
  • Common metrics include:
    • Single Loss Expectancy (SLE)
    • Annualized Rate of Occurrence (ARO)
    • Annualized Loss Expectancy (ALE)
17
Q

Single loss expectancy

A

Expected financial loss per event, calculated as SLE = Asset Value x Exposure Factor.

18
Q

Annualized Rate of Occurrence

A

Estimated yearly frequency of a threat occurring.

19
Q

Annual Loss Expectancy

A

Expected annual financial loss, calculated as ALE = ARO x SLE.

20
Q

Problems with Quantitative Risk Assessment

A
  • Difficult to assess high-impact, low-probability events
  • People are not very good at assessing low probabilities
  • Different people will evaluate the same risk differently
  • Differences by a factor of 10 or 100 are common, e.g. estimates of the probability of a crash as 1 in 100000
  • Large error factors can cause events that are not really high risk to dominate the calculation (overestimation of probability), or events that are high risk to be ignored (underestimation of probability or impact)
21
Q

Comparing Approaches

A

Qualitative Risk Assessment
- Useful when justifying investment in one control versus another unrelated control.
- Useful when it isn't possible to obtain reliable data.

Quantitative Risk Assessment
- Useful to support a business case for justifying financial investment.
- Probabilities can be hard to establish accurately.
- Single Loss Expectancy depends on having known values.