Summarize risk management processes and concepts Flashcards

1
Q

Risk types

A
External
Internal
Legacy systems
Multiparty
IP theft
Software compliance/licensing
2
Q

External

A

External threat actors are one highly-visible source of risk. You must also consider wider threats than those of cyber attack. Natural disasters, such as the COVID-19 pandemic, illustrate the need to have IT systems and workflows that are resilient to widespread dislocation. The most critical type of impact is one that could lead to loss of life or critical injury. The most obvious risks to life and safety come from natural disasters, person-made disasters, and accidents, such as fire.

3
Q

Internal

A

Internal risks come from assets and workflows that are owned and managed by your organization. When reviewing internal risks, it is important to remember that these can be classed as malicious and accidental or non-malicious. Internal threats can include contractors granted temporary access.

4
Q

Legacy systems

A

Legacy systems are a source of risk because they no longer receive security updates and because the expertise to maintain and troubleshoot them is a scarce resource.

5
Q

Multiparty

A

Multiparty risk is where an adverse event impacts multiple organizations. Multiparty risk usually arises from supplier relationships. If a critical event disrupts a supplier or customer, then your own organization will suffer. These are often described as ripple impacts. For example, if one of your top five customers goes out of business because of a data breach, your company will lose substantial revenue. Organizations in these supply chain relationships have an interest in promoting cybersecurity awareness and capability throughout the chain.

As an illustration of how risk assessments can change in view of multiparty relationships, consider a company that makes wireless adapters, originally for use with laptops. In the original usage, the security of the firmware upgrade process is important, but it has no impact on life or safety. The company, however, earns a new contract to supply the adapters to provide connectivity for in-vehicle electronics systems. Unknown to the company, a weakness in the design of the in-vehicle system allows an adversary to use compromised wireless adapter firmware to affect the car’s control systems. The integrity of the upgrade process now has an impact on safety, and is much higher risk.

6
Q

IP theft

A

Intellectual property (IP) is data of commercial value that is owned by the organization. This can mean copyrighted material for retail (software, written work, video, and music) and product designs and patents. If IP data is exfiltrated it will lose much of its commercial value. Losses can be very difficult to recover in territories where there are not strong legal protections.

7
Q

Software compliance/licensing

A

Breaking the terms of the end user licensing agreement (EULA) that imposes conditions on installation of the software can expose the computer owner to substantial fines. License issues are most likely to arise from shadow IT, where users install software without change control approval. Network inventory management suites can report software installations on each host and correlate those with the number of license seats purchased. Licensing models can also be complex, especially where virtualization and the cloud are concerned. It is important to train the administrative staff on the specific license terms for each product.

8
Q

Risk management strategies

A

Acceptance
Avoidance
Transference

9
Q

Acceptance

A

Risk acceptance (or tolerance) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed. In this case, you should continue to monitor the risk (as opposed to ignoring it).

10
Q

Avoidance

A

Avoidance means that you stop doing the activity that is risk-bearing. For example, a company may develop an in-house application for managing inventory and then try to sell it. If while selling it, the application is discovered to have numerous security vulnerabilities that generate complaints and threats of legal action, the company may make the decision that the cost of maintaining the security of the software is not worth the revenue and withdraw it from sale. Obviously this would generate considerable bad feeling amongst existing customers. Avoidance is not often a credible option.

11
Q

Transference

A

Cybersecurity insurance

Transference (or sharing) means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities. For example, a company could stop in-house maintenance of an e-commerce site and contract the services to a third party, who would be liable for any fraud or data theft. Specific cybersecurity insurance or cyber liability coverage protects against fines and liabilities arising from data breaches and DoS attacks.

12
Q

Cybersecurity insurance

A

Transference (or sharing) means assigning risk to a third party, such as an insurance company or a contract with a supplier that defines liabilities. For example, a company could stop in-house maintenance of an e-commerce site and contract the services to a third party, who would be liable for any fraud or data theft. Specific cybersecurity insurance or cyber liability coverage protects against fines and liabilities arising from data breaches and DoS attacks.

13
Q

Mitigation

A
14
Q

Risk analysis

A
Risk register
Risk matrix/heat map
Risk control assessment
Risk control self-assessment
Risk awareness
Inherent risk
Residual risk
Control risk
Risk appetite
Regulations that affect risk posture
Risk assessment types
Likelihood of occurrence
Impact
Asset value
Single loss expectancy (SLE)
Annualized loss expectancy (ALE)
Annualized rate of occurrence (ARO)
15
Q

Risk register

A

A risk register is a document showing the results of risk assessments in a comprehensible format.

16
Q

Risk matrix/heat map

A

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

17
Q

Risk control assessment

A

A risk and control assessment is the process by which organisations assess and examine operational risks and the effectiveness of controls used to circumnavigate them.

18
Q

Risk control self-assessment

A

Risk and control self assessment (RCSA) is a process through which operational risks and the effectiveness of controls are assessed and examined. The objective is to provide reasonable assurance that all business objectives will be met.

19
Q

Risk awareness

A

To ensure that the business stakeholders understand each risk scenario, you should articulate it such that the cause and effect can clearly be understood by the owner of the asset. A DoS risk should be put into plain language that describes how the risk would occur and, as a result, what access is being denied to whom, and the effect to the business. For example: “As a result of malicious or hacking activity against the public website, the site may become overloaded, preventing clients from accessing their client order accounts. This will result in a loss of sales for so many hours and a potential loss of revenue of so many dollars.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Inherent risk

A

Risk that an event will pose if no controls are put in place to mitigate it.

21
Q

Residual risk

A

Risk that remains even after controls are put into place.

22
Q

Control risk

A

Control risk is a measure of how much less effective a security control has become over time. For example, antivirus became quite capable of detecting malware on the basis of signatures, but then less effective as threat actors started to obfuscate code. Control risk can also refer to a security control that was never effective in mitigating inherent risk. This illustrates the point that risk management is an ongoing process, requiring continual re-assessment and re-prioritization.

23
Q

Risk appetite

A

Risk appetite is a strategic assessment of what level of residual risk is tolerable. Risk appetite is broad in scope. Where risk acceptance has the scope of a single system, risk appetite has a project- or institution-wide scope. Risk appetite is constrained by regulation and compliance.

24
Q

Regulations that affect risk posture

A

Regulatory requirements to deploy security controls and make demonstrable efforts to reduce risk. Examples of legislation and regulation that mandates risk controls include SOX, HIPAA, Gramm-Leach-Bliley, the Homeland Security Act, PCI DSS regulations, and various personal data protection measures.

25
Q

Risk assessment types

A

Qualitative

Quantitative

26
Q

Qualitative

A

Qualitative risk assessment avoids the complexity of the quantitative approach and is focused on identifying significant risk factors. The qualitative approach seeks out people’s opinions of which risk factors are significant. Assets and risks may be placed in simple categories. For example, assets could be categorized as Irreplaceable, High Value, Medium Value, and Low Value; risks could be categorized as one-off or recurring and as Critical, High, Medium, and Low probability.

27
Q

Quantitative

A

Quantitative risk assessment aims to assign concrete values to each risk factor.

Single Loss Expectancy (SLE)—The amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.
Annualized Loss Expectancy (ALE)—The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annualized Rate of Occurrence (ARO).

28
Q

Likelihood of occurrence

A
29
Q

Impact

A

Impact is the severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.

30
Q

Asset value

A
31
Q

Single loss expectancy (SLE)

A

The amount that would be lost in a single occurrence of a particular risk factor.

32
Q

Annualized loss expectancy (ALE)

A

The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

33
Q

Annualized rate of occurrence (ARO)

A

In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

34
Q

Disasters

A

Environmental
Person-made
Internal vs. external

35
Q

Environmental

A

An environmental disaster, or natural disaster, is one that could not be prevented through human agency. Environmental disasters include river or sea floods, earthquakes, storms, disease, and so on. Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.

36
Q

Person-made

A

A person-made disaster event is one where human agency is the primary cause. Typical examples other than devastating cybersecurity incidents include terrorism, war, vandalism, pollution, and arson. There can also be accidental person-made disasters, such as cutting through power or telecoms cabling.

37
Q

Internal vs. external

A

An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor—anyone or anything whose presence within the company or organization has been authorized. Internal disaster also encompasses system faults, such as wiring causing a fire. Conversely, external disaster events are caused by threat actors who have no privileged access. External disaster includes disasters that have an impact on the organization through wider environmental or social impacts, such as disruption of public services or impacts to the supply chain.

38
Q

Business impact analysis

A

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

Recovery time objective (RTO)
Recovery point objective (RPO)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
Functional recovery plans
Single point of failure
Disaster recovery plan (DRP)
Mission essential functions
Identification of critical systems
Site risk assessment
39
Q

Recovery time objective (RTO)

A

The length of time it takes after an event to resume normal business operations and activities.

40
Q

Recovery point objective (RPO)

A

Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected.

41
Q

Mean time to repair (MTTR)

A

The average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

42
Q

Mean time between failures (MTBF)

A

The rating on a device or component that predicts the expected time between failures.

43
Q

Functional recovery plans

A

Because disasters are extreme and (hopefully) rare events, it is very difficult to evaluate how effective or functional a recovery plan is. There are four principal methods for assessing the functionality of recovery plans:

Walkthroughs, workshops, and orientation seminars—often used to provide basic awareness and training for disaster recovery team members, these exercises describe the contents of DRPs, and other plans, and the roles and responsibilities outlined in those plans.
Tabletop exercises—staff “ghost” the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything. These are simple to set up but do not provide any sort of practical evidence of things that could go wrong, time to complete, and so on.
Functional exercises—action-based sessions where employees can validate DRPs by performing scenario-based activities in a simulated environment.
Full-scale exercises—action-based sessions that reflect real situations, these exercises are held onsite and use real equipment and real personnel as much as possible. Full-scale exercises are often conducted by public agencies, but local organizations might be asked to participate.

44
Q

Single point of failure

A

A component or system that would cause a complete interruption of a service if it failed.

45
Q

Disaster recovery plan (DRP)

A

A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.

46
Q

Mission essential functions

A

A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

47
Q

Identification of critical systems

A

To support the resiliency of mission essential and primary business functions, it is crucial to perform an identification of critical systems. This means compiling an inventory of business processes and the assets that support them. Asset types include:

People (employees, visitors, and suppliers).
Tangible assets (buildings, furniture, equipment and machinery (plant), ICT equipment, electronic data files, and paper documents).
Intangible assets (ideas, commercial reputation, brand, and so on).
Procedures (supply chains, critical procedures, standard operating procedures).

For mission essential functions, it is important to reduce the number of dependencies between components. Dependencies are identified by performing a business process analysis (BPA) for each function. The BPA should identify the following factors:

Inputs—the sources of information for performing the function (including the impact if these are delayed or out of sequence).
Hardware—the particular server or data center that performs the processing.
Staff and other resources supporting the function.
Outputs—the data or resources produced by the function.
Process flow—a step-by-step description of how the function is performed.

48
Q

Site risk assessment

A