Week 1

Question 1

Risk assessment steps

Answer 1

Risk assessment: determine likelihood and impact

• Risk mitigation: avoid, reduce, transfer, accept
• Communication and consultation
• Monitoring and review

Question 2

Information security concerns

Answer 2

Confidentiality
Integrity
Availability

Question 3

CIA: Confidentiality

Answer 3

Preserving authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

Question 4

CIA: Integrity

Answer 4

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Question 5

CIA: Availability

Answer 5

Ensuring timely and reliable access to and use of information

Question 6

CIA: Auditability

Answer 6

Ensuring that evidence of all crucial transactions is stored reliably for auditing purposes

Question 7

Risk assessment Refsdal

Answer 7

Step 1: Context establishment
Step 2: Risk identification
Step 3: Risk analysis
Step 4: Evaluation
Step 5: Risk treatment

Question 8

Information Security as a process: Being in control

Answer 8

Plan Do Check Act

Question 9

Security controls

Answer 9

• Organisational: functional, role, task (SoD)
• Procedural: verification, workflow
• Technical: basic security (separate networks, firewalls, routers, encryption techniques), access control, logging and monitoring

Question 10

Access control

Answer 10

• Identification: unique way of identifying an entity (e.g. login)
• Authentication: proof of identity (e.g. password)
• Authorization: rights (read, write, execute) of person in role
• Nonrepudiation: receiver can’t deny receipt of message

Question 11

Access control

Answer 11

• Identification: unique way of identifying an entity (e.g. login)
• Authentication: proof of identity (e.g. password)
• Authorization: rights (read, write, execute) of person in role
• Nonrepudiation: receiver can’t deny receipt of message

Question 12

Resilience

Answer 12

Ability of assets, networks and systems to anticipate, absorb, adapt to (i.e. respond) and/or recover from a disruptive event or circumstance

Question 13

Systematic risk

Answer 13

is the risk of having not just statistically independent failures, but interdependent, so-called ‘cascading’ failures in a network of N interconnected system components (Helbing 2013; p 51)

Question 14

Hellbing writes

Answer 14

To cope with hyper-risks, it is necessary to develop risk competence and to prepare and exercise contingency plans for all sorts of possible failure cascades. […]. The aim is to attain a resilient (‘forgiving’) system design and operation. (Helbing p 55)