Your Momma - Chapter 1

In the ALE formula, "Impact" is measured in dollars. If the value of "I" is 7, what is the monetary impact? - 3 a. 10,000,000 b. 1,000,000 c. 10,000 d. 100,000,000

a. 10,000,000

Any option or strategy employed for risk mitigation must be evaluated in terms of: -- 16 a. Availability, affordability, and feasibility of application to operations b. Expectations and performance c. Cost versus performance d. Effectiveness

a. Availability, affordability, and feasibility of application to operations

What do the subscript "b" and "a" reference in the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value. - 5 a. Before and After b. Brought and Actual c. Briefing and Address d. Broken and Avid

a. Before and After

What term refers to the area where resources around an explosive device will be damaged by the blast? - 19 a. Blast vulnerability envelope b. Blast radius c. Blast damage estimate d. Ground zero

a. Blast vulnerability envelope

What are two tools used for quantifying threat probability? - 12-13 a. CARVER method and matrix b. ALE Matrix and c. CARVER and Threat Matrix d. Threat Matrix and Adversary Sequence Diagram

a. CARVER method and matrix

In the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value, what do the letters D, P, and S stand for? - 4 a. Damage, Prevention, and Success b. Damage, Prevention, and Security c. Damage, People, and Services d. Damage, Prevention, and Shutdown

a. Damage, Prevention, and Success

What is the purpose of an Adversary Sequence Diagram? - 15 a. Determine the timeline required for an adversary to breach security b. Determine the effectiveness of countermeasures c. Determine the location of assets d. All are purposes of the Adversary Sequence Diagram

a. Determine the timeline required for an adversary to breach security

Which of the following factors is not considered when determining risk? - 2 a. Location b. Value of an asset c. Threats or hazards d. Vulnerability

a. Location

As a minimum, how often should risk assessments be reassessed? - 18 a. Once a year, or if major changes to the organization or process occur b. Every five years, or if major changes to the organization or process occur c. No time frame exists, , only if major changes to the organization or process occur d. Semi-annually, or if major changes to the organization or process occur

a. Once a year, or if major changes to the organization or process occur

What are the five recurring steps to risk assessment using the RAM methodology? - 7 a. Planning, Threat Assessment, Facility Characterization, System Effectiveness, Risk Analysis b. Purpose, Objectives, Design Basis Threat, Risk, and Upgrades c. Review, Plan, Execute, Commission, Repeat d. Determine Risk, Calculate Likelihood, Determine Benefit, Analyze Risk, Implement

a. Planning, Threat Assessment, Facility Characterization, System Effectiveness, Risk Analysis

In basic terms, ALE is calculated by multiplying which two factors? - 3 a. Probability and value of potential loss b. Likelihood and frequency c. Frequency and probability d. Risk and likelihood

a. Probability and value of potential loss

Which one of the approaches to risk assessment relates to the number of something, cable of being measured or expressed in numerical terms? - 3 a. Quantitative b. Asset c. Scenario d. Qualitative

a. Quantitative

All approaches to risk assessment essentially break down into two groups. What are they? a. Quantitative and Qualitative b. Asset and Scenario c. Goals and Objectives d. None of the above

a. Quantitative and Qualitative

Which risk mitigation strategy has the lowest cost? - 16 a. Risk Assumption b. Risk Elimination c. Risk Avoidance d. Risk Limitation

a. Risk Assumption

What are defined as intent of damage or injury; an indication of something impending? - 10 a. Threats b. Hazards c. Risks d. Potential Loss

a. Threats

83. Internal dampening is used to absorb some OR all of the impact from a blast. -20 a. True b. False

a. True

A Consequence Matrix will assist in assessing what the risks may be and what countermeasures might be effective at different levels of risk. - 17 a. True b. False

a. True

A consequential event is one where, through a relationship between events or between two different organizations, the company suffers some type of loss as a consequence of that affiliation. - 11 a. True b. False

a. True

A properly performed risk analysis will highlight areas in which greater OR lesser security is needed. - 2 a. True b. False

a. True

A sacrificial roof is one that can be lost in a blast without damage to the primary asset. - 20 a. True b. False

a. True

Ductile materials are malleable and will absorb impact loads without breaking. - 19 a. True b. False

a. True

Non-crime related threats can be either natural or "human made." a. True b. False

a. True

Probability is a measure of the number of outcomes in an exhaustive set of equally like outcomes that produce a given event to the total number of possible outcomes. - 3 a. True b. False

a. True

Risk analysis is a process to identify asset values, threats, and vulnerabilities to ascertain risks. - 1 a. True b. False

a. True

The acronym NPV stands for "net present value." It is used to determine the overall cost (C) to implement a recommendation by multiplying it against operating cost (OC) and adding installation cost (IC). - 6 a. True b. False

a. True

The first task to perform during a risk assessment is to perform an asset value assessment. - 1 a. True b. False

a. True

The qualitative approach to risk assessment is by far the most widely used approach to risk analysis? - 6 a. True b. False

a. True

The term Nuclear, Biological, or Chemical (NBC) Weapons is synonymous with Weapons of Mass Destruction (WMD)? -20 a. True b. False

a. True

FEMA's asset valuation methodology uses a combination of __-level linguistic scale and a __-point numeric scale. - 7 a. 5, 10 b. 7, 10 c. 10, 5 d. 10, 7

b. 7, 10

To perform and NPV calculation, the cost of capital is set to __ percent and the horizon is set at __ years. - 6 a. 7, 5 b. 7,10 c. 10, 5 d. 10,10

b. 7,10

Quantitative Risk Analysis refers to? - 3 a. Characteristics of assets b. Amount or number of something c. Impact of event d. Total cost of recovery

b. Amount or number of something

What is the final step in vulnerability assessment methodology? -14 a. Determine asset value b. Assign a relative value to asset/threat pairs c. Project design and execution d. Policy revision, as required

b. Assign a relative value to asset/threat pairs

What is final step in conducting a security risk analysis? - 18 a. Project funding b. Cost-Benefit analysis c. Auditing the process d. Policy revision, as required

b. Cost-Benefit analysis

What does the acronym CARVER stand for? - 12 a. Criticality, Accessibility, Vulnerability, Environmental Impact, Recoupability b. Criticality, Accessibility, Vulnerability, Effects, Recognizability c. Criticality, Asset Value, Vulnerability, Environmental Impact, Recognizability d. Criticality, Asset Value, Vulnerability, Effects, Recoupability

b. Criticality, Accessibility, Vulnerability, Effects, Recognizability

A security assessment may be implemented without first identifying the assets to be protected. - 2 a. True b. False

b. False

ALE is utilized during qualitative risk analysis. - 3 a. True b. False

b. False

Probability is always precise - otherwise it can promote complacency. - 4 a. True b. False

b. False

Probability of threats is based upon mathematical certainty. - 12 a. True b. False

b. False

The RAM methodology is considered a qualitative, "consequence-driven" approach to risk assessment. - 6 a. True b. False

b. False

The intent of risk management is to eliminate risk to a facility. - 15 a. True b. False

b. False

When selecting risk mitigation options, all identified risks should be addressed. - 16 a. True b. False

b. False

What should be the primary consideration when determining which risk mitigation strategy to employ? - 16 a. Cost b. Goals and mission of the organization c. Countermeasures d. Adversaries

b. Goals and mission of the organization

What are defined as a source of potential danger or adverse condition? - 10 a. Threats b. Hazards c. Risk d. Natural Disasters

b. Hazards

What is the end result of risk analysis? - 1 a. Determine potential costs for recovery b. Identify threat mitigation options and select measures that provide greatest benefit c. Assess vulnerabilities to assets d. Assess potential threats and determine the countermeasures required

b. Identify threat mitigation options and select measures that provide greatest benefit

In the ALE formula: ALE = 10 (f+i-3)/3, "i" and "f" stand for? - 3 a. Incident, Frequency b. Impact, Frequency c. Integer, Frequency d. Implication, Frequency

b. Impact, Frequency

Which of the following is not considered when valuing assets? - 9 a. Replacement costs b. Location c. Impact on reputation d. Existence of backups

b. Location

What is defined as a list of the kinds of threats affecting the asset to be safeguarded? - 10 a. ALE matrix b. Loss Event Profile c. Vulnerability Model d. Asset Value Table

b. Loss Event Profile

When noting frequency using the ALE formula, values are rated from 1-8 with 1 being the ____ frequency of occurrence. - 4 a. Highest b. Lowest c. Average d. Absolute

b. Lowest

Loss or damage of the assets that would have serious consequences, such as serious injuries or impairment of core processes and functions for an extended period of time is defined as? - 7 a. High b. Medium High c. Medium d. Medium Low

b. Medium High

Which of the following is an "indirect cost?" - 9 a. Increased insurance premiums or deductibles b. Negative media coverage and long-term negative consumer perception c. Management time d. Punitive damages

b. Negative media coverage and long-term negative consumer perception

Who is responsible for identifying vital equipment located at facilities? a. Security b. Operations c. Safety d. Risk

b. Operations

When quantifying threat probability, each asset is compared against different threat scenarios using a technique called _____. - 13 a. CARVER matrixing b. Pair-Wise Comparison c. Threat-Pair Evaluation d. None of the above

b. Pair-Wise Comparison

______ can be defined as the potential for loss or damage to an asset. - 1 a. Threats b. Risk c. Countermeasures d. Attack probability

b. Risk

Site hardening is one risk mitigation strategy. Which of the following is not? - 16 a. Risk Assumption b. Risk Elimination c. Risk Avoidance d. Risk Limitation e. Risk Transference

b. Risk Elimination

Which risk mitigation strategy has the highest cost? - 16 a. Risk Elimination b. Site Hardening c. Risk Limitation d. Risk Transference

b. Site Hardening

Which of the following does not represent one of the three distinct categories of threats? - 11 a. Crimes b. Terrorist c. Non-crimes d. Consequential events caused by relationships with other organizations

b. Terrorist

What is the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value calculate? - 4 a. The likelihood of an incident occurring b. The expected risk or potential damage to an asset before security is implemented c. The time required to recuperate from an event d. The cost to secure an asset

b. The expected risk or potential damage to an asset before security is implemented

While financial cost is often a factor when selecting safeguards, what is a more common consideration? - 17 a. Whether a timeframe for compliance exists b. Whether it will interfere with the operation of the enterprise c. Whether it conflicts with union agreements d. All of these should factors should be examined

b. Whether it will interfere with the operation of the enterprise

What scale does FEMA use to assign relative values based on likelihood? - 8 a. 1-5 b. 1-7 c. 1-10 d. 1-4

c. 1-10

There are __ levels in FEMA's asset valuation linguistic scale with ___ being very low. - 7 a. 10, 1 b. 10, 10 c. 7, 1 d. 7, 10

c. 7, 1

The acronym ALE stands for? - 3 a. Average Loss Expectancy b. Annual Liability Exponent c. Annual Loss Expectancy d. Average Loss Exponent

c. Annual Loss Expectancy

Subtracting Db from Da will give you B. B stands for what? - 6 a. Breakdown b. Bonus c. Benefit d. Backup

c. Benefit

Which of the following should not be considered when selecting countermeasures? - 17 a. Individual countermeasures and security system effectiveness based on adversary and threat b. Different levels of effectiveness of countermeasures based on differing threat c. Different security systems based on the availability of threat information d. Increased levels of effectiveness of countermeasures based on the sophistication of threats

c. Different security systems based on the availability of threat information

Which of the following may be both a natural or human-made disaster regarding non-crime related events? - 11 a. Earthquakes b. Lighting strikes c. Fires d. Tidal Waves

c. Fires

82. Which of the following is not considered an Electronic Security System? - 20 a. IDS b. AECS c. GIS d. CCTV

c. GIS

What is the key to performing an asset value assessment? - 8 a. Records review b. Prior SVA results c. Interviewing stakeholders d. Internal audits

c. Interviewing stakeholders

Which method should be used when the practitioner has very good data regarding the actual cost of the loss or impact of a threat event and the frequency with which the threat will occur? - 3 a. ALE b. Qualitative c. Quantitative d. Impact versus Consequence

c. Quantitative

What are the two ways to establish values for assets? - 10 a. ALE and Qualitative b. Direct and Indirect c. Relative and Cost-of-Loss d. Threats and Hazards

c. Relative and Cost-of-Loss

What organization developed the Risk Assessment Methodologies (RAM) in 2002? - 6 a. API-NPRA b. CSSI c. Sandia Corporation d. DHS

c. Sandia Corporation

Which of the following is not considered an adversary action? a. Deceit b. Stealth c. Surveillance d. Force

c. Surveillance

Risk management incorporates and understanding of the _____ of assets to the consequences of _____ and hazards. - 15 a. Cost, Recoupability b. Risks, Likelihood c. Vulnerability, Threats d. Purpose, Inaction

c. Vulnerability, Threats

The linguistic level scale used for FEMA's asset valuation methodology classifies "High" as? - 7 a. 10 b. 9-10 c. 9 d. 8-9

d. 8-9

Which of these is NOT analyzed during a risk assessment? - 1 a. Asset values and threats b. Probability and consequences c. Vulnerabilities and risk d. All are analyzed.

d. All are analyzed.

Which factor is not considered when determining whether a loss risk even may occur? - 12 a. Historical data b. Makeup of the neighborhood and geographic location c. Political, social, and economic conditions d. All are factors of consideration

d. All are factors of consideration

What are the problems with employing quantitative risk analysis? - 3 a. Availability of data b. Inaccuracy of collected data regarding cost c. Inaccuracy of determining the probability of threats occurring d. All are problems with this type of analysis

d. All are problems with this type of analysis

Vulnerability is defined as? - 13 a. Any weakness that can be exploited by an aggressor b. To make an asset susceptible to damage from natural hazards c. To make an asset susceptible to damage from consequential events d. All of the above

d. All of the above

Which of the following is not a benefit of using the RAM methodology? - 6 a. Helps identify system components that are critical for the system to function b. Helps prioritize security upgrades or modify practices c. Offers companies a way to develop balanced security protection systems d. All of the above

d. All of the above

Which of the following must be understood in order to determine asset criticality? - 8-9 a. Define and understand the company's primary business functions and process b. Identify site and building infrastructure and systems c. Identify the company's critical tangible and intangible assets d. All of the above

d. All of the above

Which of the following is not true regarding assets? - 8 a. It is a resource of value requiring protection b. Can be anything you want to protect because of its value c. Can be tangible or intangible d. All of the above are true

d. All of the above are true

Terrorist acts may be classified into what category? - 11 a. Human-made disasters b. Crime Related Threats c. Consequential Events d. Both A& B

d. Both A& B

A Threat Matrix measures: - 13 a. Likelihood Versus Risk b. Risk Versus Impact c. Impact Versus Likelihood d. Consequences Versus Probability

d. Consequences Versus Probability

Probability is expressed as? - 3 a. A percentage b. A ratio c. An average d. Either a percentage or ratio

d. Either a percentage or ratio

Which of the following is not a type of countermeasure control? - 19 a. Preventative b. Corrective c. Detective d. Mitigating

d. Mitigating

Which of the following sources does not have data on natural disasters? - 11 a. FEMA b. USGS c. National Weather Service d. NIBR

d. NIBR

Which method to risk assessment is used when the practitioner has very good data relating to the actual cost of the loss or impact of a threat event and the frequency with which the threat will occur? - 3 a. Asset b. Scenario c. Qualitative d. Quantitative

d. Quantitative

Which of the following is not a source of data for criminal events? - 11 a. Local polices and UCR crime reports b. Internal records of incidents c. Demographics and social condition data d. These are all sources of data for criminal events

d.These are all sources of data for criminal events

Which of the following factors is used to determine whether an asset is vulnerable? - 14 a. Lack of redundancy and single points of failure b. Co-location of critical systems, organization, or components and collateral damage c. Presence of hazmat d. Inadequate security measures and ease of access e. All are factors for consideration

e. All are factors for consideration