CH 5 - Risk analysis
Limitations to Quantitative risk assessment?
Accurate data isn't always available, Ensuring that people use the control as expected
A Risk ________________________ is a major component of a risk management plan
Assessment
Quantitative Risk Assessment
Calculates absolute financial values, losses and costs
Qualitative Risk Assessment
Calculates relative values, losses, and costs
Qualitative analysis is more time consuming than quantitative analysis
False
Risk assessments are a continuous process
False
What are the different types of assets?
Hardware, Software, Personnel, Data and Information
Why is risk assessment important?
Identifies which systems/assets to protect and gives insight into which controls provide the most value
Critical components of risk assessments
Identify scope of assessment, Identify critical areas, Identify team
Quantitative Risk Assessment Benefits
It becomes a simple math problem, provides cost benefit analysis and helps show accurate values for SLE, ARO, and safeguard values that help calculate CBA
Risk Matrix
Matching Probability and impact
Quantitative Assessment Methods
Objective, Monetary Values, Historical Data, SLE, ARO, ALE
What are some examples of software assets?
Office, inventory management, ERP systems
What are some examples of Data/Information assets?
Operations, Legal/Compliance, Research & Development, Sales Collaterals
What elements are included in a qualitative analysis?
Probability and impact
A ____________________ risk assessment is subjective. It relies on the opinions of experts
Qualitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of ____________ risk assessment is that it can be completed more quickly than other methods
Qualitative
In what order do we need to conduct risk assessments?
Qualitative then Quantitative
A ____________________ risk assessment is objective. It uses data that can be verified
Quantitative
A _________________________________ risk assessment uses SLE
Quantitative
You are trying to decide what type of risk assessment methodology to use. A primary benefit of ___________________ risk assessment is that it includes details for a cost benefit analysis
Quantitative
What are the different types of risk assessment?
Quantitative and Qualitative
You are working on a qualitative risk assessment for your company. You are thinking about the final report. What should you consider when providing the results and recommendations?
Resource allocation and risk acceptance
What elements are included in a quantitative analysis?
SLE, ALE, ARO
What can you use to help quantify risks?
SLE, ARO, Risk Assessment, Risk Mitigation Plan
What must you define when performing a qualitative risk assessment?
Scales used to define probability and impact
What are some examples of Hardware assets?
Server, Router, Switch, Firewall, Hub, Cable, Desktop, Laptop, Workstation, Handheld, CD-ROM, DVD, Zip Disk, Scanner, Printers
Of the following, what would be considered a best practice when performing risk assessments?
Start with clear goals and a defined scope, Enlist support of senior management, Repeat the risk assessment regularly, Provide clear recommendations
Limitations to Qualitative risk assessment?
Subjective, No CBA, No real standards
Qualitative Assessment Methods
Subjective, Word Values, Expert Opinions, Probability and impact
One of the challenges facing risk assessment is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
Uncertainty level
Qualitative Risk Assessment Benefits
Uses the opinions of experts, Is easy to complete, Uses words that are easy to express and understand
Challenges for risk assessment
Using a static process to evaluate a moving target, Availability, Data consistency, Estimating impact effects, Providing results that support resource allocation and risk acceptance
When should risk assessments be conducted?
When evaluating risk, When evaluating a control, Periodically after a control has been implemented