Chapter 9
(T/F) Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
True
(T/F) The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication.
True
(T/F) The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is economic feasibility.
True
(T/F) Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges.
True
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
InfoSec community analysis
Strategies to limit losses before and during a disaster are covered by what in the mitigation control approach?
disaster recovery plan
What should each information asset-threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
documented control strategy
What is a step in Stage 2 - Evaluate Loss Event Frequency of the FAIR risk management framework?
estimate control strength
The __________ level and an asset's value should be a major factor in the risk control strategy selection.
threat
The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or organizations.
transferal
In which technique does a group rate or rank a set of information, compile the results and repeat until everyone is satisfied with the result?
Delphi
What is NOT a valid rule of thumb on risk control strategy selection?
When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization's risk ___________.
appetite
What is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset?
benefit
What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
cost-benefit analysis
Application of training and education is a common method of which risk control strategy?
defense
When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the likelihood of a vulnerability being ___________.
exploited
The NIST risk management approach includes all but what element?
inform
Which of the following affects the cost of a control?
maintenance
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is ____________________.
mitigation
What describes an organization's efforts to reduce damage caused by a realized incident or disaster?
mitigation
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
qualitative assessment of many risk components
What can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
risk appetite
The ISO 27005 Standard for Information Security Risk Management includes five stages including all but what?
risk determination
By multiplying the asset value by the exposure factor, you can calculate what?
single loss expectancy