Quiz for Chapter 4
7. What is Risk Evaluation?
Evaluate each threat to determine how harmful it could be
6. What is Risk Identification?
Identify all potential threats.
13. What are the three steps to Phase One?
Identify, Evaluate, and Understand the assets that the organization has.
4. What components of information system are categorized in Risk Identification step?
People, Procedure, Data, S/W, H/W, and N/W
12. What are the two phases of Risk Assessment?
Phase One: Know Yourself Phase Two: Know Your Enemy
3. What are the two components of Risk Management?
Risk Assessment and Risk Analysis and Control
4. What is Risk Assessment?
Risk Assessment and Risk Analysis and Control
1. What are the three main steps of Risk Assessment and in which order they need to be performed?
Risk Identification Risk Evaluation Risk Prioritization
1. What is Risk?
Risk be formally defined as a potential or probability that a particular threat can exploit a particular weakness that may result in undesirable outcomes.
10. What is Risk Control?
The final process in which proposed security technology and policies are developed, implemented, and maintained to control the known risks.
6. What is the significance of performing Asset Assessment (i.e., what information it provides to a Risk Analyst)?
The first step in the risk assessment process is to assign a value/weight to each identified asset so that we can classify them with respect to the value each asset adds to the organization.
1. In order to determine an appropriate probability of threat occurring, what information a Risk Analyst (i.e., SMG) should use?
The security management group (Risk Analyst) will determine the appropriate values for likelihood using the following 3 things: a) Results of previous 2 stages (i.e., Asset and Threat Assessment) b) Organization's current risk environment and c) Existing security controls
9. What is Risk Analysis?
This will further examine each threat and determine what security policies, procedures, and technology should be implemented to counter these threats.
10. ___T or F ________ Increasing the exposure factor always increases the single loss expectancy (assuming a constant asset value).
True
11. ___T or F _________ Information assets with high risk magnitude (RM) need additional or immediate security control to reduce the risk.
True
9. __T or F_________ Increasing likelihood of a threat occurring always increases the risk magnitude (assuming a constant asset value).
True
2. The process of examining/evaluating how each threat will affect an organization is called a(n) _________________
(Answer: Threat Assessment)
3. Likelihood is the probability which is assigned between __________ to show low probability and ______________ to show high probability.
0.1 to 1
15. What are the five steps of Risk Identification?
1. Categorize all Information Security Components 2. Identify all assets 3. Categorize assets 4. Identify vulnerable assets 5. Identify all potential threats
14. What are the four steps to Phase Two?
1. Identify all potential threats. 2. Evaluate each threat with respect to its impact on the organization. 3. Relate threats to critical assets. 4. Based on your understanding, assign a priority to each threat.
5. What are the three main steps of Risk Assessment?
1. Identify all risks that the organization is facing. 2. Evaluate each risk 3. Assign a priority to each identified risk
11. What three questions need answered when we perform Risk Management?
1. What assets do we need to protect? 2. How are these assets threatened? 3. What can we do to counter these threats?
2. What is Risk Management?
Defined as a process in which all risks/threats are identified (Risk Identification) so that appropriate security measures can be taken (Risk Control) after performing Risk Analysis
7. Write down couple of questions that could be used as a criteria by a Risk Analyst to determine appropriate values/weight of each organization information asset.
• Q1: which information asset is the most critical to the success of the organization • Q2: Which Information Assets generates the most Revenue? • Q3: Which information asset generates the most profit? • Q4: Which information assets would be the most expensive to replace?
3. What is the difference between risk analysis and risk control.
• Risk-Analysis will further examine each individual threat in order to determine that what appropriate security measures must be taken to reduce or eliminate the risk • Risk Control is the process in which Security policies are develop, implemented, & monitored to ensure that the Risks are reduced or eliminated
1. _________________ is referred as probability that a particular vulnerability of an asset can be exploited by a threat to damage the organization.
Answer: Likelihood
4. _________________ Assessment determines the likelihood that a particular vulnerability can be exploited by the threat to damage the organization's asset.
Answer: Risk
5. ____________________________ group determines the appropriate values for likelihood
Answer: The security management group (Risk Analyst)
7. Risk magnitude can be calculated by multiplying _______________ and ______________
Asset value (also known as asset rating) with the likelihood or probability of threat occurring
6. Single loos expectancy is the product of __________________ and ________________
Asset value and Exposure Factor (EF%)
8. What is Risk Prioritization?
Assign a value to each risk.
12. ___T or F ________ An increase in the probability of threat (TP) increases the asset value (AV). Assume a constant risk magnitude (RM)?
False
8. __T or F_________ During Risk Identification, all critical assets are evaluated and categorized with respect to the value they add to the organization.
False