Risk, Response, and Recovery
Which of the following choices identify valid threat sources? (Choose all that apply.)
A. Employee
B. Earthquake
C. State-sponsored attacker
D. Administrator

A, B, C, D. All of the answers are valid threat sources. Employees can be adversarial threat sources if they intentionally cause damage or accidental threat sources if they accidentally cause damage. An earthquake is an environmental threat source. A state-sponsored attacker is an adversarial threat source. An administrator is also an employee, and one with elevated privileges, so an administrator can likewise be an adversarial or accidental threat source.

Which of the following helps ensure that an organization focuses risk management resources only on the most serious risks?
A. Risk assessment
B. Residual risk
C. Countermeasures
D. Qualitative analysis

A. A risk assessment helps an organization prioritize risks so that it can focus risk management resources on the most serious risks. Residual risk is the risk that remains after implementing risk mitigation steps. Countermeasures are risk management resources that reduce risks. Risk assessments can use either a quantitative analysis or a qualitative analysis, but neither is superior in all circumstances.

Of the following choices, which one most accurately reflects differences between risk management and a risk assessment?
A. A risk assessment is a point-in-time event, while risk management is an ongoing process.
B. Risk management is a point-in-time event, while a risk assessment is an ongoing process.
C. Risk assessments are broad in scope, while risk management is focused on a specific system.
D. Risk management is one part of an overall risk assessment strategy for an organization.

A. A risk assessment is a point-in-time event, while risk management is an ongoing process. Risk assessment is one element of a risk management strategy, and risk assessments are generally focused on specific systems with a limited scope, while risk management is much broader.

Which of the following can cause a negative impact on an organization's assets?
A. A threat
B. A risk
C. A weakness
D. A control

A. A threat source can cause a negative impact by exploiting a vulnerability. Risk is the likelihood that a threat will exploit a vulnerability and cause a loss; the risk itself doesn't cause the negative impact. A weakness is a vulnerability. Attackers can exploit a vulnerability, but the vulnerability doesn't cause the loss. Controls attempt to reduce risk by reducing vulnerabilities or reducing the impact of a risk.

You have completed a risk assessment and determined that you can purchase a control to mitigate a risk for only $10,000. The SLE is $2,000 and the ARO is 20. Is this cost justified?
A. Yes. The control is less than the ALE.
B. No. The control exceeds the ALE.
C. Yes. The control exceeds the ARO.
D. No. The control is less than the ARO.

A. Because the cost of the control is less than the annual loss expectancy (ALE), the cost is justified. The cost of the control is $10,000 and the ALE is $40,000 ($2,000 × 20). The annual rate of occurrence (ARO) is the number of times the loss is expected to occur in a year (20 in the example), but on its own it isn't useful for this comparison; you multiply it by the single loss expectancy (SLE) to calculate the ALE.

You are completing a risk assessment and using historical data. You've identified that a system has failed five times in each of the past two years, and each outage resulted in losses of about $5,000. What is the ARO?
A. Five
B. $5,000
C. $25,000
D. Impossible to determine with the information provided

A. The annual rate of occurrence (ARO) is five because the system failed five times in each of the past two years. The single loss expectancy (SLE) is $5,000 and the annual loss expectancy (ALE) is $25,000 (SLE × ARO).

What's a primary method used to reduce risk?
A. Reducing threats
B. Reducing vulnerabilities
C. Increasing threats
D. Increasing vulnerabilities

B. A primary method of risk mitigation is reducing vulnerabilities. Threats often can't be reduced, and adding more threats won't reduce risk. You reduce vulnerabilities by implementing controls.

You are completing a risk assessment using historical data. You've identified that a system has failed three times in the past year, and each of these outages resulted in approximately $10,000 in losses. What type of analysis does this allow you to perform?
A. Qualitative
B. Quantitative
C. Informative
D. Subjective

B. A quantitative analysis uses numerical figures to identify the actual costs associated with a risk. A qualitative analysis uses subjective terms such as low, medium, and high to analyze a risk. There is no such thing as an informative analysis.

Which of the following formulas will determine the annual loss expectancy (ALE)?
A. SLE - ARO
B. SLE × ARO
C. ARO - SLE
D. SLE / ARO

B. ALE is the product of the single loss expectancy (SLE) and the annual rate of occurrence (ARO), or SLE × ARO. The ALE is not calculated by subtracting the ARO from the SLE (or the SLE from the ARO), nor by dividing the SLE by the ARO.

An organization has a business location in Miami, Florida. Due to the risks associated with hurricanes, the organization has decided to move the location to Atlanta, Georgia, away from any ocean. What risk management strategy is the organization using?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

B. By moving the location to a city that can't be hit by a hurricane, the company is using risk avoidance. Risk acceptance doesn't take any action to mitigate the risk. In risk mitigation, you attempt to reduce the risk, perhaps by ensuring that the building is built with hurricane-resistant materials. The company can transfer the risk by purchasing hurricane and flood insurance.

What should an organization do when the cost of a control exceeds the cost of a risk?
A. Implement the control
B. Accept the risk
C. Perform a risk assessment
D. Mitigate the risk

B. If the cost of a control exceeds the cost of a risk, the organization should accept the risk. The organization might implement the control if the cost of the control were less than the cost of the risk, since that would indicate a cost savings. A risk assessment can analyze the value of the control, but you wouldn't need to perform one if you already know the cost of the control exceeds the cost of the risk. Mitigating the risk implies implementing the control, but based on the known costs, it's appropriate to accept the risk.

What is the purpose of risk management?
A. Eliminate risks
B. Reduce risks to an acceptable level
C. Share or transfer risks
D. Identify risks

B. Risk management reduces risks to an acceptable level. It is not possible to eliminate risk. One method of managing risk is to share or transfer risk, but that is not the only method. Similarly, risk management processes identify risk, but risk management is much more than just identifying risk.

A risk assessment recommended several controls to mitigate risks, but only some of the controls were accepted and implemented. Who is responsible for any losses that occur from the remaining risk?
A. The person completing the risk assessment
B. Senior management
C. IT personnel managing the systems
D. Security personnel

B. Senior management is responsible for making decisions on what risk to mitigate. The remaining risk is residual risk, and senior management is responsible for any losses from this residual risk.

Of the following choices, what best represents all of the steps related to incident response?
A. Preparation, containment, detection, analysis, eradication, and recovery
B. Preparation, detection, analysis, containment, eradication, and recovery
C. Containment, preparation, detection, analysis, eradication, and recovery
D. Containment, analysis, detection, eradication, and recovery

B. The steps recommended in NIST SP 800-61 are preparation, detection, analysis, containment, eradication, and recovery. Containment is important once an incident has been detected and analyzed, but it can't be done beforehand.

Which of the following choices best represents the definition of risk?
A. The likelihood that a threat source can cause a threat event resulting in a vulnerability
B. The likelihood that a vulnerability can exploit a threat and cause a loss
C. The likelihood that a threat will exploit a vulnerability and cause a loss
D. The likelihood that an incident can cause a vulnerability resulting in a loss

C. A risk is the likelihood that a threat will exploit a vulnerability and cause a loss. Threats do not create vulnerabilities, and vulnerabilities do not exploit threats. Similarly, incidents do not cause vulnerabilities.

Of the following choices, what is an important first step in a risk management plan?
A. Implementing controls
B. Identifying vulnerabilities
C. Identifying assets
D. Identifying threats

C. You must identify assets first. You can then identify threats against these assets and vulnerabilities in these assets. You can't recommend or implement controls until you know what you want to protect.

You decide to manage risk by purchasing insurance to cover any losses. Which one of the following risk management techniques are you using?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

D. Insurance is one of the ways that you can manage risk by transferring the risk to a third party. Risk acceptance doesn't take any further action to mitigate the risk. In risk avoidance, you avoid the activity that results in the risk. It's most common to try to reduce the risk using risk mitigation.

An organization has implemented several controls to mitigate risks. However, some risk remains. What is the name of the remaining risk?
A. Vulnerable risk
B. Mitigated risk
C. Alternate risk
D. Residual risk

D. Residual risk is any risk that remains after implementing controls to mitigate the risk. It's often not cost effective to implement controls to eliminate all risks, so senior management must make decisions on what risk to mitigate and what risk to accept as residual risk. Vulnerable risk and alternate risk are not valid terms associated with risk management.

You are involved in risk management activities within your organization. Of the following activities, which one is the best choice to reduce risk?
A. Reducing threats
B. Increasing vulnerabilities
C. Increasing impact
D. Mitigating risk

D. Risk mitigation is the process of reducing risk. You can rarely reduce threats, but you can often reduce (not increase) vulnerabilities or reduce (not increase) the impact of a risk.

What is the first step in incident response?
A. Analysis
B. Containment, eradication, and recovery
C. Detection
D. Preparation

D. The first step in incident response is preparation, which includes creating an incident response plan. The other answers are valid steps in incident response, but they aren't the first step.