Your Momma - Chapter 1
In the ALE formula, "Impact" is measured in dollars. If the value of "I" is 7, what is the monetary impact? - 3 a. 10,000,000 b. 1,000,000 c. 10,000 d. 100,000,000
a. 10,000,000
Any option or strategy employed for risk mitigation must be evaluated in terms of: -- 16 a. Availability, affordability, and feasibility of application to operations b. Expectations and performance c. Cost versus performance d. Effectiveness
a. Availability, affordability, and feasibility of application to operations
What do the subscripts "b" and "a" reference in the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value? - 5 a. Before and After b. Brought and Actual c. Briefing and Address d. Broken and Avid
a. Before and After
What term refers to the area where resources around an explosive device will be damaged by the blast? - 19 a. Blast vulnerability envelope b. Blast radius c. Blast damage estimate d. Ground zero
a. Blast vulnerability envelope
What are two tools used for quantifying threat probability? - 12-13 a. CARVER method and matrix b. ALE Matrix and c. CARVER and Threat Matrix d. Threat Matrix and Adversary Sequence Diagram
a. CARVER method and matrix
In the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value, what do the letters D, P, and S stand for? - 4 a. Damage, Prevention, and Success b. Damage, Prevention, and Security c. Damage, People, and Services d. Damage, Prevention, and Shutdown
a. Damage, Prevention, and Success
What is the purpose of an Adversary Sequence Diagram? - 15 a. Determine the timeline required for an adversary to breach security b. Determine the effectiveness of countermeasures c. Determine the location of assets d. All are purposes of the Adversary Sequence Diagram
a. Determine the timeline required for an adversary to breach security
Which of the following factors is not considered when determining risk? - 2 a. Location b. Value of an asset c. Threats or hazards d. Vulnerability
a. Location
As a minimum, how often should risk assessments be reassessed? - 18 a. Once a year, or if major changes to the organization or process occur b. Every five years, or if major changes to the organization or process occur c. No time frame exists, only if major changes to the organization or process occur d. Semi-annually, or if major changes to the organization or process occur
a. Once a year, or if major changes to the organization or process occur
What are the five recurring steps to risk assessment using the RAM methodology? - 7 a. Planning, Threat Assessment, Facility Characterization, System Effectiveness, Risk Analysis b. Purpose, Objectives, Design Basis Threat, Risk, and Upgrades c. Review, Plan, Execute, Commission, Repeat d. Determine Risk, Calculate Likelihood, Determine Benefit, Analyze Risk, Implement
a. Planning, Threat Assessment, Facility Characterization, System Effectiveness, Risk Analysis
In basic terms, ALE is calculated by multiplying which two factors? - 3 a. Probability and value of potential loss b. Likelihood and frequency c. Frequency and probability d. Risk and likelihood
a. Probability and value of potential loss
Which one of the approaches to risk assessment relates to the number of something, capable of being measured or expressed in numerical terms? - 3 a. Quantitative b. Asset c. Scenario d. Qualitative
a. Quantitative
All approaches to risk assessment essentially break down into two groups. What are they? a. Quantitative and Qualitative b. Asset and Scenario c. Goals and Objectives d. None of the above
a. Quantitative and Qualitative
Which risk mitigation strategy has the lowest cost? - 16 a. Risk Assumption b. Risk Elimination c. Risk Avoidance d. Risk Limitation
a. Risk Assumption
What are defined as intent of damage or injury; an indication of something impending? - 10 a. Threats b. Hazards c. Risks d. Potential Loss
a. Threats
Internal dampening is used to absorb some OR all of the impact from a blast. - 20 a. True b. False
a. True
A Consequence Matrix will assist in assessing what the risks may be and what countermeasures might be effective at different levels of risk. - 17 a. True b. False
a. True
A consequential event is one where, through a relationship between events or between two different organizations, the company suffers some type of loss as a consequence of that affiliation. - 11 a. True b. False
a. True
A properly performed risk analysis will highlight areas in which greater OR lesser security is needed. - 2 a. True b. False
a. True
A sacrificial roof is one that can be lost in a blast without damage to the primary asset. - 20 a. True b. False
a. True
Ductile materials are malleable and will absorb impact loads without breaking. - 19 a. True b. False
a. True
Non-crime related threats can be either natural or "human made." a. True b. False
a. True
Probability is a measure of the number of outcomes in an exhaustive set of equally likely outcomes that produce a given event to the total number of possible outcomes. - 3 a. True b. False
a. True
Risk analysis is a process to identify asset values, threats, and vulnerabilities to ascertain risks. - 1 a. True b. False
a. True
The acronym NPV stands for "net present value." It is used to determine the overall cost (C) to implement a recommendation by multiplying it against operating cost (OC) and adding installation cost (IC). - 6 a. True b. False
a. True
The first task to perform during a risk assessment is to perform an asset value assessment. - 1 a. True b. False
a. True
The qualitative approach to risk assessment is by far the most widely used approach to risk analysis. - 6 a. True b. False
a. True
The term Nuclear, Biological, or Chemical (NBC) Weapons is synonymous with Weapons of Mass Destruction (WMD). - 20 a. True b. False
a. True
FEMA's asset valuation methodology uses a combination of __-level linguistic scale and a __-point numeric scale. - 7 a. 5, 10 b. 7, 10 c. 10, 5 d. 10, 7
b. 7, 10
To perform an NPV calculation, the cost of capital is set to __ percent and the horizon is set at __ years. - 6 a. 7, 5 b. 7, 10 c. 10, 5 d. 10, 10
b. 7, 10
Quantitative Risk Analysis refers to? - 3 a. Characteristics of assets b. Amount or number of something c. Impact of event d. Total cost of recovery
b. Amount or number of something
What is the final step in vulnerability assessment methodology? - 14 a. Determine asset value b. Assign a relative value to asset/threat pairs c. Project design and execution d. Policy revision, as required
b. Assign a relative value to asset/threat pairs
What is the final step in conducting a security risk analysis? - 18 a. Project funding b. Cost-Benefit analysis c. Auditing the process d. Policy revision, as required
b. Cost-Benefit analysis
What does the acronym CARVER stand for? - 12 a. Criticality, Accessibility, Vulnerability, Environmental Impact, Recoupability b. Criticality, Accessibility, Vulnerability, Effects, Recognizability c. Criticality, Asset Value, Vulnerability, Environmental Impact, Recognizability d. Criticality, Asset Value, Vulnerability, Effects, Recoupability
b. Criticality, Accessibility, Vulnerability, Effects, Recognizability
A security assessment may be implemented without first identifying the assets to be protected. - 2 a. True b. False
b. False
ALE is utilized during qualitative risk analysis. - 3 a. True b. False
b. False
Probability is always precise - otherwise it can promote complacency. - 4 a. True b. False
b. False
Probability of threats is based upon mathematical certainty. - 12 a. True b. False
b. False
The RAM methodology is considered a qualitative, "consequence-driven" approach to risk assessment. - 6 a. True b. False
b. False
The intent of risk management is to eliminate risk to a facility. - 15 a. True b. False
b. False
When selecting risk mitigation options, all identified risks should be addressed. - 16 a. True b. False
b. False
What should be the primary consideration when determining which risk mitigation strategy to employ? - 16 a. Cost b. Goals and mission of the organization c. Countermeasures d. Adversaries
b. Goals and mission of the organization
What are defined as a source of potential danger or adverse condition? - 10 a. Threats b. Hazards c. Risk d. Natural Disasters
b. Hazards
What is the end result of risk analysis? - 1 a. Determine potential costs for recovery b. Identify threat mitigation options and select measures that provide greatest benefit c. Assess vulnerabilities to assets d. Assess potential threats and determine the countermeasures required
b. Identify threat mitigation options and select measures that provide greatest benefit
In the ALE formula ALE = 10^((f+i-3)/3), what do "i" and "f" stand for? - 3 a. Incident, Frequency b. Impact, Frequency c. Integer, Frequency d. Implication, Frequency
b. Impact, Frequency
Which of the following is not considered when valuing assets? - 9 a. Replacement costs b. Location c. Impact on reputation d. Existence of backups
b. Location
What is defined as a list of the kinds of threats affecting the asset to be safeguarded? - 10 a. ALE matrix b. Loss Event Profile c. Vulnerability Model d. Asset Value Table
b. Loss Event Profile
When noting frequency using the ALE formula, values are rated from 1-8 with 1 being the ____ frequency of occurrence. - 4 a. Highest b. Lowest c. Average d. Absolute
b. Lowest
Loss or damage of the assets that would have serious consequences, such as serious injuries or impairment of core processes and functions for an extended period of time is defined as? - 7 a. High b. Medium High c. Medium d. Medium Low
b. Medium High
Which of the following is an "indirect cost?" - 9 a. Increased insurance premiums or deductibles b. Negative media coverage and long-term negative consumer perception c. Management time d. Punitive damages
b. Negative media coverage and long-term negative consumer perception
Who is responsible for identifying vital equipment located at facilities? a. Security b. Operations c. Safety d. Risk
b. Operations
When quantifying threat probability, each asset is compared against different threat scenarios using a technique called _____. - 13 a. CARVER matrixing b. Pair-Wise Comparison c. Threat-Pair Evaluation d. None of the above
b. Pair-Wise Comparison
______ can be defined as the potential for loss or damage to an asset. - 1 a. Threats b. Risk c. Countermeasures d. Attack probability
b. Risk
Site hardening is one risk mitigation strategy. Which of the following is not? - 16 a. Risk Assumption b. Risk Elimination c. Risk Avoidance d. Risk Limitation e. Risk Transference
b. Risk Elimination
Which risk mitigation strategy has the highest cost? - 16 a. Risk Elimination b. Site Hardening c. Risk Limitation d. Risk Transference
b. Site Hardening
Which of the following does not represent one of the three distinct categories of threats? - 11 a. Crimes b. Terrorist c. Non-crimes d. Consequential events caused by relationships with other organizations
b. Terrorist
What does the formula Db = A*(1 - Pb)(1 - Sb)*Asset Value calculate? - 4 a. The likelihood of an incident occurring b. The expected risk or potential damage to an asset before security is implemented c. The time required to recuperate from an event d. The cost to secure an asset
b. The expected risk or potential damage to an asset before security is implemented
While financial cost is often a factor when selecting safeguards, what is a more common consideration? - 17 a. Whether a timeframe for compliance exists b. Whether it will interfere with the operation of the enterprise c. Whether it conflicts with union agreements d. All of these factors should be examined
b. Whether it will interfere with the operation of the enterprise
What scale does FEMA use to assign relative values based on likelihood? - 8 a. 1-5 b. 1-7 c. 1-10 d. 1-4
c. 1-10
There are __ levels in FEMA's asset valuation linguistic scale with ___ being very low. - 7 a. 10, 1 b. 10, 10 c. 7, 1 d. 7, 10
c. 7, 1
The acronym ALE stands for? - 3 a. Average Loss Expectancy b. Annual Liability Exponent c. Annual Loss Expectancy d. Average Loss Exponent
c. Annual Loss Expectancy
Subtracting Db from Da will give you B. B stands for what? - 6 a. Breakdown b. Bonus c. Benefit d. Backup
c. Benefit
Which of the following should not be considered when selecting countermeasures? - 17 a. Individual countermeasures and security system effectiveness based on adversary and threat b. Different levels of effectiveness of countermeasures based on differing threat c. Different security systems based on the availability of threat information d. Increased levels of effectiveness of countermeasures based on the sophistication of threats
c. Different security systems based on the availability of threat information
Which of the following may be either a natural or human-made disaster regarding non-crime related events? - 11 a. Earthquakes b. Lightning strikes c. Fires d. Tidal Waves
c. Fires
Which of the following is not considered an Electronic Security System? - 20 a. IDS b. AECS c. GIS d. CCTV
c. GIS
What is the key to performing an asset value assessment? - 8 a. Records review b. Prior SVA results c. Interviewing stakeholders d. Internal audits
c. Interviewing stakeholders
Which method should be used when the practitioner has very good data regarding the actual cost of the loss or impact of a threat event and the frequency with which the threat will occur? - 3 a. ALE b. Qualitative c. Quantitative d. Impact versus Consequence
c. Quantitative
What are the two ways to establish values for assets? - 10 a. ALE and Qualitative b. Direct and Indirect c. Relative and Cost-of-Loss d. Threats and Hazards
c. Relative and Cost-of-Loss
What organization developed the Risk Assessment Methodologies (RAM) in 2002? - 6 a. API-NPRA b. CSSI c. Sandia Corporation d. DHS
c. Sandia Corporation
Which of the following is not considered an adversary action? a. Deceit b. Stealth c. Surveillance d. Force
c. Surveillance
Risk management incorporates an understanding of the _____ of assets to the consequences of _____ and hazards. - 15 a. Cost, Recoupability b. Risks, Likelihood c. Vulnerability, Threats d. Purpose, Inaction
c. Vulnerability, Threats
The linguistic level scale used for FEMA's asset valuation methodology classifies "High" as? - 7 a. 10 b. 9-10 c. 9 d. 8-9
d. 8-9
Which of these is NOT analyzed during a risk assessment? - 1 a. Asset values and threats b. Probability and consequences c. Vulnerabilities and risk d. All are analyzed.
d. All are analyzed.
Which factor is not considered when determining whether a loss risk event may occur? - 12 a. Historical data b. Makeup of the neighborhood and geographic location c. Political, social, and economic conditions d. All are factors of consideration
d. All are factors of consideration
What are the problems with employing quantitative risk analysis? - 3 a. Availability of data b. Inaccuracy of collected data regarding cost c. Inaccuracy of determining the probability of threats occurring d. All are problems with this type of analysis
d. All are problems with this type of analysis
Vulnerability is defined as? - 13 a. Any weakness that can be exploited by an aggressor b. To make an asset susceptible to damage from natural hazards c. To make an asset susceptible to damage from consequential events d. All of the above
d. All of the above
Which of the following is not a benefit of using the RAM methodology? - 6 a. Helps identify system components that are critical for the system to function b. Helps prioritize security upgrades or modify practices c. Offers companies a way to develop balanced security protection systems d. All of the above
d. All of the above
Which of the following must be understood in order to determine asset criticality? - 8-9 a. Define and understand the company's primary business functions and process b. Identify site and building infrastructure and systems c. Identify the company's critical tangible and intangible assets d. All of the above
d. All of the above
Which of the following is not true regarding assets? - 8 a. It is a resource of value requiring protection b. Can be anything you want to protect because of its value c. Can be tangible or intangible d. All of the above are true
d. All of the above are true
Terrorist acts may be classified into what category? - 11 a. Human-made disasters b. Crime Related Threats c. Consequential Events d. Both A & B
d. Both A & B
A Threat Matrix measures: - 13 a. Likelihood Versus Risk b. Risk Versus Impact c. Impact Versus Likelihood d. Consequences Versus Probability
d. Consequences Versus Probability
Probability is expressed as? - 3 a. A percentage b. A ratio c. An average d. Either a percentage or ratio
d. Either a percentage or ratio
Which of the following is not a type of countermeasure control? - 19 a. Preventative b. Corrective c. Detective d. Mitigating
d. Mitigating
Which of the following sources does not have data on natural disasters? - 11 a. FEMA b. USGS c. National Weather Service d. NIBR
d. NIBR
Which method to risk assessment is used when the practitioner has very good data relating to the actual cost of the loss or impact of a threat event and the frequency with which the threat will occur? - 3 a. Asset b. Scenario c. Qualitative d. Quantitative
d. Quantitative
Which of the following is not a source of data for criminal events? - 11 a. Local police and UCR crime reports b. Internal records of incidents c. Demographics and social condition data d. These are all sources of data for criminal events
d. These are all sources of data for criminal events
Which of the following factors is used to determine whether an asset is vulnerable? - 14 a. Lack of redundancy and single points of failure b. Co-location of critical systems, organization, or components and collateral damage c. Presence of hazmat d. Inadequate security measures and ease of access e. All are factors for consideration
e. All are factors for consideration