Skip to content

Week 8 - Risk Management



Quiz 1

What is risk management? Why is the identification of risks and vulnerabilities to assets so important in risk management?

  1. Risk identification (vulnerability), assessment (exposure), and control (reduce to acceptable)

  2. Helps prioritize.

Quiz 2

According to Sun Tzu, what two key understandings must you achieve to be successful in battle?

Know yourself (standing), know the enemy(threats).

Quiz 3

Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

  • Each community of interest
  • Information security community

Quiz 4

In risk management strategies, why must periodic review be part of the process?

Ensure still effective, always neglected.

Quiz 5

Why do networking components need more examination from an information security perspective than from a systems development perspective?

Often the focal point of attacks, considered special rather than combined with others.

Quiz 6

What value does an automated asset inventory system have during risk identification?

  • Identify system elements that make up hardware, software, and network components
  • calculation of possible loss and protections of cost in risk management

Quiz 7

What information attribute is often of great value for local networks that use static addressing?

  • IP Address
  • With dynamic addressing, the MAC Address is more useful.

Quiz 8

When devising a classification scheme for systems components, is it more important that the asset identification list be comprehensive or mutually exclusive?

Both are important as depending upon the organization’s list priority and classification.

Quiz 9

What’s the difference between an asset’s ability to generate revenue and its ability to generate profit?

Revenue is the recognition of income from an activity supported by the system. Profit is the amount of revenue that exceeds operating costs. Some systems may cost more to operate than they contribute to revenue.

Quiz 10

What are vulnerabilities? How do you identify them?

  • Specific avenues that threat agents can exploit to attack an information asset.
  • Analyzing all components of an information systems and evaluating the risk to each component identify the vulnerabilities.

Quiz 11

What is competitive disadvantage? Why has it emerged as a factor?

  • A competitive disadvantage occurs when a company falls behind the competition in its ability to maintain the highly responsive services required in today's marketplaces.

  • This is a factor because almost all organizations have an IT system in this day and time. Therefore, organizations need to obtain or improve their IT systems to avoid falling behind all others.

Quiz 12

What five strategies for controlling risk are described in this chapter?

  1. Defend- The defend control strategy attempts to prevent the exploitation of the vulnerability.
  2. Transfer- The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
  3. Mitigate- The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
  4. Accept- The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
  5. Terminate - The terminate control strategy directs the organization to avoid those business activities that introduce uncontrollable risks.

Quiz 13

Describe the defense strategy for controlling risk. List and describe the three common methods.

to prevent the exploitation of the vulnerability.

  • Application of policy
  • Education and training
  • Application of technology

Quiz 14

Describe the transference strategy for controlling risk. Describe how outsourcing can be used for this purpose.

shift risk to other assets, other processes, or other organizations. by rethinking how services are offered, revising deployment models, outsourcing, insurance, or implementing service contracts with providers.

Outsourcing transfer to another organization that has experience, and service provider is responsible for disaster recovery.

Quiz 15

Describe the mitigation strategy for controlling risk. What three planning approaches are discussed in the text as opportunities to mitigate risk?

Reduce the impact.

  • Incident Response Plan (IRP)
  • Disaster recovery plan (DRP)
  • Business Continuity Plan (BCP)

Quiz 16

How is an incident response plan different from a disaster recovery plan?

The DR plan focuses more on preparations completed before and actions taken for disasters —often escalated incidents; to reestablish operations at the primary site.

The IR plan focuses onIncident Response: intelligence gathering, information analysis, coordinated decision making,and urgent, concrete actions taken while an incident is occurring.

Quiz 17

What is risk appetite? Explain why it varies among organizations.

  • Quantity and nature of risk that organizations are willing to accept as trade-offs of security with accessibility.

  • Differences in expense of controlling and the losses. The key is to find the balance.

Quiz 18

What is a cost-benefit analysis?

A decision-making process to evaluate whether benefit is worth the expense.

Quiz 19

What is single loss expectancy? What is annualized loss expectancy?

A single loss expectancy is the value associated with the most likely loss from an attack.

Annual loss expectancy is the expected loss from exploitation of a vulnerability for a specific information asset over the course of a year.

Quiz 20

What is residual risk?

Even when vulnerabilities have been controlled as much as possible, remainder that some risk that has not been completely removed, shifted, or planned for.