Assessing Risk

Risk assessment is the process by which variables are evaluated to determine the amount and type of risk present. Such assessments are used for decision making as well as for resource management. Critical components of cybersecurity risk assessments include cataloging and analyzing IT assets, identifying and understanding threats, and determining any vulnerabilities that might exist.

Risk assessments identify, quantify, and prioritize risks measured against the organization’s tolerance for risk. One mechanism to identify weaknesses is a vulnerability assessment, which systematically evaluates an environment (hardware or software) to determine its susceptibility to vulnerabilities that might expose the network or data to unauthorized access.

Evaluating risks for cybersecurity purposes should not be limited to the computer network environment; it should also include the people and the physical environment, both of which can introduce risks. Operational security (OPSEC) focuses on identifying and protecting critical information that might disclose details that could be used for the purposes of exploitation, while physical security identifies and protects the physical environment against unauthorized entry.

Check Your Knowledge

Choose the best answer to each question:

Question 1
Which of the following is not part of the risk makeup for information security within an organization?
risk assessment/risk analysis
risk mitigation
risk management
risk monitoring
Question 2
Standards bodies produce and issue publications with which companies must comply. In the risk management arena, organizations should initiate which of the following?
self-audits, risk tolerance, compliance
risk assessments, gap analyses, corrective actions
requirements, analysis, design
risk analysis, corrective action, security awareness
Question 3
Based on ISO 27001, risk analysis includes which of the following processes?
security procedures, information security, financial systems security, asset management, access management, encryption, and communications security
environmental security, operations security, asset security, risk assessment, and development and maintenance
define information security policy, define scope of information security management system (ISMS), conduct risk assessment, manage risks, select control objectives and controls to be implemented, and implement ISMS
business impact analysis, financial systems management, incident handling, communications, business continuity management, and threat analysis
Question 4
Many security analysts believe that a business impact analysis (BIA) is relevant to information technology. However, which of the following processes is most important to BIA?
due diligence
risk mitigation
supporting the mission of the organization
risk avoidance
Question 5
Risk assessment professionals use automated tools to perform their tasks because they demonstrate which of the following benefits?
reduce time
simplify the process
include threat information and statistics
all of the above
Question 6
Which of the following terms describes the type of organization that purchases and implements insurance to cover any loss to its assets?
risk acceptance
risk transfer
risk reduction
physical security risk containment
Question 7
General risk management comprises which of the following processes?
risk assessment, implementing decisions, and assigning priorities
budgetary impact assessment, risk transfer, implementing risk-reduction measures
risk avoidance, assigning priorities, budgeting
none of the above
Question 8
In a quantitative risk analysis, the formula for calculating annualized loss expectancy (ALE) is which of the following?
annual rate of occurrence (ARO) × single loss return (SLR)
single loss expectancy (SLE) × annual rate of occurrence (ARO)
single loss expectancy (SLE) / annual rate of occurrence (ARO)
none of the above
Question 9
Which of the following is the calculation for single-loss expectancy (SLE)?
asset value × exposure factor
annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)
asset × vulnerability × threat
asset value × exposure factor and annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)
Question 10
Which of the following statements best describes residual risk?
security risks that remain after the organization has implemented security controls
residual assets that are susceptible to threats
residual risks that will be mitigated
leftover risks eligible for reevaluation
Question 11
Which of the following statements are true about quantitative risk analysis?
Some parts of it can be automated.
Calculations can be complex.
It requires a high volume of information.
All of the above are correct.
Question 12
All of the following descriptions fit risk analysis except which one?
It is synonymous with risk assessment but not part of overall risk management.
It is the ongoing process of assessing the risk to the business.
It is used to determine adequate security for a system by analyzing threats and vulnerabilities.
It supports the selection of cost-effective controls to achieve and maintain an acceptable level of risk.
Question 13
Which of the following terms best describes risk analysis when it is done with committee discussions, opinions, surveys, and user input?
quantitative risk analysis
qualitative risk analysis
human aspect risk analysis
joint risk assessment