Organizations perform risk assessments to ensure that they are able to identify threats (including attackers, viruses, and malware) to their information systems.
According to the National Institute of Standards and Technology (NIST, 2012):
Risk assessments address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. (p. 6)
When a risk assessment is completed, organizations rate risks at different levels so that they can prioritize them and create appropriate mitigation plans.
References
US Department of Commerce, National Institute of Standards and Technology (NIST). (2012). Information security: Guide for conducting risk assessments: Special Publication 800-30. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Resources
Required
- Technological Safeguards
- Risk Analysis
- Impacts of Risks
- Risks in Wireless Networks
- Metasploit
- Intrusion Detection Using Network Monitoring Tools
Recommended
- Technical Guide to Information Security Testing and Assessment (focus on Chapters 2, 4, and Appendix A)
- Avoiding the Top Ten Security Flaws
Check Your Knowledge
Choose the best answer to each question:
Question 1
Which of the following is not part of the risk makeup for information security within an organization?
risk assessment/risk analysis
risk mitigation
risk management
risk monitoring
This answer is incorrect. Risk assessment/risk analysis is part of the risk makeup for information security within an organization. It’s the first phase in the risk management process and includes activities such as identifying risks to assets and determining the impact of those risks to the organization. Try again.
This answer is incorrect. Risk mitigation is part of the risk makeup for information security within an organization. In this phase, strategies for avoiding and reducing known and perceived risks to assets are developed. Try again.
This answer is incorrect. Risk management is an ongoing information security process for managing risks and protecting assets. It encompasses multiple risk management phases, including risk assessment/analysis and risk mitigation. Try again.
That's correct. Risk monitoring is not part of the risk makeup for information security within an organization.
Question 2
Standards bodies produce and issue publications with which companies must comply. In the risk management arena, organizations should initiate which of the following?
self‐audits, risk tolerance, compliance
risk assessments, gap analyses, corrective actions
requirements, analysis, design
risk analysis, corrective action, security awareness
Self‐audits, risk tolerance, and compliance are not risk management actions that organizations should initiate; therefore, this list is incorrect. Try again.
That's correct. Risk assessments, gap analyses, and corrective actions are the areas involved in the proper risk management that organizations should initiate.
Requirements, analysis, and design are not risk management actions organizations should initiate; therefore, this list is incorrect. Try again.
Risk analysis, corrective action, and security awareness are not risk management actions that organizations should initiate; therefore, this list is incorrect. Please try again.
Question 3
Based on ISO 27001, risk analysis includes which of the following processes?
security procedures, information security, financial systems security, asset management, access management, encryption, and communications security
environmental security, operations security, asset security, risk assessment, and development and maintenance
define information security policy, define scope of information security management system (ISMS), conduct risk assessment, manage risks, select control objectives and controls to be implemented, and implement ISMS
business impact analysis, financial systems management, incident handling, communications, business continuity management, and threat analysis
Security procedures, information security, financial systems security, asset management, access management, encryption, and communications security are not part of the process of risk analysis based on ISO 27001. This answer is incorrect. Try again.
Environmental security, operations security, asset security, risk assessment, and development and maintenance are not part of the process of risk analysis based on ISO 27001. This answer is incorrect. Try again.
That's correct. The definition of risk analysis based on ISO 27001 states that the risk analysis includes these six processes: define information security policy, define scope of information security management system (ISMS), conduct risk assessment, manage risks, select control objectives and controls to be implemented, and implement ISMS.
Business impact analysis, financial systems management, incident handling, communications, business continuity management, and threat analysis are not part of the risk analysis process based on ISO 27001. This answer is incorrect. Try again.
Question 4
Many security analysts believe that a business impact analysis (BIA) is relevant to information technology. However, which of the following processes is most important to BIA?
due diligence
risk mitigation
supporting the mission of the organization
risk avoidance
Due diligence is important in a BIA; however, it is not the most important process in this list. Therefore, this answer is incorrect. Try again.
Risk mitigation is important in a BIA; however, it is not the most important process in this list. Therefore, this answer is incorrect. Try again.
That's correct. Supporting the mission of the organization in a BIA is the most important process in this list.
Risk avoidance is important in a BIA; however, it is not the most important process in this list. Therefore, this answer is incorrect. Try again.
Question 5
Risk assessment professionals use automated tools to perform their tasks because they demonstrate which of the following benefits?
reduce time
simplify the process
include threat information and statistics
all of the above
Risk assessment professionals use automated tools to reduce time. However, this is not the only reason they use automated tools. Try again.
Risk assessment professionals use automated tools to simplify the process. However, this is not the only reason they use automated tools. Try again.
Risk assessment professionals use automated tools to obtain threat information and statistics. However, this is not the only reason they use automated tools. Try again.
That's correct. Risk assessment professionals use automated tools to reduce time, simplify the process, and obtain threat information and statistics.
Question 6
Which of the following terms describes the type of organization that purchases and implements insurance to cover any loss to its assets?
risk acceptance
risk transfer
risk reduction
physical security risk containment
Risk acceptance occurs when an organization accepts the present risk because the cost of mitigating the risk outweighs the risk itself. An organization accepting risk would not purchase insurance to cover asset loss. Try again.
That's correct. Risk transfer occurs when the risk is transferred from the organization to another entity such as when an organization purchases insurance. An organization that purchases and implements insurance to cover any loss to its assets transfers risk to the insurance company, which will pay for that loss.
Risk reduction is a method to lower the risk the organization takes for any cybersecurity issue or problems. This answer does not describe the type of organization that purchases and implements insurance to cover any loss to its assets. Try again.
Physical security risk containment describes the physical security defensive mechanisms to prevent, deter, and detect physical threats of various kinds. This answer does not describe the type of organization that purchases and implements insurance to cover any loss to its assets. Try again.
Question 7
General risk management comprises which of the following processes?
risk assessment, implementing decisions, and assigning priorities
budgetary impact assessment, risk transfer, implementing risk-reduction measures
risk avoidance, assigning priorities, budgeting
none of the above
That's correct. General risk management comprises risk assessment, implementing decisions, and assigning priorities.
Budgetary impact assessment, risk transfer, and implementing risk-reduction measures do not comprise general risk management. Therefore, this answer is incorrect. Try again.
Risk avoidance, assigning priorities, and budgeting do not comprise general risk management. Therefore, this answer is incorrect. Try again.
This answer is incorrect because there is a correct response in this list. Try again.
Question 8
In a quantitative risk analysis, the formula for calculating annualized loss expectancy (ALE) is which of the following?
annual rate of occurrence (ARO) × single loss return (SLR)
single loss expectancy (SLE) × annual rate of occurrence (ARO)
single loss expectancy (SLE) ÷ annual rate of occurrence (ARO)
none of the above
ALE is not the product of the ARO and the SLR. Therefore, this answer is incorrect. Try again.
That's correct. ALE is the product of the SLE and the ARO.
ALE is not the quotient of the SLE divided by the ARO. Therefore, this answer is incorrect. Try again.
One of the other statements does describe ALE; therefore, this answer is incorrect. Try again.
Question 9
Which of the following is the calculation for single loss expectancy (SLE)?
asset value × exposure factor
annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)
asset × vulnerability × threat
asset value × exposure factor AND annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)
That's correct. SLE is the product of asset value and exposure factor.
The product of ALE and ARO is not the definition of SLE. Therefore, this answer is incorrect. Try again.
The product of asset × vulnerability × threat is not the definition of SLE. Therefore, this answer is incorrect. Try again.
Only one of the two options combined here is the calculation of SLE, so this combined answer is incorrect. Try again.
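A worked calculation of the two formulas tested in questions 8 and 9 (SLE = asset value × exposure factor; ALE = SLE × ARO), added here as an example and not part of the original course page. The risk register and its figures are constructed for illustration; ranking by ALE shows why the largest single loss is not always the highest annual priority.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One entry of a constructed risk register (values are illustrative)."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0..1)
    aro: float              # ARO: expected incidents per year; < 1 for rare events


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF (question 9)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (question 8)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def rank_by_ale(register: List[Risk]) -> List[Tuple[str, float, float]]:
    """Return (name, SLE, ALE) for each risk, highest ALE first, so the
    register can be prioritized for mitigation planning."""
    rows = []
    for r in register:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        rows.append((r.name, sle, annualized_loss_expectancy(sle, r.aro)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the figures are made up for illustration.
SAMPLE_REGISTER = [
    Risk("ransomware on file server", 500_000, 0.40, 0.5),  # once every 2 years
    Risk("laptop theft", 3_000, 1.0, 4.0),                  # four per year
    Risk("data centre flood", 2_000_000, 0.60, 0.02),       # once in 50 years
]

if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(SAMPLE_REGISTER):
        print(f"{name:28s} SLE={sle:>12,.0f}  ALE={ale:>10,.0f}")
```

The flood has by far the largest SLE but ranks below ransomware on ALE because it is expected so rarely.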
Question 10
Which of the following statements best describes residual risk?
security risks that remain after the organization has implemented security controls
residual assets that are susceptible to threats
residual risks that will be mitigated
leftover risks eligible for reevaluation
That's correct. The residual risk is a list of security risks that remain after security controls have been implemented.
This answer is incorrect. Residual assets that are susceptible to threats is not the definition of residual risk. Try to recall the definition of residual risk and how it differs from residual assets. Try again.
This answer is incorrect. Residual risks that will be mitigated is not the definition of residual risk. Try to recall the definition of residual risk and how it differs from risk mitigation. Try again.
This answer is incorrect. Leftover risks that will be eligible for reevaluation is not the definition of residual risk. Try to recall the definition of residual risk and how it differs from reevaluating potential risks. Try again.
Question 11
Which of the following statements are true about quantitative risk analysis?
Some parts of it can be automated.
Calculations can be complex.
It requires a high volume of information.
All of the above are correct.
Some parts of quantitative risk analysis can be automated; however, this is not the complete response. Try again.
In quantitative risk analysis, calculations can be complex; however, this is not the complete response. Try again.
Quantitative risk analysis does require a high volume of information; however, this is not the complete response. Try again.
Correct. All of the statements apply to quantitative risk analysis.
Question 12
All of the following descriptions fit risk analysis except which one?
It is synonymous with risk assessment but not part of overall risk management.
It is the ongoing process of assessing the risk to the business.
It is used to determine adequate security for a system by analyzing threats and vulnerabilities.
It supports the selection of cost‐effective controls to achieve and maintain an acceptable level of risk.
That's correct. Risk analysis is not synonymous with risk assessment and is one component of overall risk management.
The ongoing process of assessing the risk to the business is part of risk analysis. Therefore, this answer is incorrect. Try again.
Part of risk analysis includes determining adequate security for a system by analyzing its threats and vulnerabilities. Therefore, this answer is incorrect. Try again.
Part of risk analysis supports the selection of cost‐effective controls to achieve and maintain an acceptable level of risk. Therefore, this answer is incorrect. Try again.
Question 13
Which of the following terms best describes risk analysis when it is done with committee discussions, opinions, surveys, and user input?
quantitative risk analysis
qualitative risk analysis
human aspect risk analysis
joint risk assessment
Quantitative risk analysis seeks to numerically assess probabilities for the potential consequences of risk and is not dependent on committee discussions, opinions, surveys, and user input to make its determination. Therefore, this answer is incorrect. Try again.
That's correct. Qualitative risk analysis uses committee discussions, opinions, surveys, and user input to determine risk.
This answer is partially correct but is not the best answer. Human aspect risk analysis is an action belonging to a broader type of risk analysis. Try again.
This answer is partially correct but is not the best answer. Joint risk assessment is an action belonging to a broader type of risk analysis. Try again.