Risk Assessment

Organizations perform risk assessments to ensure that they are able to identify threats (including attackers, viruses, and malware) to their information systems.

According to the National Institute of Standards and Technology (NIST, 2012):

Risk assessments address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. (p. 6)

When a risk assessment is completed, organizations rate risks at different levels so that they can prioritize them and create appropriate mitigation plans.

References

US Department of Commerce, National Institute of Standards and Technology (NIST). (2012). Guide for conducting risk assessments (Special Publication 800-30, Revision 1). http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Check Your Knowledge

Choose the best answer to each question:

Question 1
Which of the following is not part of the risk makeup for information security within an organization?
risk assessment/risk analysis
risk mitigation
risk management
risk monitoring

Question 2
Standards bodies produce and issue publications with which companies must comply. In the risk management arena, organizations should initiate which of the following?
self-audits, risk tolerance, compliance
risk assessments, gap analyses, corrective actions
requirements, analysis, design
risk analysis, corrective action, security awareness

Question 3
Based on ISO 27001, risk analysis includes which of the following processes?
security procedures, information security, financial systems security, asset management, access management, encryption, and communications security
environmental security, operations security, asset security, risk assessment, and development and maintenance
define information security policy, define scope of information security management system (ISMS), conduct risk assessment, manage risks, select control objectives and controls to be implemented, and implement ISMS
business impact analysis, financial systems management, incident handling, communications, business continuity management, and threat analysis

Question 4
Many security analysts believe that a business impact analysis (BIA) is relevant to information technology. However, which of the following processes is most important to BIA?
due diligence
risk mitigation
supporting the mission of the organization
risk avoidance

Question 5
Risk assessment professionals use automated tools to perform their tasks because the tools offer which of the following benefits?
reduce time
simplify the process
include threat information and statistics
all of the above

Question 6
Which of the following terms describes the type of organization that purchases and implements insurance to cover any loss to its assets?
risk acceptance
risk transfer
risk reduction
physical security risk containment

Question 7
General risk management comprises which of the following processes?
risk assessment, implementing decisions, and assigning priorities
budgetary impact assessment, risk transfer, implementing risk-reduction measures
risk avoidance, assigning priorities, budgeting
none of the above

Question 8
In a quantitative risk analysis, the formula for calculating annualized loss expectancy (ALE) is which of the following?
annual rate of occurrence (ARO) × single loss return (SLR)
single loss expectancy (SLE) × annual rate of occurrence (ARO)
single loss expectancy (SLE) / annual rate of occurrence (ARO)
none of the above

Question 9
Which of the following is the calculation for single loss expectancy (SLE)?
asset value × exposure factor
annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)
asset × vulnerability × threat
asset value × exposure factor AND annualized loss expectancy (ALE) × annualized rate of occurrence (ARO)

Question 10
Which of the following statements best describes residual risk?
security risks that remain after the organization has implemented security controls
residual assets that are susceptible to threats
residual risks that will be mitigated
leftover risks eligible for reevaluation

Question 11
Which of the following statements are true about quantitative risk analysis?
Some parts of it can be automated.
Calculations can be complex.
It requires a high volume of information.
All of the above are correct.

Question 12
All of the following descriptions fit risk analysis except which one?
It is synonymous with risk assessment but not part of overall risk management.
It is the ongoing process of assessing the risk to the business.
It is used to determine adequate security for a system by analyzing threats and vulnerabilities.
It supports the selection of cost-effective controls to achieve and maintain an acceptable level of risk.

Question 13
Which of the following terms best describes risk analysis when it is done with committee discussions, opinions, surveys, and user input?
quantitative risk analysis
qualitative risk analysis
human aspect risk analysis
joint risk assessment