15 Cards in this Set

  • Front
  • Back
Risk
Potential harm or loss to a system; the probability that a threat will materialize.
Identifying risks
Actual threat
Possible consequences if the threat is realized
Probable frequency of occurrence of the threat
Confidence that the threat will happen
Asset
A resource, process, product, system, etc. The value is composed of cost of creation,
development, license, support, replacement, public credibility, considered costs, lost intellectual
property if disclosed, and ownership values.
Threat
Any event that causes an undesirable impact on an organization. Threat categories: data classification,
information warfare, personnel, criminal, application, operational.
Vulnerability
Absence of a safeguard.
RM triple
Asset, threat, and vulnerability
Exploit
A technical means of taking advantage of a vulnerability.
Exposure Factor (EF)
Percentage loss a realized threat would have on an asset. A hardware
failure on a critical system may result in 100% loss.
Single Loss Expectancy (SLE)
Loss from a single threat. SLE = Asset Value($) x EF.
Annualized Rate of Occurrence (ARO)
Estimated frequency in which a threat is expected to occur.
The ARO range is from 0 (never) to a large number (e.g., minor threats, such as misspellings
Annualized Loss Expectancy (ALE)
The total of the SLE multiplied by the ARO. ALE = SLE x ARO.
Safeguard
Control or countermeasure to reduce risk associated with a threat.
The absence of a safeguard creates a vulnerability.
Perform a cost/benefit analysis before deploying a safeguard, including the impact on the
organization of implementing it.
The safeguard must be auditable.
Value to organization of safeguard = ALE (before implementation) – ALE (after implementation) – annualized safeguard cost.
Elements of Risk Analysis
Quantitative RA – Assigns objective dollar costs to assets.
Qualitative RA – Addresses intangible values of data loss and other issues that are not pure hard costs (e.g.,
high, medium, and low risk categories).
Risk Analysis Steps
Identify asset. Estimate potential losses to assets by determining their values.
Identify threats. Analyze potential threats to assets.
Determine risk. Qualitatively and/or quantitatively evaluate the degree of risk.
Risk Management Techniques
Once you have identified risks, you may choose one or more of the following four risk management techniques
for each identified risk:
Mitigate the risk – Put controls in place that reduce the risk to the organization (e.g., install a
lock on a door to reduce the risk of unauthorized entry).
Avoid the risk – Change the organization's activities to completely avoid the risk (e.g., move
from Florida to Indiana to avoid hurricanes).
Accept the risk – Acknowledge the risk and take no action whatsoever (e.g., realize that there's
a slight chance that a volcano might erupt in southern California but accept that risk without
doing anything about it).
Transfer the risk – Place the burden of the risk on someone else (e.g., buy insurance to protect
against fire).