What Do You Know About Risk Management? Quiz

1. Identifying, assessing, and reducing risk to an acceptable level and maintaining the achieved level is referred to as___________________.

A. Risk planning

B. Risk management

C. Security management

D. Operations management

Risk management plays a key role in the overall security program. Managing risk is a daunting task because therre are so many risks to content with.

Explanation

Risk management plays a key role in the overall security program. Managing risk is a daunting task because therre are so many risks to content with.

2. Jim is attempting to justify the security controls he wants to implement at his organization. What would be his FIRST step to convince his leadeship chain?

A. Conduct a counter analysis

B. Perform a risk analysis

C. Perform a top-down analysis

D Perform a bottom-up analysis

Performing a risk analysis will provide a means to justify the expense and the countermeasure that must be implemented. It will outline the possible threats and current weaknesses, which is necessary in building a case for purchasing and implementing a countermeasure.

Explanation

Performing a risk analysis will provide a means to justify the expense and the countermeasure that must be implemented. It will outline the possible threats and current weaknesses, which is necessary in building a case for purchasing and implementing a countermeasure.

3. Risk should not be handled in which of one of the followin:

A. Reduce the risk

B. Accept the risk

C. Transfer the risk

D. Reject the risk

Rejecting risk and threat potential is a violation of the due care responsibility that each company's management team is held liable for. Rejecting risk means ignoring it exists and neglecting to take any steps to mitigate the risk.

Explanation

Rejecting risk and threat potential is a violation of the due care responsibility that each company's management team is held liable for. Rejecting risk means ignoring it exists and neglecting to take any steps to mitigate the risk.

4. Who sets the acceptable risk level for an organization?

A. Govern agencies that create regulations

B. Senior management

C. Auditors

D. Security analyst

An organization's acceptable risk level needs to be set by the people ultimately responsible - senior management. Often they will work witha security analyst to help them understand their current risk level, government regulation requirements, and other items which all factor into establishing it. But senior management has to "sign" off on the level, thus they are ultimately the ones who set it.

Explanation

An organization's acceptable risk level needs to be set by the people ultimately responsible - senior management. Often they will work witha security analyst to help them understand their current risk level, government regulation requirements, and other items which all factor into establishing it. But senior management has to "sign" off on the level, thus they are ultimately the ones who set it.

5. What does it mean that a risk should be accepted based on cost, pain, and visibility?

A. A company should choose to accept a risk if it is an economnical decision, it can live with the vulnerability, and it won't be viewed as irresponsible in the industry

B. A company should choose to accept a risk if it is an emotional decision, it can live with the vulnerability, and it won't be viewed as irresponsible in the industry

C. A company should choose to accept a risk if it is an economnical decision, it can live with the vulnerability, and it won't be viewed as responsible in the industry

D. A company should choose to accept a risk if it is an economnical decision, it can live with the vulnerability, and it will be viewed as irresponsible in the industry

When a company decides to accept a risk, it should be a decision based on cost (countermeasure costs more than potential loss) and pain (company can live with the vulnerability and threat). But the company must also understand that accepting a specific risk, is a visibility decision in that it may impact their industry reputation.

Explanation

When a company decides to accept a risk, it should be a decision based on cost (countermeasure costs more than potential loss) and pain (company can live with the vulnerability and threat). But the company must also understand that accepting a specific risk, is a visibility decision in that it may impact their industry reputation.

6. What is the purpose of an Information Risk Management policy?

A. It outlines the infrastructure for a company's risk management (IRM) processes and procedures

B. It provides direction for how the IRM team works with government agencies

C. It is the ncessary key for proeprly detectting administrative, physical, and technical threats

D. It replaces a company's security policy because it is more expansive and far reaching

The policy provide sthe infrastructure for the organizaition's risk management processes and procedures and should address all issues of information security, from personnel secreening and the insider threat to physical securfity and firewalls. It should provide direction on how the IRM team should relay information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.

Explanation

The policy provide sthe infrastructure for the organizaition's risk management processes and procedures and should address all issues of information security, from personnel secreening and the insider threat to physical securfity and firewalls. It should provide direction on how the IRM team should relay information on company risks to senior management and how to properly execute management's decisions on risk mitigation tasks.

7. A proper risk analysis has specific steps and objectives that it needs to accomplish. Which of the following lists these items?

A. Identify assets and their values; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide non-economical countermeasure recommendations.

B. Identify assets and their values; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendations.

C. Identify assets; identify vulnerabilities and threats; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendation

D. Identify assets and their values; identify fraud and collusions; quantify the probability and business impact of these potential threats; and provide economical countermeasure recommendation

The correct answer is B because it accurately lists the specific steps and objectives of a proper risk analysis. It includes identifying assets and their values, identifying vulnerabilities and threats, quantifying the probability and business impact of these potential threats, and providing economical countermeasure recommendations. This comprehensive approach ensures that all necessary factors are considered and addressed in order to effectively manage and mitigate risks.

Explanation

The correct answer is B because it accurately lists the specific steps and objectives of a proper risk analysis. It includes identifying assets and their values, identifying vulnerabilities and threats, quantifying the probability and business impact of these potential threats, and providing economical countermeasure recommendations. This comprehensive approach ensures that all necessary factors are considered and addressed in order to effectively manage and mitigate risks.

8. Chrissy is performing a risk analysis. To complete one step, she answers these questions: what is the value of the asset to the company, how much does it cost to maintain it, what is its role in the company, how much would it be worth to the competition. What risk analysis step has Chrissy performed?'

A. Assigning values to assets

B. Estimating loss per risk

C. Performing a threat analysis

D. Assigning the risk

Chrissy has performed the risk analysis step of assigning values to assets. In this step, she assesses the value of the asset to the company, the cost of maintaining it, its role in the company, and its worth to the competition. By assigning values to assets, Chrissy is able to determine their importance and potential impact on the company's overall risk. This step is crucial in identifying and prioritizing risks in order to develop effective risk management strategies.

Explanation

Chrissy has performed the risk analysis step of assigning values to assets. In this step, she assesses the value of the asset to the company, the cost of maintaining it, its role in the company, and its worth to the competition. By assigning values to assets, Chrissy is able to determine their importance and potential impact on the company's overall risk. This step is crucial in identifying and prioritizing risks in order to develop effective risk management strategies.

9. Which of the following is NOT an important aspect of an organizational security policy?

A. The policy should dictate business objectives

B. It should be develoed and used to integrate security into all business function and processes

C. Each iteration of the policy should be dated and under version control

D. It should be reviewed and modified as a company changes

The security policy has several important characteristics that need to be understood and implemented:

* Business obejctives shold drive the policy's creation, implementation, and enforcement. The policy should not dictate business objectives.

* It should be an easily understodd document that is used as a reference point for all employees and management.

* It should be developed and used to integrate security into all business function and processes.

* It should be derived from and support all necedssary legistlation and regulation applicable to the company.

* It should be reviewed and modified as a company changes through adotping of new business models, merging with another company, or being purchased.

* Each iteration of the policy should be dated and under version control.

Explanation

The security policy has several important characteristics that need to be understood and implemented:

* Business obejctives shold drive the policy's creation, implementation, and enforcement. The policy should not dictate business objectives.

* It should be an easily understodd document that is used as a reference point for all employees and management.

* It should be developed and used to integrate security into all business function and processes.

* It should be derived from and support all necedssary legistlation and regulation applicable to the company.

* It should be reviewed and modified as a company changes through adotping of new business models, merging with another company, or being purchased.

* Each iteration of the policy should be dated and under version control.

10. Because of the varying perspectives that senior managers incorporate into their business structure (strategy), there are always different ways to accomplish the same thing. Risk analysis is no different. Qualitative Risk Analysis and Quantitative Risk Analysis are very differnet from one another but both reprsent a way of managing risk. Which of the following action is not a characteristic of Qualitative Risk Analysis?

A. Instituting an employee survey to gather results based upon their opinions

B. Department heads-only meeting to brainstorm ideas

C. Soliciting data from several departments in order to assign an accurate monetary value to an asset.

D. Constructing and using a rating sytem

A major them in Qualitative Risk Analysis is that it includes opinions based on people'[s experience and knowledge. While this is typcially true, the underlying difference between qualitative and quantitative is that qualitative categorizes threats and losses and quantitative places actual numeric and monetary value on them.

Explanation

A major them in Qualitative Risk Analysis is that it includes opinions based on people'[s experience and knowledge. While this is typcially true, the underlying difference between qualitative and quantitative is that qualitative categorizes threats and losses and quantitative places actual numeric and monetary value on them.

11. A company cannnot eliminate all risk. The risk that remains is refferred to as residual (or acceptable) risk and the company must determine if this corresponds with their acceptable level or risk. Which of the following defines residual risk?

A. Asset value x exposure factor

B. Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)

C. (Threats x vulnerability x asset value) x control gap

Threats x vulnerability x asset value

Residual risk is the amount of risk remaining after the countermeasure has been implemented. To figure out the actual resdidual risk, the team must identify and calculate the risk, which is: threats x vulnerability x asset value. Then, the team must calculate the control gap, which is what the countermeasure cannot provide protection for. The result is residual risk. A company must decide if the residual risk falls within their acceptable level or risk. If it does, and a cost-benefit analysis has been carried out, then the countermeasure can be purchased and installed.

Explanation

Residual risk is the amount of risk remaining after the countermeasure has been implemented. To figure out the actual resdidual risk, the team must identify and calculate the risk, which is: threats x vulnerability x asset value. Then, the team must calculate the control gap, which is what the countermeasure cannot provide protection for. The result is residual risk. A company must decide if the residual risk falls within their acceptable level or risk. If it does, and a cost-benefit analysis has been carried out, then the countermeasure can be purchased and installed.

12. Which statement describes the proper relationship of the wrods "threats," "expsoure," and "risk?"

A. An exposure gives rise to a threat which exploits a risk and leads to a vulnerability

B. A risk causes a vulnerability that leads to a threat and cause an exposure

C. An exposure allows a weakness that leads to a threat creating an exposure

A threat is that a threat agent will exploit a vulnerability. The probability of this happening is the risk. Once the vulnerability is exploited there is an exposure.

A compnay may identify a vulnerability, which is a weakness or a lack of a safeguard. Then they need to identify the threat agent that could capitalize on this vulnerability. The threats lies in the possibility that soneone would exploit this vulnerability. The probability of this taking place is the risk, which has to be calculated.

Explanation

A compnay may identify a vulnerability, which is a weakness or a lack of a safeguard. Then they need to identify the threat agent that could capitalize on this vulnerability. The threats lies in the possibility that soneone would exploit this vulnerability. The probability of this taking place is the risk, which has to be calculated.