Cyber Risk Assessment Stages - Week 7
16 Questions

Questions and Answers

What is the primary goal of establishing context in a cyber risk assessment?

  • To reduce firewall costs
  • To ensure stakeholder confidence and legal compliance (correct)
  • To avoid identifying threats
  • To identify all software vulnerabilities

Asset identification is only concerned with external factors impacting cyber risk.

  False

What are the two main categories of threats during risk identification?

  Malicious and Non-Malicious

The process of mapping points where systems interface with networks is called _____ identification.

  attack surface

Match the terms to their definitions:

  • Malicious Threat = Started with identifying sources and motives
  • Non-Malicious Threat = Begins with incidents and works backwards
  • Asset Identification = Determining what needs protection
  • Attack Surface = Mapping system interfaces with networks

Which of the following factors is considered an external context in a risk assessment?

  Regulations and laws

Technical data such as logs is not useful for identifying risks.

  False

The scales for risk evaluation help to define _____ and impact scales.

  likelihood

What is the first step in the process of identifying threats?

  Threat Identification

Vulnerability scanners are only used for identifying threats.

  False

What scales can be used to evaluate the severity of vulnerabilities?

  High, Medium, Low

The process of examining how threats can impact assets is known as __________.

  Risk Analysis

Match the following analysis types with their descriptions:

  • Threat Analysis = Assess likelihood of identified threats
  • Vulnerability Analysis = Evaluate vulnerability likelihood and severity
  • Incident Analysis = Determine impact of incidents on assets
  • Consequence Analysis = Document potential outcomes of incidents

What approach does Non-Malicious Threat Identification follow?

  Following the reverse order from incidents to threats

Logs and industry data are irrelevant in estimating threat likelihoods.

  False

What type of evidence is critical for continual risk treatment?

  Evidence and reasoning

Study Notes

Cyber Risk Assessment Stages

  • Context Establishment is crucial for a successful assessment: an incorrect context undermines every later stage of the process.
  • Goals and Objectives need to be defined, including aims such as reducing the likelihood of cyber attacks and ensuring stakeholder confidence in security and compliance.
  • Scope and Focus should be determined, potentially limiting the assessment to certain parts of the system and stating assumptions explicitly (for example, assumptions about insider motivations).
  • Internal and External Context matter: external factors include regulations, laws, and customer expectations; internal aspects include assets, processes, and risk-management constraints.
  • Assets that need protection must be identified, considering the integrity, availability, and confidentiality requirements of each.
  • Risk evaluation uses scales to assess likelihood and impact, categorizing risks into, for example, minor or major, to decide on mitigation actions.
  • Potential consequences for each asset need to be defined, so that the impact of each risk is understood and backed by supporting evidence.
  • Attack surface identification maps system interfaces (e.g., internet, mobile) to find potential entry points for attackers.

Risk Identification

  • Purpose is to identify potential malicious and non-malicious attacks on the system.
  • Malicious and non-malicious attacks are handled differently: for malicious attacks, identification starts from sources and proceeds through threats, vulnerabilities, and incidents; for non-malicious attacks, the order is reversed, starting with incidents.
  • Identification Techniques include technical data (logs, penetration testing) and input from developers, operators, and external experts. Interviews and brainstorming also gather diverse perspectives.
  • Identifying Malicious Threats follows these steps: identify adversaries and threat sources, identify the potential threats posed by each source, identify and assess vulnerabilities, and document the specific incidents that could result from those vulnerabilities and threats.
  • Non-Malicious Threat Identification follows the reverse order, starting from incidents and moving backward to identify vulnerabilities, threats, and sources.

Analysis

  • Purpose of risk analysis is to evaluate the level of risk by analyzing threats, vulnerabilities, likelihoods, and consequences.
  • Likelihood and Severity Assessment uses a frequency scale (e.g., rare, every 10 years) to rate threat likelihood and a high/medium/low scale to rate vulnerability severity; the reasoning must be documented. Incident likelihood is also rated on a frequency scale.
  • Sources for Estimation include logs, industry data, security data, and expert judgment. The basis for each assessment should be clearly documented.
  • Threat Analysis involves assessing the likelihood of each identified threat, differentiating between malicious and non-malicious threats.
  • Vulnerability Analysis uses tools such as vulnerability scans and code reviews to evaluate vulnerability likelihood and severity, rated on the scales defined during context establishment (e.g., high/medium/low).

Incident and Consequence Analysis

  • Incident and Consequence Analysis determines the impact of incidents on each affected asset, referencing the scales defined in context establishment. Assessments should be documented.
  • Continual Risk Treatment: the treatments applied to risks must be revisited over time and may be inspected by new teams and regulators, so the evidence and reasoning behind each decision are critical.


Description

Learn about the critical stages involved in conducting a cyber risk assessment. This quiz covers context establishment, defining goals, determining scope, and evaluating risks associated with assets. Enhance your understanding of internal and external contexts to better prepare for security compliance.
