IT Risk Management Class #6

Questions and Answers

Which item is not typically considered when determining in-scope assets for cybersecurity risk assessment?

Physical facilities such as data centers

Systems that process sensitive information

Third-party vendor assessment criteria (correct)

Internet-facing services

What type of organizations often seek external consultancy for cybersecurity assessments?

Sectors with low data sensitivity

Startups with minimal IT infrastructure

Organizations in industries with high cybersecurity risks (correct)

Non-profit organizations only

Which of the following is considered a common vulnerability associated with threat actors?

Strong access controls

Poor physical security (correct)

Robust incident response plans

Regular security audits

In the context of cybersecurity threats, what do 'common asset containers' refer to?

Physical and virtual infrastructure supporting services

Which type of environment is considered within the desktop environment and end-user devices for risk prioritization?

Mobile devices and desktops

Which type of business impact is most commonly associated with the disclosure of information in cybersecurity?

Financial Loss

What is a primary barrier to implementing threat modelling tools in organizations?

Insufficient documentation of classified information

What is the purpose of conducting interviews with stakeholders during a Threat Modelling exercise?

To collect qualitative insights that inform the T-M process.

Which of the following documents is NOT typically reviewed during a Threat Modelling exercise?

Marketing plans

Which of the following best describes a common consequence of a denial of service attack?

Reputational Impact

In the context of risk assessment, who should ideally sponsor a threat modelling exercise?

Senior management

Before starting a Threat Modelling exercise, why is it important to define the scope?

To prevent misunderstandings among stakeholders.

Which of the following impacts is particularly associated with the theft of service?

Financial Loss

How should a Threat Modelling methodology be approached if no specific requirements are given by the sponsor?

Communicate your proposed methodology and address stakeholders' concerns.

What is one common method for mitigating the lack of internal resources for cybersecurity risk management?

Outsourcing cybersecurity functions

What essential aspect must be considered to determine the timeline for a Threat Modelling exercise?

The variety of information sources and dependency issues.

Which of the following best describes the difference between Risk Assessment and Risk Analysis in the context of Threat Modelling?

Risk Assessment is broader, while Risk Analysis zeroes in on specific risks.

How does the theoretical framework of OCTAVE relate to threat modeling?

OCTAVE serves as a basis for developing a new threat modeling approach.

What should key stakeholders validate during workshops in the Threat Modelling process?

Preliminary findings of the Threat Modelling exercise.

What is an expected outcome if cybersecurity risks are not effectively communicated within an organization?

Increased organizational risk

Which statement accurately reflects the availability of industry methods for Threat Modelling?

While methods differ slightly, their fundamental elements and concepts are quite similar.

What is considered a vulnerability in the context of information security risk assessment?

Weaknesses in systems, processes, or human beings which may be exploited

What does 'residual risk' refer to in risk management?

The value of the net risk after mitigation efforts have been implemented

Which of the following best describes 'inherent risk' in a cybersecurity context?

The value of the unmitigated risk exposure

Which qualitative measure corresponds to high severity and high likelihood?

Critical

What two factors are considered when describing an information security risk?

Platform importance and potential threats

Why is the theoretical risk formula ALE = SLE * ARO rarely used in cybersecurity risk estimation?

Lack of reliable data for estimation

What aspect does 'existing controls and control effectiveness' assess in an organization?

The measures in place to protect against risks

Which statement accurately describes potential threat agents?

They can include both intentional and non-intentional attacks

What is the primary focus of a risk assessment?

To identify and evaluate residual risks

Why is it necessary for risk assessors to consult with control owners?

To evaluate the overall effectiveness of controls accurately

What is a potential outcome of poorly defined incident management controls?

Increased likelihood of successful exploitation by threat actors

Which of the following best describes 'residual risk'?

The level of risk that remains after controls are implemented

What should be done to help mitigate individual biases during risk assessments?

Hold workshops for collective review of outcomes

What is likely to happen if the residual risk is beyond the risk appetite?

A risk response plan will be required

How should effectiveness of controls be measured in an organization?

Through both individual and collective evaluations

What role do internal stakeholders play in the risk assessment process?

They provide final approval and consensus on ratings and scenarios

Study Notes

Assessing Information Security Risk

• Identify the platform or system under assessment.
• Determine the platform's importance to the organization, considering its sensitivity.
• Threat agents could be intentional (hackers) or non-intentional (natural disasters).
• Vulnerabilities include weaknesses in systems, processes, or humans that can be exploited.
• Inherent risk reflects the value of unmitigated risk exposure.
• Understand existing controls and their effectiveness in risk management.
• Residual risk represents the net risk remaining after mitigation efforts.

Qualitative Measures for Risk Level

• Risk severity and likelihood are evaluated in three categories: High, Moderate, Low.
• High severity and high likelihood result in critical risk, necessitating immediate attention.
• The matrix helps identify risk levels, guiding prioritization in addressing vulnerabilities.

Quantitative Risk Formula

• Annualized Loss Expectancy (ALE) is calculated as ALE = Single Loss Expectancy (SLE) * Annual Rate of Occurrence (ARO).
• This formula is less frequently used in cybersecurity due to unreliable data; however, a shift may happen with better data sharing in the industry.

Business Impact of Cyber Attacks

• Attacks lead to immediate and long-term consequences including information disclosure, financial loss, corruption, and reputational damage.
• Legal and regulatory impacts also arise, emphasizing the need for effective risk communication.

Threat Modelling: Reality vs. Expectation

• Despite established frameworks like OCTAVE, many organizations still find threat modeling new and challenging.
• Barriers to implementing threat modeling include lack of tracking documentation, inadequate formal programs, and insufficient internal resources.

Key Questions for Threat Modelling

• Identify who is sponsoring the exercise and the reasons behind it.
• Ensure adequate time for collecting data from diverse sources and understanding dependency issues.
• Define the scope clearly, including whether the focus is organizational-wide or project-specific.
• Determine if there are any specific methodologies mandated by the sponsor, like OCTAVE.
• Organizations often seek external consultancy to prioritize assets at higher risk levels.

Vulnerability Mapping

• Recognize common threat actors, such as crime organizations and nation-states, and typical vulnerabilities they exploit.
• Consider common asset containers like servers, security devices, and infrastructure services affected by vulnerabilities.
• Assess the effectiveness of existing controls against identified scenarios and compile them into a consensus with stakeholders.

Team Collaboration in Risk Assessment

• Engage control owners to evaluate control effectiveness for identified vulnerabilities.
• Consensus among internal stakeholders is crucial for determining residual risk levels within the organization’s risk appetite.
• Workshops facilitate collective decision-making to address biases in risk assessment ratings.

Description

This quiz delves into Threat Modelling and Key Considerations in IT Risk Management. Focused on assessing information security risks, it covers platforms, sensitivity levels, potential threats, and system vulnerabilities. Perfect for students seeking to deepen their understanding of risk management strategies.