Chapter 14 Legal Issues Quantitative Risk Assessment
50 Questions

Questions and Answers

Which of the following represents a primary advantage of using a quantitative risk assessment (RA) approach?

  • It simplifies the valuation of intellectual property and competitive advantages by using broad estimations.
  • It minimizes the need for detailed asset valuation by focusing on potential risk scenarios, rather than specific asset values.
  • It offers an objective and monetary-based evaluation of costs, facilitating direct cost-benefit comparisons of controls. (correct)
  • It emphasizes qualitative data, providing a richer understanding of intangible asset values.

What presents a significant challenge when conducting a quantitative risk assessment?

  • The straightforward application of standardized risk metrics across different organizational departments.
  • The limited need for specialized knowledge in risk management, making it accessible to all team members.
  • The ease of assigning precise monetary values to all types of assets, including intangible ones.
  • The difficulty in accurately assigning value to assets, especially those with intangible value. (correct)

Why might assigning a monetary value to an organization's intellectual property be difficult during a quantitative risk assessment?

  • The subjective and intangible nature of intellectual property makes its financial valuation complex. (correct)
  • Intellectual property values are always clearly defined by market standards.
  • Assigning values to intellectual property is straightforward as it directly correlates with production costs.
  • Organizations generally avoid assigning values to intellectual property due to legal restrictions.

What is the initial step that an RA team should take when performing a quantitative risk analysis?

  • Assigning a monetary value to each of the organization's assets. (A) (correct)

In the context of quantitative risk assessment, what does the determination of the 'exposure factor' directly follow?

  • The identification of organizational vulnerabilities and threats. (A) (correct)

Which consideration most complicates the objective valuation of an asset during a quantitative risk assessment?

  • The asset's intangible qualities and contribution to competitive advantage, which are subjective. (B) (correct)

How does a quantitative risk assessment enable more informed decision-making regarding security controls?

  • By enabling a direct monetary comparison between the cost of risk and the cost of implementing controls. (B) (correct)

Which aspect of asset valuation introduces a degree of subjectivity into quantitative risk assessments, potentially affecting their reliability?

  • The inherent difficulty in precisely quantifying intangible assets and their strategic value. (B) (correct)

An organization experiences a data breach due to a former employee accessing the network with inactive credentials. Which pairing BEST identifies the vulnerability and threat source in this scenario?

  • Vulnerability: Failure to remove user accounts; Threat Source: Human (terminated employee) (D) (correct)

What distinguishes a 'threat' from a 'vulnerability' in the context of cybersecurity?

  • A vulnerability is a weakness that can be exploited, while a threat is a potential event that could exploit that weakness. (C) (correct)

A company updates its security protocols. They decide to re-configure physical security and update user access controls for sensitive data. Why is it important to address both physical and logical vulnerabilities?

  • Addressing both types of vulnerabilities ensures comprehensive risk mitigation, as exploitation of either can compromise the organization. (C) (correct)

Which scenario exemplifies a threat leveraging a technological vulnerability?

  • An attacker exploits a software flaw to gain unauthorized access to a database. (A) (correct)

Consider a scenario where a hospital's IT systems are vulnerable due to unpatched software. Which threat source and potential threat combination poses the GREATEST risk to patient safety and data privacy?

  • Threat Source: Human (malicious attacker); Threat: Ransomware attack leading to data exfiltration and system downtime (B) (correct)

An organization identifies a vulnerability in its remote access system. What proactive measure could BEST mitigate the risk associated with this vulnerability before a threat source can exploit it?

  • Implementation of multi-factor authentication for remote access and regularly patching the system (C) (correct)

A company implements stricter physical security measures at its data center, including biometric access control and surveillance systems. However, it neglects to update its incident response plan to address potential physical breaches. What is the MOST significant shortcoming of this approach?

  • The company lacks the ability to effectively detect, respond to, and recover from a physical security incident. (D) (correct)

A small business uses cloud storage for its sensitive data but fails to configure access permissions properly, making the data publicly accessible. Which of the broad threat categories BEST describes this scenario?

  • Operational (A) (correct)

A manufacturing company wants to improve its security posture. Which approach BEST integrates vulnerability management and threat intelligence?

  • Utilizing threat intelligence feeds to prioritize patching of vulnerabilities that are actively being exploited in the wild. (A) (correct)

An organization's incident response team discovers a data breach. Further investigation reveals that a misconfigured firewall allowed unauthorized access to a critical database. What type of vulnerability is the misconfigured firewall?

  • Technological (D) (correct)

An organization identifies a high-risk vulnerability through qualitative risk analysis. What is the MOST likely immediate action the organization should take?

  • Implement controls to mitigate the vulnerability. (B) (correct)

What is a major limitation of relying solely on qualitative risk assessments for information security?

  • It does not provide a clear, financial justification for the investment in security controls. (D) (correct)

An organization is deciding between performing a qualitative or quantitative risk assessment. Under what circumstances would a qualitative risk assessment be the MOST appropriate first step?

  • When the organization needs to quickly identify and prioritize risks without detailed financial analysis. (B) (correct)

In the context of risk management, what does a risk level matrix primarily help an organization to determine?

  • The priority of risks that need to be addressed. (C) (correct)

How does a qualitative risk assessment primarily differ from a quantitative risk assessment in evaluating risk?

  • Qualitative assessments focus on identifying assets, threats, and vulnerabilities, whereas quantitative assessments calculate potential financial losses. (B) (correct)

Which of the following actions BEST exemplifies remediating risks associated with terminated employee accounts based on a risk assessment?

  • Conducting regular audits of active user accounts to identify and remove those of terminated employees. (C) (correct)

An organization's risk assessment reveals a significant vulnerability: unpatched servers. Which mitigation strategy demonstrates risk transference?

  • Purchasing a cyber-insurance policy that covers potential losses from exploits targeting unpatched servers. (C) (correct)

What BEST describes the relationship between threats, vulnerabilities, and risk in the context of a risk assessment?

  • Threats exploit vulnerabilities to create risk; risk is the likelihood and impact of a threat exploiting a vulnerability. (A) (correct)

An organization calculates an Annualized Loss Expectancy (ALE) of $250,000 for data breaches. Which action aligns with sensible risk management based solely on this ALE?

  • Investing $200,000 annually in enhanced cybersecurity measures and employee training. (B) (correct)

What does comparing the ALE before and after implementing a control primarily help an organization determine?

  • The monetary value of the implemented control. (D) (correct)

In a quantitative risk analysis, what primary metrics are used by the Risk Assessment (RA) team to prioritize risks for recommending controls?

  • Annualized Rate of Occurrence (ARO) and Annualized Loss Expectancy (ALE). (A) (correct)

When conducting a qualitative risk analysis, how does the Risk Assessment (RA) team categorize and prioritize risks?

  • By assessing risks based on potential harm, considering likelihood and impact classifications. (D) (correct)

A company has an SLE of $500,000, and the ARO is 10%. To mitigate the financial risk, what is the maximum amount the organization should ideally spend on controls annually?

  • $50,000 (D) (correct)

What key factors should the Risk Assessment (RA) team consider when suggesting controls to executive management to mitigate identified risks?

  • The high priority risks and controls that can mitigate or eliminate those risks. (B) (correct)

A natural disaster poses a risk with an SLE of $1,000,000 and an ARO of 3%. After implementing a new security measure costing $15,000 annually, the ARO is reduced to 1%. From a purely financial perspective, what is the value of the safeguard?

  • $20,000 (A) (correct)

An organization identifies a risk with a Single Loss Expectancy (SLE) of $75,000 and an Annualized Rate of Occurrence (ARO) of 20%. After implementing a countermeasure, the ARO is reduced to 5%, but the annual cost of the countermeasure is $4,000. What is the net financial impact of implementing the countermeasure?

  • A net gain of $5,875 (B) (correct)

In the context of risk assessment, what is the primary purpose of performing a cost-benefit analysis for suggested controls?

  • To present a clear justification for the investment in controls, showing how the benefits outweigh the costs. (A) (correct)

An organization calculated its ALE for a specific risk as $100,000. However, due to budget constraints, they can only allocate $75,000 for risk mitigation controls. What is the MOST appropriate course of action?

  • Prioritize controls that offer the most significant risk reduction within the $75,000 budget. (A) (correct)

If a Risk Assessment (RA) team performs a qualitative analysis, how should they demonstrate the effect of suggested controls on a specific threat or vulnerability?

  • By showing how the suggested control affects the overall risk level. (A) (correct)

Which of the following best describes the role of vendor software in Risk Assessment (RA) processes?

  • Vendor software offers tools and frameworks to assist organizations in completing RAs, but should not be exclusively relied on. (B) (correct)

A Chief Information Security Officer (CISO) is evaluating two potential security controls. Control A reduces the ALE from $50,000 to $30,000 and costs $10,000 per year. Control B reduces the ALE from $50,000 to $25,000 and costs $15,000 per year. Which control represents a more cost-effective investment based solely on ALE reduction?

  • Control A, because it has a lower annual cost. (A) (correct)

What is the primary focus of the NIST "SP 800-30 (Rev. 1): Guide for Conducting Risk Assessments"?

  • Providing a risk assessment methodology that takes qualitative factors into account. (A) (correct)

How can organizations utilize ALE calculations beyond simply determining the maximum justifiable investment in security controls?

  • To compare the cost-effectiveness of different risk mitigation strategies and prioritize resource allocation. (D) (correct)

What is the difference between qualitative and quantitative risk assessments, concerning suggesting and showing the effects of controls?

  • A qualitative analysis should show how the suggested control affects the overall risk level for a specific threat or vulnerability, and a quantitative analysis should include a cost-benefit analysis for each suggested control. (C) (correct)

An organization is developing an IT contingency plan. What initial step is MOST crucial for them to undertake?

  • Conducting a comprehensive risk assessment to identify vulnerabilities and threats. (C) (correct)

Which of the following BEST describes the primary goal of IT risk management?

  • To understand, assess, and mitigate risks to an acceptable level to protect resources and data. (B) (correct)

An organization identifies a critical vulnerability in its web application allowing potential SQL injection attacks. Which action aligns BEST with a risk mitigation strategy?

  • Immediately patching the vulnerability and implementing a web application firewall (WAF). (D) (correct)

In the context of risk management, what does understanding the 'security posture' of an organization primarily involve?

  • Evaluating the organization's current security strengths, weaknesses, and overall risk exposure. (B) (correct)

An organization is struggling to meet its information security goals. What is the MOST likely underlying cause, according to the text?

  • Inadequate understanding of its risks and vulnerabilities. (B) (correct)

What is the MOST effective method for an organization to strengthen its information security posture?

  • Developing a comprehensive risk management process to identify vulnerabilities and understand potential threats. (B) (correct)

What activity is CRITICAL when planning for contingencies within an organization's broader risk management framework?

  • Integrating risk management findings into the development and refinement of tailored contingency plans. (C) (correct)

Which of the following activities is MOST important for supporting overall information security goals?

  • Implementing a structured risk management process (D) (correct)

Flashcards

Risk Management

The process of identifying, assessing, and prioritizing risks.

Security Posture

An organization's overall security state, including strengths and weaknesses.

Contingency Plans

Plans for responding to significant disruptions or emergencies.

Vulnerabilities

Weaknesses in a system that can be exploited by threats.

Threats

Potential dangers that can exploit vulnerabilities.

IT Risk Management

Safeguarding digital data and IT infrastructure.

Contingency planning

The ability to respond effectively to unexpected events.

Risk Management goal

Understanding the risks, vulnerabilities, and threats an organization faces daily.

Quantitative Risk Assessment

Assigns real numbers to asset values and control costs for an objective, monetary-based risk assessment.

Advantage of Quantitative RA

Provides an objective, monetary-based assessment of the costs of risks and controls.

Benefit of Quantitative RA

Directly compares the costs and benefits of each recommended control.

Challenge of Quantitative RA

Assigning accurate value amounts to each of the organization's assets.

Factors Shaping Asset Cost

Cost of development and the ongoing cost of maintaining the asset each year.

Hard-to-Measure Asset Value

Intellectual property or assets that provide a competitive edge.

Subjectivity in Quantitative RA

There is a subjective element to asset values, particularly when an asset has intangible value.

Exposure Factor

After determining vulnerabilities and threats, the RA team must determine the exposure factor.

Threat Source

A person or circumstance that can potentially harm a system or organization.

Vulnerability

Weaknesses in a system that threats can exploit.

Human Threats

Threats caused by the actions, either malicious or unintentional, of people.

Natural Threats

Threats caused by events like floods, earthquakes, or storms.

Technology Threats

Threats related to hardware or software failures, or network issues.

Operational Threats

Threats from flaws in policies and procedures.

Physical/Environmental Threats

Threats such as theft, vandalism, or environmental hazards.

Deliberate Threats

Threats carried out intentionally to cause harm.

Accidental Threats

Threats that happen by accident or without planning.

Terminated Employee Threat

When terminated employees retain access to IT resources, leading to data theft or destruction.

Annualized Loss Expectancy (ALE)

The total expected loss from a risk over one year.

ALE Equation

An equation to calculate Annualized Loss Expectancy.

What creates ALE?

The product of Single Loss Expectancy and Annualized Rate of Occurrence.

Single Loss Expectancy (SLE)

The estimated financial impact of a single occurrence of a risk.

Annualized Rate of Occurrence (ARO)

The estimated frequency of a risk occurring in a year.

ALE Spending Limit

Don't spend more on security than the potential loss.

Value of a Security Control

Determining safeguard value by comparing ALE before and after control implementation.

Why Calculate ALE?

Evaluating total yearly losses.

Risk Prioritization (Quantitative)

Prioritize risks by Annualized Loss Expectancy (ALE) and Annualized Rate of Occurrence (ARO) in quantitative analysis.

Risk Prioritization (Qualitative)

Classify risks by potential harm, considering likelihood and impact, in qualitative analysis.

RA Team Recommendations

Suggest controls to executive management for high-priority risks.

Qualitative Analysis Outcome

It shows how the suggested control affects the overall risk level for a specific threat or vulnerability.

Cost-Benefit Analysis

A detailed examination of the costs versus the benefits of implementing a specific control.

Qualitative Risk Analysis

A method for conducting risk assessments which uses descriptive categories rather than numerical values to define risk components.

Quantitative Risk Analysis

A method for conducting risk assessments which uses numerical values to define risk components.

NIST SP 800-30

A guide by NIST which provides a qualitative risk assessment method.

Risk Level Matrix

A tool used to prioritize risks based on their potential impact and likelihood.

Risk Mitigation

Recommending and applying security measures based on identified risks and their levels.

Account Termination

Controls should be implemented to remove user accounts for terminated employees in a timely manner.

Qualitative Risk Issue

Difficulty quantifying the cost-benefit of security controls.

Overspending on Controls

Spending too much on a security control relative to the potential loss from a risk.

Quantitative Analysis preference

Organizations that need a financial justification for controls may prefer quantitative risk analysis.

Study Notes

Risk Analysis, Incident Response, and Contingency Planning

  • Risk management is an important tool that helps an organization understand the risks, vulnerabilities, and threats it faces daily, so that it can strengthen its security posture.
  • Organizations cannot meet information security goals or protect resources and data without understanding their IT risks.
  • The notes review fundamental risk concepts and explain how organizations use risk management to create contingency plans.

Contingency Planning

  • Organizations must plan for a wide range of events; contingency planning includes all the planning needed to keep operating during interruptions, emergencies, or disasters, and is not limited to IT assets.
  • Recent dramatic events like the September 11 attacks, power-grid failures, the H1N1 flu outbreak, and California wildfires highlight the need for contingency plans.
  • Contingency plans are holistic: they cover the whole organization and its processes, identifying the operations critical to business survival and recovery.
  • These plans include IT resources and operations, as many organizations depend on IT for data storage and automated processes.
  • Protecting and recovering IT assets is a vital part of contingency planning, especially for small organizations, as 43% of cyberattacks target them.
  • Incident response (IR), disaster recovery (DR), and business continuity (BC) planning are discussed in relation to IT resources.
  • The scope of contingency planning ranges from life safety to continuing the business without electricity; the focus here is on the security of IT resources.
  • Although each type of plan has different goals, all contingency plans share the same foundation: a risk analysis to understand and protect IT resources.
  • Organizations cannot create any contingency plan until they understand the risks to their IT resources.

Risk Management

  • According to NIST, risk management is a complex, multifaceted activity requiring the involvement of the entire organization.
  • Risk management identifies risks, ensures cost-effective responses, and supports business goals.
  • One of the main goals of risk management is to protect the organization's bottom line, aligning information security practices with business objectives.
  • Organizations use risk management to plan and prioritize their information security activities.
  • A risk analysis of a database with customer data, for example, shows a vulnerability because system administrators share a single account with a weak password.
  • The database is therefore open to attack which can compromise the confidentiality and availability of data.
  • As part of its RM function, the organization reviews the potential impact of this risk and considers costs like customer notification, regulatory reporting, fines, lawsuits, and operational issues.
  • Steps are taken to mitigate the risk by requiring system administrators to use individual accounts with multifactor authentication and properly backing up customer data.
  • The RM process identifies risks, offers solutions, secures resources, and protects business operations and bottom line including:
    • Risk assessment to identify threats and vulnerabilities
    • Risk response with policies to respond to risks
    • Employee training on threats and vulnerabilities
    • Continuous monitoring to update policies and controls
  • The RM process and the information it produces form the basis for an organization's contingency plans; BC and DR plans, for example, respond to the natural or man-made disasters identified during the RM process.

Risk Assessment Process

  • Risk assessment identifies threats/vulnerabilities to IT resources, reviews probability of occurrence (realized risk), potential harm, and policies/controls to respond.
  • Risk response reduces realized risk to an acceptable level, with the remaining risk known as residual risk.
  • Risk assessment supports executive management in making informed decisions about information security controls.
  • Without a risk assessment, management cannot know whether the controls and policies it implements are needed or cost-effective.
  • The steps in a risk assessment are:
    • Inventory the assets included in the assessment
    • Identify threats and vulnerabilities to those assets
    • Categorize likelihood of occurrence and potential loss
    • Document where controls are needed.
  • An RA team should include people with different roles, from IT personnel to business personnel.
  • RA team members must be objective and must avoid conflicts of interest.
  • Consultants can add objectivity and risk analysis expertise, but they need to learn the business processes and IT systems, and respect the organization's culture, quickly.
  • Collecting information about assets and risks and reporting assessment results to executive management is the task of an RA team.
  • An RA must be narrowly scoped and focused, reviewing one component at a time, in order to be manageable.
  • The RA teams should consider:
    • Personnel
    • Data
    • Hardware and software
    • Physical facilities
    • Business process workflows
    • Safeguarding controls
  • For each IT resource, the team needs to know how vulnerabilities and threats might affect confidentiality, integrity, and availability.
  • A vulnerability is a weakness or flaw in an IT system, while a threat is anything that could exploit such a weakness and cause harm.
  • There are four broad categories of vulnerabilities:
    • People
    • Process
    • Facility
    • Technology
  • While threats include:
    • Human
    • Natural
    • Technology and operational
    • Physical and environmental
  • Threats can be deliberate or accidental.
  • To identify vulnerabilities, the team should review policies, procedures, and industry guidelines, and use automated scanning.
  • It isn't possible to identify every vulnerability (zero-day exploits, for example) because technology changes so rapidly.

Likelihood and Potential Loss

  • The RA team determines how likely each risk is and what its potential loss would be, as a quantitative or qualitative measure, depending on the risk methodology.
  • Quantitative analysis uses real numbers to calculate risk and potential loss, assigning real monetary values to assets and control costs.
  • Quantitative analysis provides a monetary-based assessment of both the cost of a risk and the cost of controls, so the cost of each recommended control can be compared directly with the loss it prevents.
  • Disadvantages:
    • It is difficult to administer
    • Assigning a value to every asset is difficult
  • The exposure factor (EF) is the percentage of the asset's value likely to be lost when an identified threat is realized.
  • Single loss expectancy (SLE) = asset value × exposure factor: the amount of money the organization loses each time the threat is realized.
  • ARO stands for "annualized rate of occurrence": how many times a specific risk is expected to occur in a one-year time frame.
  • Annualized loss expectancy (ALE) = SLE × ARO.
  • Qualitative (subjective) risk analysis, in contrast, uses scenarios and rating systems to describe risk and harm with descriptive categories rather than monetary values.
  • The advantages of this approach are:
    • It is easy to use and does not require specialized financial knowledge.
  • Its disadvantages are:
    • It is very subjective
    • It lacks real numbers
  • Likelihood categories, together with impact categories, let the team compare risks:
    • Low - Events that are unlikely to happen within a year
    • Medium - Events that are somewhat likely to happen within a year
    • High - Events that are likely to happen within a year
  • The team then needs a way to correlate and compare risks to decide where to apply controls.
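The SLE, ARO and ALE relationships above, the ALE-based prioritization, the "compare ALE before and after the control" valuation of a safeguard, and the Low/Medium/High risk level matrix, worked through as an added Python example. This is not code from the original notes: the asset values, exposure factors, rates of occurrence and control costs are constructed for illustration, the `Risk` and `Control` names are this example's own, and the cell values of the qualitative matrix are an assumed scoring.

```python
"""Quantitative and qualitative risk figures from the study notes, worked in code.

Constructed example: every asset value, exposure factor, ARO and control
cost below is made up for illustration and is not from the original notes.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # monetary value assigned to the asset
    exposure_factor: float  # fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_aro: float          # ARO expected once the control is in place


def ale_reduction(risk: Risk, control: Control) -> float:
    """Value of the safeguard: ALE before the control minus ALE after it."""
    return risk.ale() - replace(risk, aro=control.new_aro).ale()


def net_benefit(risk: Risk, control: Control) -> float:
    """Cost-benefit figure: ALE reduction minus the control's annual cost.
    A negative result means the control costs more than the loss it prevents."""
    return ale_reduction(risk, control) - control.annual_cost


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Quantitative prioritization: highest ALE first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def recommend(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Pick the control with the best net benefit; None when no control
    is worth its cost (the 'don't spend more than the potential loss' rule)."""
    best = max(controls, key=lambda c: net_benefit(risk, c))
    return best if net_benefit(risk, best) > 0 else None


# Qualitative counterpart: a risk level matrix. The Low/Medium/High categories
# are the likelihood levels from the notes; the cell values are an assumed
# scoring, not one taken from the notes.
LEVELS = ("Low", "Medium", "High")
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}


def qualitative_level(likelihood: str, impact: str) -> str:
    """Look up the overall risk level for a (likelihood, impact) pair."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be Low, Medium or High")
    return RISK_MATRIX[(likelihood, impact)]


# Constructed sample risk register (not from the notes).
RISKS = [
    Risk("natural disaster at the data center", 1_000_000, 1.0, 0.03),
    Risk("shared admin account on the customer database", 500_000, 0.6, 0.25),
    Risk("unpatched servers", 200_000, 0.5, 0.5),
]
# Two candidate controls for the unpatched-servers risk (constructed).
SERVER_CONTROLS = [
    Control("monthly patch management", annual_cost=12_000, new_aro=0.10),
    Control("replace every server each year", annual_cost=60_000, new_aro=0.05),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.name}: SLE ${r.sle():,.0f}, ALE ${r.ale():,.0f}")
    for c in SERVER_CONTROLS:
        print(f"{c.name}: ALE reduction ${ale_reduction(RISKS[2], c):,.0f}, "
              f"net ${net_benefit(RISKS[2], c):,.0f}")
    chosen = recommend(RISKS[2], SERVER_CONTROLS)
    print("recommended:", chosen.name if chosen else "none (accept the risk)")
    print("qualitative level for Medium likelihood, High impact:",
          qualitative_level("Medium", "High"))
```

Running it ranks the shared-admin-account risk first (ALE $75,000) ahead of the unpatched servers ($50,000) and the natural disaster ($30,000), and for the servers it shows why the cheaper patch-management control wins: both controls cut the ALE substantially, but the server-replacement option costs more per year than the loss it prevents, which is exactly the overspending the ALE spending-limit rule is meant to catch.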

Document Needed Controls

  • Document the needed security controls by reviewing the assessment results, prioritizing risks by ALE, and recommending controls.

Risk Assessment Methods

  • A variety of RA processes and software tools are available. Examples include:
    • NIST "SP 800-30 Guide for Conducting Risk Assessments" (qualitative)
    • ISO 31010 "Risk Management – Risk Assessment Techniques"
    • MoR framework
    • Carnegie Mellon University's OCTAVE (qualitative and self-directed)
    • Thomas Peltier's FRAAP (based on ISO/IEC 27001)
    • Microsoft's "Security Risk Management Guide" (quantitative and qualitative elements)
  • Executive management reviews the report and uses it as part of information security governance, showing due care and due diligence.

Risk Response

  • Executive management must decide the organization's response: actions that reduce risk to an acceptable level with the most appropriate and cost-effective controls and the least impact on operations.
  • Risk avoidance applies controls or takes action to avoid a particular risk completely; for example, system owners can disable the affected functions.
  • Risk mitigation applies controls to reduce a particular risk to an acceptable level (the residual risk); for example, access controls that limit access to trusted employees.
  • Risk transfer shifts the risk to another party, typically through insurance such as cyber-liability policies.
  • Risk acceptance is an intentional decision to do nothing about a potential risk.

Training Employees and Continuous Monitoring

  • Employees should be included in the risk management process:
    • Employees can often contribute to organizational risk
    • Organizational policies direct employee behavior to reduce risk
    • Training keeps employees aware of their security responsibilities
  • Organizations must continuously monitor:
    • Information security risk
    • The controls that have been put in place
  • Executive management must be diligent in reviewing risk because technology changes quickly.

Three Types of Contingency Planning

  • Conducting an RA forces organizations to plan for the risks they accept or cannot avoid, limiting the financial loss from adverse events and minimizing interruptions to services and processes and the impact on customers.
  • The three main types of contingency plans are:
    • Incident response (IR) plans
    • Disaster recovery (DR) plans
    • Business continuity (BC) plans
  • Organizations create these plans to respond to events affecting IT resources and business processes from an information security perspective.
  • All of these plans must keep the preservation of human life in mind.

Incident Response Planning

  • The IR process is how the organization reacts to attacks on IT and makes sure it can recover from security incidents and continue operations.
  • Incident Response or Incident Handling describes actions to:
    • Detect information security incidents
    • Determine cause
    • Mitigate damages from incident
    • Recover

Defining an Incident

  • An incident is an adverse event affecting the confidentiality, integrity, or availability of an organization's data.
  • Organizations use acceptable use policies to define how employees may use IT resources; the policy is a reference point for deciding whether an event is an incident.
  • Important parts of IR include documentation and creating incident response teams with cross-department advisors, such as:
    • Information security/ IT
    • Legal counsel
    • HR
    • Auditing

IR Plan Process

  • The IR plan should outline:
    • Incident Triage
    • Investigation
    • Containment/Mitigation
    • Recovery
    • Review

Incident Triage

  • Incident triage is the first phase of the incident response process
    • This is where a potential incident is initially assessed
    • The primary handler confirms that the adverse event actually meets the organization's definition of an incident
    • There can be operational incident teams that include the departments listed above

Operational Incident Roles

  • Victim: the party harmed by the incident
  • Attacker: the person who caused the incident
  • Incident reporter: the person who reports the incident
  • Primary handler: the person in charge of coordinating the response to a particular incident

Classifications

  • Incidents are also classified by the threat involved or the vulnerability exploited.
  • Organizations use incident categories based on NIST guidance, such as those of DHS's NCCIC, used by US-CERT, to which all federal agencies must report incidents.

Investigation

  • This phase determines what the incident is, where it came from, and what impact it has on the organization.
  • Handlers must fully document their actions, and the records must be kept on file in case of regulatory requirements.
  • Internal policies should state when law enforcement is involved; if the incident is deemed a crime, handlers must follow good evidentiary practices (such as preserving chain of custody) so the evidence is usable when law enforcement is contacted.
  • Containment/mitigation should begin as quickly as possible, though the right timing varies with the incident.
  • Damaged IT resources must be repaired and hardened so they are not vulnerable to similar events in the future.

Disaster Recovery and Business Continuity Planning

  • DR and BC plans help an organization respond to events that could halt business operations and damage critical business functions. Incidents are less severe and easier to deal with than disasters.
  • Natural and human-caused threats include earthquakes, sabotage, terrorism, etc.
  • Organizations should take measures to limit the damage caused by potential disasters.

DR and BC

  • DR plans focus on the organization's recovery, usually of its IT systems
  • BC plans cover the organization's operations during and after IT recovery

DR and BC TEAMS

  • Consist of:
    • IT
    • Legal counsel
    • HR
    • Executive management
    • Physical security

DR/BC Plan Development

  • Similar to RA and IR planning, DR/BC planning consists of:
    • BC policy
    • Business impact analysis (BIA)
    • Identifying potential threats and controls
    • Recovery strategy
    • Designing and maintaining the plan
  • The BIA is used to estimate the business impact of an outage and to support the planning decisions.

Preventative Controls

  • Consist of:
    • Fire suppression
    • Generator backup
    • Offsite backup
    • Data backup

Backup Site Options

  • The organization needs a backup location to which it can move its operations:
    • Mirrored site: fully operational duplicate; the most expensive option
    • Hot site: an operational backup that can take over quickly
    • Warm site: a partial site with some resources, such as electricity and network connectivity
    • Cold site: the cheapest, but has nothing (no hardware or connectivity); can take weeks to bring up
  • Employee environment: employees need backup means to communicate and work
  • IT operations also need a backup plan; vendor contracts let the organization obtain replacement equipment quickly
  • Afterward, plans should be monitored for changes in systems and personnel
  • There should be plans to react to events that affect IT resources and business processes

Testing The Plan

Contingency plans are validated through testing.

  • A test familiarizes staff with workflows, provides emergency training, and identifies deficiencies. Testing methods include:
    • Checklist test and walk-through test, which mainly train employees
    • Simulation test and full-interruption test, which show the effects on business activities

Special Considerations

RM and contingency planning are good business practices that help the organization plan for threats to its wellbeing.

Compliance in Planning

  • It is worth noting that, depending on the organization, contingency planning may or may not be required by law.
  • Under US common law there is no general duty to report a crime one witnesses, though there are instances where reporting is required, such as a child in danger.

Public Relations

Organizations need to plan for communication, because an event can overload communication systems, and in a regional disaster competition for resources adds to the impact. PR is the marketing function that manages the organization's image by defining:

  • Who is authorized to comment
  • What content and information is shared with the public
  • How it is shared if the normal communication methods are unavailable

Description

Test your knowledge of Quantitative Risk Assessment. Questions cover advantages, challenges, valuation, and the steps in performing a quantitative risk analysis. Assess your familiarity with exposure factors and decision-making related to security controls.
