Risk in Business Continuity Management


Questions and Answers

Which of the following best describes the quantitative measure of risk?

  • The average information security controls to be deployed.
  • The specific set of potential losses related to risk exposure.
  • The potential assets owned by an organization.
  • The potential damage caused by a threat, vulnerability, or event to IT assets. (correct)

According to the framework described, what three variables primarily determine risk assessment?

  • Likelihood of occurrence, detection methods, and recovery time.
  • Strength of threat agent, presence of vulnerabilities, and potential impact. (correct)
  • User awareness, system complexity, and data sensitivity.
  • Cost of controls, asset value, and regulatory compliance.

Which statement correctly relates the variables of threat, vulnerability, and impact to overall risk?

  • Risk increases if vulnerability decreases; risk decreases if the impact increases.
  • Risk is independent of the strength of the threat agent but directly proportional to the impact.
  • Risk increases if threat increases; risk remains constant if vulnerability decreases.
  • Risk approaches zero if any of the variables (threat, vulnerability, or impact) approaches zero. (correct)

In the context of risk assessment, how are Risk Assessment (RA) and Business Impact Analysis (BIA) typically related?

  • They are often intertwined, with RA identifying risks and BIA covering the impact. (C, correct)

What does 'Risk Appetite' refer to in the context of risk management?

  • The total amount of potential loss a business is willing to accept. (C, correct)

Why is risk assessment necessary for an organization?

  • To reduce risk as much as practically possible and meet various requirements. (B, correct)

What is the initial step in the Risk Assessment (RA) process?

  • Identifying threats at a conceptual level. (A, correct)

When is cost justification typically addressed during the Risk Assessment process?

  • After the Business Impact Analysis (BIA) is completed. (A, correct)

An organization decides to install CCTV cameras to prevent theft. Which risk management option does this represent?

  • Reducing the risk (B, correct)

What does the risk management option 'Transfer' involve?

  • Passing the risk to another party, such as through insurance or outsourcing. (B, correct)

Even after implementing risk management strategies, what type of risk typically remains?

  • Residual risk (B, correct)

Which of the following is a primary concern when businesses measure risk in monetary value?

  • The difficulty in accurately valuing assets like data and customer confidence. (D, correct)

Which of the following are examples of typical corporate IT assets that should be considered in Risk Management?

  • Desktops, laptops, mobile devices, and application servers. (B, correct)

An organization experiences a significant business disruption due to IT failures. Which area of business liabilities does this fall under?

  • Lapses in availability (A, correct)

Which type of organization needs risk management?

  • All of the above. (D, correct)

What is a potential impact of implementing risk management?

  • Reduction in information risk exposure, major incidents, and cost savings. (D, correct)

Who are the key stakeholders that must work together in risk management?

  • Management, users, information technology, and security experts. (D, correct)

What is the primary objective of risk assessment in risk management processes?

  • Calculating the potential damage and/or cost from a threat. (D, correct)

What should organizations consider when evaluating the effectiveness of risk mitigation?

  • The potential for new or different threats and vulnerabilities. (B, correct)

What is the purpose of asset valuation during risk identification?

  • To assess and rank the value of organizational assets. (A, correct)

Which of these questions can help you with asset valuation?

  • Will this asset generate the most revenue or will it be the most expensive to protect? (D, correct)

If an organization determines that the cost of protecting an asset exceeds its value, what strategy is most likely?

  • Accept the risk and allocate resources elsewhere. (D, correct)

What is the primary goal when creating a weighting for each category in information asset prioritization?

  • To weigh the categories, based on the answers to questions. (A, correct)

What is the system-centric approach to threat modeling?

  • Focusing on the model of the system to find the types of attacks possible. (D, correct)

In the context of threat modeling, what best describes the 'attacker-centric' approach?

  • Evaluating an attacker's goals using an attack tree. (D, correct)

In Incident/Threat identification, what type of incidents are usually set aside?

  • Unimportant incidents. (A, correct)

Which of the following questions is most relevant when identifying the potential impact of incidents and threats?

  • Which incidents/threats represent the most danger to information and assets? (C, correct)

Which of the following is considered a 'Force of nature' threat?

  • Fire (D, correct)

What is the definition of 'Vulnerability' in the context of Vulnerability Identification?

  • A specific avenue threat agents can exploit to attack an information asset. (B, correct)

Which of the following is an incident/threat for identifying risks?

  • Web server hacked. (B, correct)

What is the primary difference between qualitative and quantitative risk analysis?

  • Qualitative analysis uses descriptive scales, while quantitative analysis uses numerical values. (A, correct)

Which statement describes 'Semi-quantitative' risk analysis?

  • Qualitative scales are assigned numerical values. (B, correct)

What do terms like 'Minor', 'Moderate', and 'Major' commonly represent in Qualitative risk estimation?

  • Impact Level (C, correct)

Which formula is used to calculate Single Loss Expectancy (SLE) in quantitative risk analysis?

  • SLE = AV x EF (B, correct)

Which of these is the correct way to calculate Annualised Loss Expectancy (ALE)?

  • ALE = SLE x ARO (D, correct)

In risk management, what is the purpose of a 'risk-rating factor' in a worksheet?

  • To assess and rank the severity or importance of identified risks. (A, correct)

After completing a ranked vulnerability risk worksheet, what is the next step in controlling risk?

  • Choosing a strategy to control each risk. (D, correct)

What does treating risks economically involve?

  • Balancing the cost of treatment against the benefits derived. (C, correct)

A company is performing a cost-benefit analysis (CBA) before implementing a new security control. Which factor should be included?

  • The cost of maintenance and service. (D, correct)

What does the term 'ALE(prior)' represent in the CBA formula?

  • Annual Loss Expectancy of risk before control. (D, correct)

What is the purpose of evaluating, assessing, and maintaining risk controls on an ongoing basis?

  • To ensure controls remain effective and aligned with the organization's function. (C, correct)

Flashcards

What is Risk?

Quantitative measure of potential damage caused by a threat exploiting a vulnerability.

What is Risk Appetite?

A measure of how much risk an organization is willing to accept.

What is Risk Management?

Identifying risks, assessing their impact, and reducing their frequency.

Why do we need Risk Assessment?

Protection of life, governance, and legislative and compliance requirements.

What is the RA process?

Identify threats, examine assets' vulnerabilities, analyze risks, and consider countermeasures.

Accept Risk

Do nothing.

Avoid Risk

Develop an alternative plan.

Reduce Risk

Implement countermeasures (e.g., CCTV).

Contain Risk

Minimize the impact (e.g., backup servers).

Transfer Risk

Give it to someone else (outsource, insure).

Who needs Risk Management?

IT assets, data, proprietary information, customer data requiring legal adherence.

Roles in Risk Management

Users, experts identify threats, likelihoods, and management approves.

Risk Management Processes

Identify, assess, plan mitigation, implement, and evaluate for effectiveness.

What is Risk Identification?

Identifying threats, vulnerabilities or events to IT assets.

What is Risk Assessment?

Calculate potential damage/cost caused by a threat or vulnerability.

Risk mitigation planning

Controlling and mitigating IT risks through cost-benefit analysis

Risk mitigation implementation

Deploying and placing equipment/solutions into service.

Evaluation of Mitigation

Monitor for effectiveness against threats and determine if results are good.

Asset Identification

Begins with identifying assets, people, procedures, data, software, hardware, etc.

Asset Valuation?

The cost of assets to replace or protect.

Asset Prioritization?

Weighting and Factor Analysis

What is an Asset-Centric threat model?

Start with CIA and see how it can happen

What to include in the threat model?

Realistic, important, relevant incidents/threats

Vulnerability Identification

Avenues threat agents can exploit to attack information assets.

Qualitative Risk Analysis

Descriptive scales (minor, major) for impact, likelihood (rare, certain).

Semi-Quantitative Risk Analysis

Assign numerical values to qualitative scales for prioritization.

Quantitative Risk Analysis?

Involves numerical values for consequence and probability

Deciding when to address a risk

Risk is viable and important.

Documenting results of Risk Assessment

Risk rating factors (asset, impact, vulnerability, likelihood).

Risk Control Strategies

Reduce/mitigate, transfer, retain, or avoid risk.

Treat Risk Economically

Proportionality principle.

What are Feasibility Studies?

Determine advantage of a specific control.

Cost Benefit Analysis (CBA)

Analyse worth of assets to be protected and the loss in value if compromised.

CBA formula

ALE(prior) – ALE(post) – ACS

Risk Control Evaluation

Effectiveness and calculate the residual risk

Study Notes

Risk in Business Continuity Management

  • Risk is a quantitative measure of potential damage from threats, vulnerabilities, or events affecting an organization's IT assets
  • Risk exposure leads to potential losses
  • Risk is a measure of the average loss expected from that exposure
  • High risk warrants rapid deployment of specific information security controls

Assessing Risk

  • Risk assessment considers three variables:
    • Strength of threat agent (incentive and capability)
    • Presence and severity of vulnerabilities
    • Potential impact on the business
  • Likelihood of threat occurrence combines the strength of the threat agent and presence of vulnerabilities
  • Overall risk approaches zero if any variable approaches zero
  • Risk is the combination of threat likelihood and its impact (consequence)

Understanding Risk

  • Risk is an ever-present factor that must be recognized, identified and understood
  • Impact is covered in Business Impact Analysis (BIA)
  • Risk Assessment (RA) and BIA are often intertwined

Definitions

  • Risk management identifies risks, their impact, frequency and risk reduction measures
  • Risk appetite represents the acceptable level of risk, affecting cash value, share price, and profit
  • Hazards, threats, and risks are commonly used interchangeably
  • An asset is something of value
  • A hazard or threat is a theoretical exposure to danger
  • Risk is a hazard or threat with assessed probability of occurring to a particular asset

Risk Assessment Justification

  • Risk assessment is necessary for:
    • Protecting life, health, and safety
    • Fulfilling duty of care and corporate governance
    • Meeting legislative and compliance requirements
    • Ensuring public accountability
  • The objective of risk assessment is to reduce risk as much as practically possible

Risk Assessment Process

  • Identify threats at a conceptual level such as fire, flood, and power loss
  • Examine the vulnerability of assets to identified threats
  • Analyze the risk and develop countermeasures, considering vulnerability
  • Cost justification measures are implemented after BIA completion, balancing cost vs. potential loss

Options for Risk Management

  • Accept the risk by doing nothing
  • Avoid the risk by developing an alternative plan
  • Reduce the risk by implementing countermeasures like CCTV to deter thieves
  • Contain the risk by minimizing impact using multiple backup servers
  • Transfer the risk via outsourcing or insurance
  • Residual risk will always remain
  • An acceptable level of risk and possible losses must be defined

Threat Examples

  • Examples of natural disasters include fire, flood, and earthquakes
  • Health and human resource issues involve industrial actions and loss of key staff
  • Operational and man-made disasters include equipment failure
  • Technology and infrastructure failure involves software, hardware, and network issues
  • Supply failures may be service level related
  • Business and compliance failures include legal breaches
  • External threats can be recession or terrorist activity
  • Financial threats may include cashflow problems
  • Fraud is a possible threat

Challenges of Measuring Risks

  • Measuring risks in monetary value can be difficult
  • Asset valuation including data, in-house software (no market value), goodwill, and customer confidence, is challenging
  • Likelihood of future threats is hard to predict because:
    • The relevance of past data is questionable
    • Future attacks are unpredictable
    • Actions of future attackers are hard to determine
  • Measuring the benefit from security measures is difficult when assessing the effect on probability of attack

Corporate IT Assets

  • Corporate IT assets encompass:
    • Desktops, PCs, laptops
    • Mobile devices, wireless networks
    • Application, mail, and web servers
    • Databases, corporate data
    • Network elements
    • PBXs, IP-PBXs, VRUs, ACDs, voicemail systems
    • Mobility support systems
    • Power sources
    • Remote/branch location systems
    • Key business processes

Loss Areas

  • Primary business and financial liabilities result from lapses in:
    • Confidentiality: protection of sensitive information
    • Integrity: information, assets, and IT controls
    • Availability: IT services
  • Top business liabilities include:
    • Loss/theft of customer data
    • Business disruptions from IT failures
    • Loss of integrity for critical IT assets and information

Risk Management Needs

  • Any organization is suitable for Risk Management if it:
    • Has IT assets/data/proprietary information
    • Keeps customer information
    • Requires formal documentation
    • Adheres to legal/fiduciary requirements

Impact of Risk Management

  • Risk management is vital, despite not being well understood
  • Businesses on average:
    • Incur incidents daily
    • Have 58% chance of major incident yearly
  • Implementing risk management can:
    • Reduce information risk exposure
    • Decrease major incident chances
    • Save funds by reducing risk
  • Controls decrease minor incidents, with fewer resulting inefficiencies

Roles in Risk Management

  • Management, users, and IT must collaborate. Roles include:
    • Asset owners developing inventory lists
    • Users/experts identifying threats/vulnerabilities and likelihoods
    • Risk management experts guiding risk assessment
    • Security experts selecting controls
    • Management reviewing risk management and approving controls

Risk Management Processes

  • Risk Identification consists of identifying threats, vulnerabilities, and events to IT assets
  • Risk Assessment calculates the potential damage/cost
  • Risk Mitigation Planning involves controlling and mitigating IT risks through cost-benefit analysis
  • Risk Mitigation Implementation consists of deploying identified solutions
  • Evaluation of Mitigation's Effectiveness is monitoring the environment, and determining if new modifications result in different threats/vulnerabilities

Risk Identification Details

  • Risk identification involves identifying threats, vulnerabilities, or events to IT assets
  • Risk identification begins with identifying the organization's assets and assessing their value
  • Assets are the targets of threat agents
  • Risk management identifies the organization's assets and the incidents exploited by threat agents

Asset Identification, Valuation, and Prioritization

  • Asset identification, valuation, and prioritization is an iterative process
  • It begins with identifying all elements of the system
  • Assets include people, procedures, data, software, hardware, and networks
  • Assets are then classified and categorized

Asset Valuation Questions

  • To determine which information asset to protect:
    • What is most critical to organization's success?
    • What generates most revenue/profitability?
    • What is most expensive to replace or protect?
    • What would be most embarrassing or cause greatest liability if revealed?

Asset Prioritization

  • Create weighting for each category
  • Calculate each asset by weighted factor analysis
  • List assets in order of importance

Data Classification and Management

  • Various classification schemes are used by corporate and military organizations
  • Information owners classify assets
  • Conduct periodic reviews of classifications
  • Most organizations don't need detailed classifications used by the military
  • Classify data to provide protection

Threat Modeling Approaches

  • Attacker-centric: starts from attackers, their goals and evaluating how they might achieve them.
  • System-centric: starts from system model to follow logic with the intent to discover attacks against various model elements.
  • Asset-centric: starts from the assets entrusted to a system and identifies how their CIA properties could be breached

Incident/Threat Identification Questions

  • Is the incident realistic?
  • Should other incidents be set aside?
  • Questions for identification:
    • Which incidents/threats can affect assets?
    • What represents the most danger?
    • How much would it cost to recover from an attack?
    • Which incidents/threats are most expensive to prevent?

Vulnerability Identification

  • Vulnerabilities are avenues threat agents exploit to attack an information asset
  • Examine the organization's assets and vulnerabilities
    • Assess how each incident or threat could be perpetrated
  • Utilize personnel for diverse perspectives to work in iterations
  • Achieve a final list of assets and their vulnerabilities

Risk Estimation Types

  • Qualitative: descriptive scales (ex: minor, moderate and catastrophic)
  • Semi-quantitative: assigns numerical values to qualitative scales
  • Quantitative: numerical values for consequence and likelihood

Risk Handling Decisions

  • Risk is only unacceptable if the following apply to a viable threat:
    • the system is designed to be vulnerable
    • the system is exploitable
    • the vulnerability exists
    • the attacker has more to gain than the cost of the system

Ranked Vulnerability Risk Worksheet Contents

  • Worksheet details:
    • Asset
    • Asset impact
    • Vulnerability
    • Vulnerability likelihood
    • Risk-rating factor

Risk Control Strategies

 1. Reduce/mitigate risk
 2. Transfer risk
 3. Retain risk
 4. Avoid risk

Risk Treatment Based On

  • the extent of risk reduction
  • any additional benefits obtained

  • High risk levels may be acceptable if beneficial opportunities arise as a result of taking the risk
  • Balance the cost of implementing a treatment option against the benefits derived (proportionality principle)
  • Large risk reductions for low expenditure should be implemented
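As an added worked example (not part of the original notes), the quantitative formulas quoted in the quiz and flashcards (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS) applied to a constructed ranked vulnerability risk worksheet, with the proportionality principle deciding between reducing and retaining each risk. The 1-5 impact/likelihood scales, their product as the risk-rating factor, and every asset figure are assumptions; the page gives no rating formula.

```python
from dataclasses import dataclass


@dataclass
class WorksheetRow:
    """One line of the ranked vulnerability risk worksheet (constructed example)."""
    asset: str
    asset_value: float       # AV: value of the asset in currency units
    vulnerability: str
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float               # ARO: expected incidents per year before any control
    impact: int              # assumed 1-5 semi-quantitative impact scale
    likelihood: int          # assumed 1-5 semi-quantitative likelihood scale


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF (formula from the quiz)."""
    return av * ef


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (formula from the quiz)."""
    return sle * aro


def risk_rating(impact: int, likelihood: int) -> int:
    """Risk-rating factor; impact x likelihood is an assumption, not a formula from the page."""
    return impact * likelihood


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS, with ACS the annual cost of the safeguard."""
    return ale_prior - ale_post - acs


def rank_worksheet(rows):
    """Order worksheet rows by risk-rating factor, then by ALE, highest first."""
    def key(r):
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        return (risk_rating(r.impact, r.likelihood), annualised_loss_expectancy(sle, r.aro))
    return sorted(rows, key=key, reverse=True)


def choose_strategy(row, aro_after_control: float, acs: float) -> str:
    """Proportionality principle: reduce the risk only if the control's benefit exceeds its cost."""
    sle = single_loss_expectancy(row.asset_value, row.exposure_factor)
    ale_prior = annualised_loss_expectancy(sle, row.aro)
    ale_post = annualised_loss_expectancy(sle, aro_after_control)
    return "reduce" if cost_benefit(ale_prior, ale_post, acs) > 0 else "retain"


# Constructed sample worksheet; every figure is illustrative.
WORKSHEET = [
    WorksheetRow("web server", 200_000, "unpatched web application", 0.5, 0.5, 5, 4),
    WorksheetRow("laptop fleet", 50_000, "no full-disk encryption", 0.2, 2.0, 3, 5),
    WorksheetRow("backup tapes", 20_000, "unescorted off-site transport", 1.0, 0.25, 2, 1),
]

if __name__ == "__main__":
    for row in rank_worksheet(WORKSHEET):
        sle = single_loss_expectancy(row.asset_value, row.exposure_factor)
        ale = annualised_loss_expectancy(sle, row.aro)
        print(f"{row.asset:13} rating={risk_rating(row.impact, row.likelihood):2} "
              f"SLE={sle:9.0f} ALE={ale:9.0f}")
    # Assumed control for the web server: patching plus a WAF, ACS 15000/year, ARO 0.5 -> 0.1
    print("web server:", choose_strategy(WORKSHEET[0], 0.1, 15_000))
    # Assumed control for the tapes: escorted transport, ACS 5000/year, ARO 0.25 -> 0.05
    print("backup tapes:", choose_strategy(WORKSHEET[2], 0.05, 5_000))
```

The tapes case shows the decision the quiz describes: when the cost of protecting an asset exceeds the loss avoided, the risk is retained and the budget goes elsewhere.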
