Security Risk Assessment Process

Questions and Answers

In risk assessment, what is the primary role of those responsible for decision-making?

• To delegate risk assessment tasks to external consultants without internal oversight.
• To focus solely on quantitative data for assessing risk.
• To systematically make choices based on reason and available information. (correct)
• To eliminate all potential risks to the organization.

Why is it important for a risk assessment to consider an organization's vision, mission, values, and culture?

• To ensure compliance with legal regulations exclusively.
• To prioritize short-term financial gains over long-term strategic goals.
• To limit the scope of the risk assessment to internal factors only.
• To align risk management with the organization's strategic and tactical objectives. (correct)

What foundational information does a risk assessment provide?

• A detailed plan for daily operational tasks.
• Prioritization of risks relative to organizational objectives. (correct)
• A guarantee against future losses.
• The elimination of all organizational uncertainties.

When might a qualitative risk analysis be more appropriate than a quantitative one?

When data is unavailable or when an empirical method of analysis for decision making is appropriate. (D)

What is a key consideration when using quantitative analysis in risk assessment?

Overemphasizing numerical results compared to qualitative factors, especially human behavior. (C)

What is the primary benefit of using the Plan-Do-Check-Act (PDCA) model in risk assessment?

It provides a framework for continuous improvement in both the overall program and individual risk assessments. (A)

Why is it important to define what constitutes an 'asset' at the outset of a risk assessment?

To ensure agreement between the assessor and asset owner on what is being protected. (A)

When evaluating threats, what is the key difference between 'intentional threats' and 'inadvertent threats'?

Intentional threats involve deliberate actions by adversaries, while inadvertent threats include accidents and errors. (A)

In the context of vulnerability assessment, what does 'observability' refer to?

The ability of an adversary to identify a vulnerability. (C)

What is the main goal of the risk mitigation process?

To prioritize and address risks that have the potential to cause significant mission impact or harm. (B)

Flashcards

What is Risk Assessment?

The identification, analysis, and evaluation of uncertainties to objectives and outcomes.

Qualitative Analysis

Uses reasoning and judgment to describe risk with terms, words, and images.

Quantitative Analysis

Relies on probabilities and statistics, using calculations to interpret numbers and data.

What is an Asset?

A resource of value that can be tangible or intangible.

What is a Vulnerability?

Weakness that can be exploited by an adversary or make an asset susceptible to damage

Inadvertent Threats

Accidents, errors, and omissions that pose a risk.

Intentional Threats

Evaluation is based on identifying and studying potential adversaries and their intention.

Natural Threats

Threats typically evaluated using historical trends and statistics.

Risk Analysis

Combine asset information, threat data, and vulnerabilities to prioritize risks.

Risk Mitigation

Employ technologies, architectural features, policies, and procedures to reduce risk.

Study Notes

• This task is about developing, managing, or conducting the security risk assessment process.

General Concepts

• A risk assessment provides the analytical foundation for risk management.
• Decision-makers use a logical, structured, and consistent approach to assess risk.
• Those responsible for risk assessments should follow a structured approach to review and analyze facts, observations, and possible outcomes in order to achieve the organization's strategic and risk management objectives.
• The risk management process supports enterprise-wide strategic and operational activities, as well as program- and project-related activities.
• A comprehensive risk assessment considers the organization's vision, mission, values, culture, strategic, and tactical objectives.

Definition of Risk Assessment

• Risk assessment is identifying, analyzing, and evaluating uncertainties to objectives and outcomes.
• It compares desired and undesired outcomes with expected rewards and losses of organizational objectives.
• The risk assessment provides foundational information to:
  • calculate the effects of uncertainty
  • protect an organization’s tangible and intangible assets
  • safeguard the integrity of its supply chain, services, and activities
  • understand the relative exposure to risk

Quantitative and Qualitative Analysis

• Risk assessments depend on the type of risk, purpose of the analysis, resource limitations, information available to the assessor, and availability of metrics.
• Risk assessments can use a quantitative computational approach, qualitative subjective approach, or a combination of both.
• Qualitative analysis relies on the judgment of assessment team members and subject matter experts using terms, words, and images.
• Quantitative analysis relies on probabilities and statistics using mathematical formulas and calculations to interpret numbers, data, and estimates.
• Combined approaches use a combination of subjective and numerical values.
• Qualitative analysis can precede quantitative analysis to indicate risk levels and identify principal risk factors and existing controls.

Qualitative Analysis Details

• Qualitative analysis uses descriptive terms like "minor," "moderate," "major," or "critical".
• These terms must be clearly defined to avoid misunderstandings.
• Qualitative analyses are used when numerical data is inadequate, uncertain, or unavailable.
• A qualitative risk assessment may be advantageous when:
  • Management and governance better understand a descriptive risk presentation.
  • Communication with internal and external stakeholders is improved by visualizing risk information.
  • Underlying or historical data is unavailable or uncertain.
  • Resource limitations render quantitative data gathering impractical.
  • A risk is not well-defined or understood.
  • Quantification would be overly complex and based on potentially erroneous assumptions.
  • Multiple risks drive business objectives.
  • Addressing strategic risks are harder to quantify than operational or financial risks.

Quantitative Analysis Details

• Quantitative analysis uses numeric comparisons to describe potential likelihoods and consequences
• The goal is to calculate objective numeric values for risk assessment components.
• A cost-benefit analysis can be included.
• Risk assessors should recognize that numerical results of a quantitative analysis should not be overemphasized in comparison with a qualitative analysis, especially when human behavior is one of the risk factors.
• A quantitative risk assessment may have advantages when:
  • The risk lends itself to quantification in numerical terms.
  • Numerical precision and presentation are required for a particular decision.
  • Quantitative metrics are used to measure performance and success.
  • Sufficient and appropriate data is available or can be readily obtained.
  • Risk can be better communicated and understood through quantitative comparisons.
  • There is general agreement on underlying assumptions.

Managing Organizational and Specific Risk Assessments

• Organizational risk assessments encompass the organizational structure, resources, commitment, and documented methods used to plan and execute risk assessments.
• The organization should commit to allocating the necessary resources, people, and time to effectively administer the program and its objectives.
• Assess risks significant to the mission; risk assessment is a team effort, not a desktop exercise.
• The Plan-Do-Check-Act (PDCA) model can be used for both the overall program and individual assessments.
• A process approach compiles interrelated activities.
• The ASIS International Risk Assessment standard outlines a framework for risk assessments.

Assets

• Asset identification is critical to estimating risk at a site, facility, or other environment.
• Determine the most critical on-site assets.
• An asset is a resource of value to a business, organization, or individual; it can be tangible or intangible and more or less critical.
• Impact of loss is described as criticality.
• Asset value can be the economic replacement cost for infrastructure and equipment, while also considering downtime or production loss.
• Factors in determining asset value:
  • immediate response and recovery costs
  • investigation costs
  • replacement costs
  • intangible assets
  • indirect costs such as lost revenue or income, temporary leased facilities, equipment rental or purchase, alternative suppliers and vendors, alternative shippers and logistics support, temporary warehousing facilities, special employee benefits, counseling and employee assistance, loss of market share, decreased employee productivity, increased insurance premiums, temporary workforce, recruiting and staffing costs, increased security costs, increased communications capabilities, data recovery, administrative support, increased travel, marketing and public relations efforts, and emergency and continuity plan revamps.
• Intangible assets must be considered.

Evaluating Threats

• Threats are divided into three categories:
  • Intentional threats: based on identifying and studying potential adversaries (employees, terrorist organizations, organized crime groups, etc.).
  • Natural threats: evaluated using historical trends and statistics.
  • Inadvertent threats: include accidents, errors, and omissions.
• Best defenses against inadvertent threats are preparation, education, and awareness.

Vulnerabilities

• A vulnerability is a weakness or business practice that can be exploited or makes an asset susceptible to damage from natural or inadvertent threats.
• Vulnerabilities are measured in terms of observability and exploitability.
  • Observability is the ability of an adversary to see and identify a vulnerability.
  • Exploitability is the ability of the adversary to take advantage of the vulnerability once aware of it.
• In assessing natural threats, observability refers to security personnel's ability to observe or track a threat.
• Exploitability is the natural threat's ability to damage the facility, mission, or organization.
• For inadvertent threats, vulnerabilities are examined via two questions:
  • Are security personnel aware of the vulnerabilities?
  • Is there opportunity for a loss event based on the nature of the mission, operation, or facility?

Risk Analysis

• Assessor combines information on assets, threats, and vulnerabilities.
• Considers potential impact and prioritizes based on consequences of a loss event.
• Quantitative assessments should involve a multidisciplinary team.
• Formula: Risk = (Threat x Vulnerability x Impact)^(1/3)
• Evaluation factors are rated on a 0 to 100 scale.
• Risk analysis results should be presented to the decision-maker in a way they understand.
• Prioritize identified risks.

Risk Mitigation

• Goals, mission, and culture of an organization should be considered.
• Prioritize risks with the potential to cause significant mission impact or harm.
• Use appropriate technologies, structural features, the human element, and strong policies/procedures.
• Consider transferring financial risk through insurance or accepting the risk as a cost of doing business.
• Evaluate each option in terms of availability, affordability, and feasibility.
• When selecting countermeasures, consider:
  • effectiveness of individual countermeasures and the entire security system
  • levels of countermeasure effectiveness needed for different threats
  • increasing effectiveness or additional risk management as threats become more sophisticated
  • reevaluating and potentially modifying or removing countermeasures as threats decrease or end

Leveraging Outside Expertise

• Vendors or consultants bring a fresh view and expertise.
• There must be a clear agreement on the purpose and scope of the project.
• Consultants should begin at the inception of the project.
• Using an outside resource may strengthen a company's position during an audit.