Questions and Answers
What is the risk level description that requires detailed research and management planning at an executive/director level?
According to the risk matrix, what is the consequence of an 'Almost Certain' risk with a 'Major' impact?
What is the likelihood of a risk that is described as 'Unlikely' in the risk matrix?
Which of the following risks would have a 'Catastrophic' consequence?
What is the purpose of a risk matrix in risk assessment?
What is the potential outcome of a threat exploiting vulnerabilities in a system?
What is the primary goal of a detailed security risk assessment?
What is the relationship between a threat and an asset in a risk assessment?
What is the term for the likelihood that a threat will occur and cause harm to a system?
What is the process of evaluating the potential impact of a threat on a system?
What is the primary goal of identifying vulnerabilities in an organization's IT systems or processes?
What is the formula used to derive the overall risk rating for each threat?
What type of ratings are used to determine the likelihood of occurrence of identified threats?
What is the purpose of considering previous attacks to the organization?
What is the definition of a vulnerability in the context of IT systems?
What is the rating of a threat that might occur at some time, but is just as likely as not?
What is the purpose of specifying the consequence to the organization?
What is the purpose of analyzing risks?
Study Notes
Threats and Assets
- Threats prevent assets from achieving confidentiality, integrity, availability, accountability, authenticity, and reliability.
- Assets may have multiple threats.
Threat Sources
- Threats can be either natural (fire, flood, storm, earthquake) or human-made (accidental or intentional).
- Human-made threats can come from insiders (e.g., selling information for personal gain) or outsiders (e.g., hackers).
Human Attackers
- Consider motivations, capabilities, resources, and probability of attack when evaluating human attackers.
- Analyze previous attacks on the organization.
Vulnerability Identification
- A vulnerability is a weakness in an asset that can be exploited by a threat.
- Identify weaknesses in the organization's IT systems or processes to determine the applicability and significance of threats.
- Use standard lists of potential vulnerabilities to identify weaknesses.
Risk Analysis
- Specify the likelihood of occurrence of identified threats.
- Specify the consequence to the organization if the threat occurs.
- Derive an overall risk rating for each threat using a qualitative rating system.
- Use a risk rating formula: risk = probability threat occurs x cost to organization.
Likelihood Determination
- Use a 4-point scale to rate likelihood: Rare (1), Unlikely (2), Possible (3), Almost Certain (4).
- Define each level: Rare (exceptional circumstances), Unlikely (could occur, but not expected), Possible (might occur, but just as likely as not), Almost Certain (very likely).
Determining Resultant Risk
- Use a 5-point scale to rate consequences: Insignificant, Minor, Moderate, Major, Doomsday/Catastrophic.
- Combine likelihood and consequence ratings to determine the resultant risk level.
- Use a risk level matrix to determine the overall risk level: Extreme (E), High (H), Medium (M), Low (L).
Description
Learn about the different types of threats that can compromise asset security, including natural and human-made threats, and how they affect confidentiality, integrity, and availability.