Single Loss Expectancy

Risk-Based Approach to Security

Eric Cole , in Advanced Persistent Threat, 2013

Calculating Risk

In calculating risk, there are two general formulas that are used: SLE (single loss expectancy) and ALE (annualized loss expectancy). SLE is the starting point to determine the single loss that would occur if a specific incident occurred. The formula for the SLE is:

SLE = asset value × exposure factor.

While the SLE is a valuable starting point, it simply represents the single loss an organization would endure. Since many organizations endure the same loss multiple times a year, you have to take the ARO (annualized rate of occurrence) and include it in the formula. This is done by calculating the ALE:

ALE = SLE × annualized rate of occurrence (ARO).

The ALE is what you always use to determine the cost of the risk, and the TCO (total cost of ownership) is what is used to calculate the cost of a solution.


Performing the Business Risk Assessment

Laura P. Taylor , in FISMA Compliance Handbook, 2013

Quantitative risk assessment

Once you have determined which threats create the greatest risk exposure to the business, you can then use quantitative risk assessment methods to determine how much the agency should spend to mitigate the potential threat. Quantitative risk assessment associates loss with a financial value. The goal of understanding financial loss is to give you more data in making decisions about the procurement and implementation of safeguards. Quantitative risk assessment is essential if you want to perform cost-benefit analysis to figure out if implementing a particular safeguard is financially worth the cost. If the anticipated annual loss (also referred to as annual loss expectancy) is less than the annualized cost of the safeguard, then it is normally not worth it to implement the safeguard. For example, if a data center is in a city that is prone to electrical grid outages, then it might make sense to invest in more generators only if the annual loss is greater than the annualized cost of new generators (the safeguard).

(The loss caused by the electrical grid outage could mean loss of data, loss of customers, or some other loss.)

Let's look at a more detailed example related to natural disasters to figure out financial loss based on quantitative risk assessment methods. If you look at Figure 17.4, you will see that in Florida alone there are different probabilities throughout the state for hurricanes with wind speeds greater than 100 knots. To calculate the risk of a hurricane occurring in Miami, Florida, you need to understand the likelihood of one occurring each year. If a hurricane occurs once every 20 years (1 of 20), then it has a 5% chance of occurring yearly, since 1/20 = 0.05, which equals 5%.

Figure 17.4. Probabilities of hurricanes in Florida localities.

Source: USGS.

The frequency of Florida hurricanes with wind speeds greater than or equal to 100 knots is mapped in terms of the probability of occurrence during a 20-year exposure window. These probabilistic estimates, based on 1006 years of observations, illustrate that hurricanes with 100-knot winds occur more frequently in southern Florida and gradually decrease in frequency toward northern Florida [2].

The threat frequency (or likelihood) for natural disasters can be calculated by using an Annualized Rate of Occurrence (ARO). An ARO is a constant number that tells you how frequently a threat might occur each year. AROs can be broken down into subvalues known as Standard Annual Frequency Estimates (SAFE) and Local Annual Frequency Estimates (LAFE). The SAFE value is the number of times a specific threat is expected to occur annually in a large geographic region such as North America. The LAFE value is the number of times a specific threat can be expected to occur annually in a smaller, local geographic region such as Miami, Florida. For the purpose of FISMA compliance, it is more appropriate to use LAFE values. (If we were going to assess all the systems in North America in one Security Package, we might use SAFE values for that. Such a Security Package of course would be a Sisyphean exercise.)

ARO values (SAFE and LAFE) typically are represented as rational numbers or as a decimal value, as shown in Table 17.5. (A rational number is a number that can be expressed equivalently as a fraction.)

Table 17.5. Threat Values for Annualized Rates of Occurrence

ARO (LAFE) Values

Expressed as a Percent | Expressed as a Decimal | Expressed as a Fraction | Frequency of Occurrence
1      | 0.01 | 1/100 | Once every 100 years
2      | 0.02 | 1/50  | Once every 50 years
5      | 0.05 | 1/20  | Once every 20 years
10     | 0.10 | 1/10  | Once every 10 years
20     | 0.2  | 1/5   | Once every 5 years
100    | 1    | 1/1   | Once a year
1000   | 10   | 10/1  | 10 times a year
10,000 | 20   | 20/1  | 20 times a year

The reduction in the value of an information system from one threat (or incident) is referred to as a Single Loss Expectancy (SLE). If one of the servers in your hardware and software inventory is valued at $100,000, and a hurricane destroys 90% of it, the value of the system has been reduced by $90,000, which is represented by the SLE equation:

SLE = Original Total Cost − Remaining Value

SLE: $90,000 = $100,000 − $10,000

It is possible that instead of a hurricane, a hacker might destroy 90% of the server, and the same SLE formula would apply. Once you know the SLE, you can determine an Annual Loss Expectancy (ALE). ALE is a risk exposure standard that is computed by multiplying the probability of a loss from a threat (or incident) by the reduction in value of the information system [1].

ALE is a metric that was developed by the National Bureau of Standards in 1979. In the mid-1980s, the National Bureau of Standards became part of the National Institute of Standards and Technology.

ALE values are useful to perform cost-benefit analysis so that you can figure out if spending money on a particular safeguard is worth it or not. ALE values can be determined for any type of threat, whether it is a threat launched by an adversary or a natural disaster. To determine the ALE for this same $100,000 system, use the formula:

ALE = LAFE × SLE

R(E) = P(L) × S(L)

The LAFE value is the probability of potential loss, or P(L). The SLE, or the loss from a one-time occurrence of the incident, is the severity of the loss, S(L).

If the system is located in Miami, Florida, and hurricanes have a 5% chance of occurring yearly:

ALE = 0.05 × $90,000 = $4,500

Every year, the one information system located in Miami, Florida, is exposed to an annual loss expectancy of $4,500 from hurricanes alone. If there are 1000 systems at this facility in Miami, all with the same ALE, that would come to a whopping cumulative ALE of $4,500,000. Even if moving the facility to a different location costs $1,000,000, in this case it would be worth it, since the safeguard (e.g., the move) would be far less expensive than the Annual Loss Expectancy.
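As an added example (not code from the chapter), the hurricane calculation above carried through in Python: the dollar figures, the one-in-20-years frequency, the 1000 systems and the $1,000,000 relocation are the chapter's; the function names, the SafeguardDecision helper and the three-way ARO rendering of Table 17.5 are this example's own.

```python
from dataclasses import dataclass
from fractions import Fraction

# Added example, not the book's code. Figures are the chapter's; names are assumptions.


def lafe_from_interval(years_between_events: float) -> float:
    """Local Annual Frequency Estimate for a threat seen once every N years.

    This is the chapter's 1/20 = 0.05 step: the ARO (a LAFE, because it is
    specific to one locality) is the reciprocal of the recurrence interval.
    """
    if years_between_events <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_events


def describe_aro(aro: float) -> dict:
    """Express one ARO the three ways Table 17.5 does: percent, decimal, fraction."""
    return {
        "percent": round(aro * 100, 6),
        "decimal": aro,
        "fraction": str(Fraction(aro).limit_denominator(10_000)),
    }


def single_loss_expectancy(original_total_cost: float, remaining_value: float) -> float:
    """SLE = Original Total Cost - Remaining Value (the chapter's form of the formula)."""
    if remaining_value < 0 or remaining_value > original_total_cost:
        raise ValueError("remaining value must lie between 0 and the original cost")
    return original_total_cost - remaining_value


def annual_loss_expectancy(lafe: float, sle: float) -> float:
    """ALE = LAFE x SLE, i.e. probability of loss P(L) times severity of loss S(L)."""
    return lafe * sle


@dataclass(frozen=True)
class SafeguardDecision:
    cumulative_ale: float
    safeguard_cost: float

    @property
    def worth_implementing(self) -> bool:
        # The chapter's rule: implement the safeguard only when the loss you expect
        # each year exceeds what the safeguard costs. The chapter compares the
        # one-off cost of the move directly; for a recurring safeguard use its
        # annualized cost here instead.
        return self.safeguard_cost < self.cumulative_ale

    @property
    def annual_net_benefit(self) -> float:
        return self.cumulative_ale - self.safeguard_cost


def evaluate_safeguard(per_system_ale: float, system_count: int,
                       safeguard_cost: float) -> SafeguardDecision:
    """Sum the ALE over every system the safeguard protects, then compare."""
    if system_count < 0:
        raise ValueError("system count must be non-negative")
    return SafeguardDecision(per_system_ale * system_count, safeguard_cost)


def miami_hurricane_example() -> SafeguardDecision:
    """The chapter's figures, end to end."""
    lafe = lafe_from_interval(20)                    # one hurricane per 20 years -> 0.05
    sle = single_loss_expectancy(100_000, 10_000)    # 90% of a $100,000 server -> $90,000
    ale = annual_loss_expectancy(lafe, sle)          # 0.05 x $90,000 -> $4,500 per system
    # 1000 identical systems; the $1,000,000 relocation is the safeguard.
    return evaluate_safeguard(ale, 1000, 1_000_000)


if __name__ == "__main__":
    d = miami_hurricane_example()
    print(f"cumulative ALE ${d.cumulative_ale:,.0f} vs safeguard ${d.safeguard_cost:,.0f}"
          f" -> worth implementing: {d.worth_implementing}")
    print(describe_aro(lafe_from_interval(20)))
```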

An additional resource that explains quantitative risk assessment is an article titled "Security Scanning is not Risk Analysis" in the Intranet Journal (http://web.archive.org/web/20030207102906/http://www.intranetjournal.com/articles/200207/se_07_14_02a.html).


Layer 8: The People Layer

In Hack the Stack, 2006

Quantitative Assessment

Imagine all the scenarios in which your assets are threatened, and determine what portion of those assets would be lost if each threat became a reality. The percentage of the asset value that would be lost is the exposure factor (EF). The dollar (or other currency) amount that would be lost if the threat was realized is the single loss expectancy (SLE), and is computed using the following formula:

SLE = asset value × exposure factor

If only half of a $1,000,000 asset is lost in an incident, then the exposure factor is 50 percent and the SLE is $500,000. It is possible for a loss to exceed the asset's value to the corporation, such as in the event of a massive product liability lawsuit; in this case, the EF would be greater than 100 percent.

Of course, some threats are more likely to materialize than others. The term for the frequency of threats each year is the annualized rate of occurrence (ARO). If we expect a threat to occur three times per year on average, then the ARO equals 3. If another threat is expected to occur only once in ten years, the average would be one tenth of an occurrence each year, giving an ARO of 0.1 for that threat. An important factor in the ARO is how vulnerable you are to a particular threat. For our information systems, we can refer to vulnerability databases published on the Web, which tell us what known vulnerabilities exist for a particular version of a particular product. However, vulnerabilities in information systems don't only come from programming errors. Improper installation and configuration of a product can also make it vulnerable. A vulnerability scanner program can automate much of the work of identifying vulnerabilities in these systems.

Now we can combine the monetary loss of a single incident (SLE) with the likelihood of an incident (ARO) to get the annualized loss expectancy (ALE). The ALE represents the yearly average loss over many years for a given threat to a particular asset, and is computed as follows:

ALE = SLE × ARO

Some risk assessment professionals add another factor: uncertainty. If we have good historical data to support our quantification of asset value, exposure factor, and annualized rate of occurrence, then we are very certain of the risk. If we used a dart board to assign any of these component values, then we have considerable uncertainty about the risk. We can revise our last formula to account for this:

ALE = SLE × ARO × uncertainty

where uncertainty ranges from 1 for completely certain, to numbers greater than 1 for more uncertainty (e.g., an uncertainty of 1.5 means that the ALE might be 50 percent more than the estimate of SLE × ARO; an uncertainty of 2.25 means that the ALE might be more than double our estimate). Table 9.2 shows quantitative risk assessment calculations.

Table 9.2. Quantitative Risk Assessment Calculations

Asset Name      | Asset Value | Exposure Factor | SLE        | ARO  | Uncertainty | ALE
Building        | $6,000,000  | 50%             | $3,000,000 | .07  | 1           | $210,000
Client Database | $1,000,000  | 100%            | $1,000,000 | .667 | 3           | $2,000,000
Software        | $800,000    | 75%             | $600,000   | .667 | 1.5         | $600,000
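As an added example (not the book's code), the EF/ARO/uncertainty model of this section run over the three rows of Table 9.2, plus the section's EF-above-100-percent lawsuit case. The asset figures come from the table; the ThreatToAsset type, the helper names and the $1,000,000 liability figure for the lawsuit row are this example's own assumptions.

```python
from dataclasses import dataclass

# Added example, not the book's code. Table values are the chapter's; names are assumptions.


@dataclass(frozen=True)
class ThreatToAsset:
    asset_name: str
    asset_value: float          # in currency units
    exposure_factor: float      # fraction of asset value lost; may exceed 1.0 (e.g. a lawsuit)
    aro: float                  # expected occurrences per year (3 = thrice a year, 0.1 = once a decade)
    uncertainty: float = 1.0    # 1.0 = completely certain; larger values inflate the estimate

    def __post_init__(self):
        if self.asset_value < 0 or self.exposure_factor < 0 or self.aro < 0:
            raise ValueError("asset value, exposure factor and ARO must be non-negative")
        if self.uncertainty < 1.0:
            # The chapter defines 1 as "completely certain"; a factor below 1 would claim
            # more than certainty, so it is rejected rather than silently used.
            raise ValueError("uncertainty factor must be >= 1")

    @property
    def sle(self) -> float:
        """SLE = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO x uncertainty (the chapter's revised formula)."""
        return self.sle * self.aro * self.uncertainty


def aro_from_events(events: int, years: float) -> float:
    """ARO as events per year: 3 in 1 year -> 3.0; 1 in 10 years -> 0.1."""
    if years <= 0 or events < 0:
        raise ValueError("need non-negative events over a positive number of years")
    return events / years


def rank_by_ale(threats: list) -> list:
    """Largest expected annual loss first: the order in which to spend on countermeasures."""
    return sorted(((t.asset_name, t.ale) for t in threats), key=lambda p: p[1], reverse=True)


# Table 9.2 as constructed inputs. The table prints ARO .667 for the database and
# software rows, which is two-thirds (twice every three years); using the exact
# fraction reproduces the table's rounded ALE figures.
TABLE_9_2 = [
    ThreatToAsset("Building", 6_000_000, 0.50, 0.07, 1.0),
    ThreatToAsset("Client Database", 1_000_000, 1.00, aro_from_events(2, 3), 3.0),
    ThreatToAsset("Software", 800_000, 0.75, aro_from_events(2, 3), 1.5),
]

# The chapter's point that EF may exceed 100%: a $1,000,000 asset (constructed figure)
# whose loss triggers a liability of twice its value, expected once in 20 years.
LAWSUIT_EXPOSURE = ThreatToAsset("Product line (liability)", 1_000_000, 2.0, 0.05)


if __name__ == "__main__":
    for t in TABLE_9_2:
        print(f"{t.asset_name:16} SLE ${t.sle:>12,.0f}  ALE ${t.ale:>12,.0f}")
    print(rank_by_ale(TABLE_9_2))
    print(f"EF > 100% case: SLE ${LAWSUIT_EXPOSURE.sle:,.0f}, ALE ${LAWSUIT_EXPOSURE.ale:,.0f}")
```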


Domain 1

Eric Conrad , ... Joshua Feldman , in Eleventh Hour CISSP® (Third Edition), 2017

Answers

1.

Correct answer and explanation: C. The ARO is the number of attacks in a year.

Incorrect answers and explanations: Answers A, B, and D are incorrect. The AV is $20,000. The EF is 40% and the monthly cost of the DoS service (used to calculate TCO) is $10,000.

2.

Correct answer and explanation: D. The ALE is derived by first calculating the SLE, which is the AV, $20,000, multiplied by the EF, 40%. The SLE is $8000, which is multiplied by the ARO of 7 for an ALE of $56,000.

Incorrect answers and explanations: Answers A, B, and C are incorrect. $20,000 is the AV, while $8000 is the SLE.

3.

Correct answer and explanation: C. The TCO of the DoS mitigation service is higher than the ALE of lost sales due to DoS attacks. This means it is less expensive to accept the risk of DoS attacks or to find a less expensive mitigation strategy.

Incorrect answers and explanations: Answers A, B, and D are incorrect. The annual TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE.

4.

Correct answer and explanation: A. The canons are applied in order and "To protect society, the commonwealth, and the infrastructure" is the first canon, and is thus the most important of the four canons of The (ISC)2® Code of Ethics.

Incorrect answers and explanations: Answers B, C, and D are incorrect. The canons of The (ISC)2® Code of Ethics are presented in order of importance. The second canon requires the security professional to act honorably, honestly, justly, responsibly, and legally. The third mandates that professionals provide diligent and competent service to principals. The final and therefore least important canon wants professionals to advance and protect the profession.

5.

Correct answer and explanation: Files, database tables, and tax forms are examples of objects, so they should be dragged to the right (Fig. 1.6).

Fig. 1.6. Drag and drop answer.

Incorrect answers and explanations: A running process and a user are examples of subjects.


Domain 3: Information Security Governance and Risk Management

Eric Conrad , ... Joshua Feldman , in Eleventh Hour CISSP (Second Edition), 2014

Answers

1.

Correct answer and explanation: A. Answer A is correct; policy is high level and avoids technology specifics.

Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. B is a procedural statement. C is a guideline. D is a baseline.

2.

Correct answer and explanation: C. Answer C is correct; the Annual Rate of Occurrence is the number of attacks in a year.

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. $20,000 is the Asset Value (AV). Forty percent is the Exposure Factor (EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO).

3.

Correct answer and explanation: D. Answer D is correct; Annualized Loss Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy (SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). The SLE is $8000; multiply by the Annual Rate of Occurrence (ARO, 7) for an ALE of $56,000.

Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy.

4.

Correct answer and explanation: C. Answer C is correct; the Total Cost of Ownership (TCO) of the DoS-mitigation service is higher than the Annualized Loss Expectancy (ALE) of lost sales due to DoS attacks. This means it's less expensive to accept the risk of DoS attacks (or find a less expensive mitigation strategy).

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. A is incorrect: the TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE. D is incorrect: the annual TCO is higher, not lower.

5.

Correct answer and explanation: D. Answer D is correct; the data owner ensures that data has proper security labels.

Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Custodians patch systems. Users should be aware and report suspicious activity. Ensuring files are backed up is a weaker answer for a data owner duty, used to confuse the data owner with "the owner of the file" on a discretionary access control system.


Jargon, Principles, and Concepts

Mark Osborne , in How to Cheat at Managing Information Security, 2006

Risk Analysis

The details we have covered to now have one main aim: to help us quantify and manage the risk to our information. The quantifying approach is known as risk analysis, and these days many of you will be very familiar with some semiformal techniques. These techniques appear in the system development methodologies, project management methodologies, health and safety processes, and insurance evaluations. If I had written this chapter five years ago, the examples and explanations would have needed to be far more detailed. Nevertheless, I am going to assume everybody needs a refresher.

Types of Risk Analysis

There are many types of risk analysis. Common security risk analysis methods and tools include:

CRAMM

SARAH

IS1 and IS3

VISART

Delphi

Most texts suggest that these methods fall into one of two categories: either quantitative or qualitative. The former is based on math, the latter on expert experience. This is certainly the approach you have to take if you want to pass your CISSP. However, the reality of the situation is that all good methods use a mix of both techniques, so they tend to vary along a continuum of more qualitative versus more quantitative. I have read some articles that suggest a qualitative approach isn't objective—complete tripe! Qualitative methods have been successful for years, and executives have been analytical since companies began. Make your own mind up; if you want to read more, I have been commended to the International Society for the Scientific Study of Subjectivity (www.qmethod.org).

Quantitative Analysis

In theory, quantitative analysis always has a mathematical basis for your grading. Take, for example, an assessment that tries to establish the risk to your main office (with a view to setting up alternative facilities).

Your methodology would work through a series of threats. Sooner or later it would come to the threat of flooding:

1.

As a first step in a quantitative analysis, you would access the environmental agencies' flood information for a percentage. If it is less than 0.01 percent, you probably would not bother to analyze further.

2.

DoE will give you a broad number. You might wish to contact your insurance company for a better number. On the last project I worked on, the number was 2 percent chance of a flood in a year. You now have a probability; this is known as the annual rate of occurrence, or ARO.

3.

You use historic information from your insurer, building contractors, or the London fire brigade regarding how long it will take to clean up and get back in business after a disaster. In the example, we estimated a three-week period.

4.

You contact your accounts department for the amount of revenue you would lose (at your busiest period) if you were unable to operate for this period of time. This is called single-loss expectancy (SLE). In this example, the SLE was $1 million.

5.

You annualize your loss due to flooding. The annual loss expectancy (ALE) is the product of the SLE multiplied by the ARO—in our example, $1 million * 1/100 = $100,000.

Qualitative Analysis

Qualitative analysis is portrayed as being very emotional. It should be very interview based, and you would seek to talk to all major department heads. You would brief them and they would probably assign a senior member of their department to work with you. You would then run through, either in a series of workshops or on an individual basis, the probability of each threat and rate it as high, medium, or low. Table 3.1 is a typical table resulting from such an exercise.

Table 3.1. Qualitative Analysis of Threats to a Business

Threat                           | Likelihood
Loss of business due to flooding | HIGH
Loss of business due to fire     | MEDIUM
Loss of business due to bomb     | LOW

Hence the term qualitative, since the use of terms such as HIGH, MEDIUM, and LOW is completely subjective and determined by factors outside the control of the researcher. You would then ask them to guess at a financial impact of such an event.

How It Really Works: Strengths and Weaknesses

No one conducts these exercises in such a banal way. A good exercise will draw the best from both types of analysis:

It is very important to get a ballpark figure from DoE to prove the local propensity to flooding. But you as a security expert need to use your expertise to modify this information. For example, your area might not be generally at risk of flooding, but if you built your business in a bomb-proof bunker 20 feet below ground at the foot of a hill, you as an expert could decide that the risk is greater than for other standard buildings in the same locale. Especially if last Thursday, you ruined your best shoes in a pool the size of Loch Ness getting to your car.

The length of the outage is specific to your trade. If you use custom-built machines that take a year to build, you can't replace them in three weeks.

You need to consult both the accounts team and the individual departments to get a balanced scorecard value to represent loss. It is unlikely that department managers will know the true accounting revenue of a department at a given period. They will almost always "big it up." It is also true that the accounts department might not be aware of interdepartmental dependencies. For instance, the IT department might not be a revenue center, but how many businesses these days can survive without it? Relying on accounting and reporting revenue alone is a big mistake. It certainly will not account for the following important aspects:

Customer churn: In many businesses, the loss of a few customers' revenue is not as important as keeping the customers.

Third-party consequential loss: Will you be liable for unlimited loss?

Loss of reputation: How much do you spend on telling customers that you are unsinkable—that money is now wasted?

Legal or regulatory infraction

But doing the ALE = SLE * ARO calculation is essential. Risk or impact should always be expressed as a monetary value.

This type of analysis works very well for physical disasters but can be very hard to apply to other areas. This is because it requires general statistics on external threats and their likelihood but then requires you to modify them for your own local conditions. I have heard many complaints about this, especially relating to analysis of hacks and virus exposures.

I recommend you take a look at FIRST's (www.first.org) Common Vulnerability Scoring System (CVSS). This system takes into account global factors about a threat, such as how a vulnerability compromises an operating system and how that vulnerability affects the classic CIA principles; these are provided by a manufacturer or a CERT. It then allows each individual site to consider the placement of the potentially vulnerable system and the importance of that computer to the organization. It's a nice technique that combines technical and local factors.

In practice, doing this kind of job right for an enterprisewide threat will involve external statistical references and facts modified by local subjective threat modifiers. Take a look at FIRST's CVSS. This takes global facts, such as how a vulnerability compromises an operating system, accounts for classic CIA principles, and then allows each site to consider the placement and importance of that computer to the organization. It's both quantitative and qualitative.

So What Now?

You now know which risks affect you the most. This is your risk profile. Now you have to prioritize the risks based on the potential loss and deal with them in turn (see Table 3.2).

Table 3.2. Prioritizing Business Risks

Threat                              | Annual Expected Loss ($) | Priority
Loss of business due to flooding    | 10,000,000               | 1
Loss of business due to fire        | 500,000                  | 2
Loss of business due to DDoS attack | 400,000                  | 3

For each threat, you have the following choices:

Accept the risk: Make sure that the directors of the company formally document that it is a risk that they are prepared to take. A member of the senior management team waving his hand saying "It'll never happen" isn't quite the same.

Transfer the risk: Typically, this means insurance, but it can mean outsourcing—for example, outsourcing the plant to a bigger organization that can provide alternative processing facilities as part of the deal.

Counter, reduce, or manage the risk: This means fixing the problem. Obviously the fix needs to cost less than the financial impact.

The one thing you can't let happen is for management to ignore the risk. This process is known as your risk treatment.


Information Governance and Risk Management

Timothy Virtue , Justin Rainey , in HCISPP Study Guide, 2015

1.

A structure consisting of policies, processes, procedures, behaviors, and technologies designed to help with managing information throughout its life cycle is defined as:

a.

Administrative safeguards

b.

Privacy and security governance

c.

Physical safeguards

d.

Information governance

2.

Actions, policies, and procedures involved in the selection, development, implementation, and maintenance of security measures are defined as:

a.

Administrative safeguards

b.

Privacy and security governance

c.

Physical safeguards

d.

Information governance

3.

The Chief Information Officer is:

a.

The highest-level official within an organization with overall responsibility for providing information security protections

b.

Responsible for designating a senior information security officer

c.

Responsible for carrying out primary information security responsibilities

d.

An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal

4.

The organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system is:

a.

Authorizing official

b.

Information owner/steward

c.

Information system owner

d.

Chief Information Officer

5.

NIST SP 800-39 outlines approaches to information security governance that include all of the following except:

a.

Centralized

b.

Hybrid

c.

Decentralized

d.

Uniform

6.

The International Organization for Standardization:

a.

Has published an information governance toolkit designed to enable organizations and partners to assess compliance with the various laws, policies, and standards associated with data governance

b.

Is responsible for the SP 800 series (computer security) and SP 500 series (IT) publications relating to computer security

c.

Is responsible for publication of the 27002:2005 and 27799:2008 standards

d.

a and c

7.

Framing involves:

a.

Understanding the environment in which the organization operates

b.

Understanding risk tolerance to ensure risk is appropriately framed

c.

Assessing risk to identify threats, vulnerabilities, potential impact, and likelihood of harm

d.

Evaluating risk over time for the purpose of evaluating control effectiveness, identifying system and environment changes that create risk, and ensuring risk responses are implemented in alignment with business objectives, regulatory requirements, and security and privacy policies, standards, and guidelines

8.

Qualitative assessments:

a.

Involve non-numerical categories or levels (e.g., low, moderate, high) and can be more effective when communicating with stakeholders

b.

Involve an analysis largely involving numbers (e.g., $10,000, $50,000, $100,000), visible properties, and statistics and a set of methods, principles, or rules for assessing risk

c.

a and b

d.

None of the above

9.

Annual loss expectancy (ALE) is:

a.

The anticipated frequency that a single loss expectancy (SLE) event is projected to occur in a 12-month period

b.

The expected loss over a 12-month period based on the SLE of an event and the annual rate of occurrence (ARO)

c.

ALE = SLE × ARO

d.

b and c

10.

A vulnerability is:

a.

Any event with the potential to adversely impact the confidentiality, integrity, or availability of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service

b.

Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

c.

A measure of the extent to which an organization is threatened by a particular event

d.

a and c

11.

A threat is:

a.

Any event with the potential to adversely affect the confidentiality, integrity, or availability of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service

b.

Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

c.

A measure of the extent to which an organization is threatened by a particular event

d.

a and c

12.

Risk treatment generally involves the following options:

a.

Transfer, acceptance, mitigate, eliminate

b.

Acceptance, transfer, mitigate, deflect

c.

Avoid, transfer, eliminate, manage

d.

Mitigate, transfer, acceptance, avoid

13.

Which one of the following formulas is incorrect?

a.

Managed risk = residual risk − inherent risk

b.

SLE = asset value × exposure

c.

ALE = SLE − ARO

d.

a and c

14.

Controls are:

a.

Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

b.

Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to increase the vulnerability of an information asset

c.

Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to decrease the vulnerability of an information asset

d.

Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to maintain the vulnerability of an information asset

15.

Likelihood is:

a.

The expected harm or damage to an organization resulting from the successful exploitation of a vulnerability

b.

The probability a vulnerability will be motivated and capable of exploiting a threat

c.

A measure of the extent to which an organization is threatened by a particular event

d.

None of the above

16.

The categorization of information systems, selection, implementation, and assessment of security controls, authorization of information systems, and monitoring of security controls are steps included in the:

a.

Information governance process

b.

System development life cycle

c.

IT governance process

d.

Information risk management life cycle

17.

Intangible loss involves:

a.

Direct (real) value of physical assets including revenue and server or facility costs

b.

Indirect value such as brand, reputation, and loss of prospective customers and intellectual property

c.

Indirect value such as revenue and server or facility costs

d.

None of the above

18.

The information system development life cycle includes the following phases:

a.

Initiation, development/acquisition, monitoring, disposal

b.

Disposal, initiation, operational/maintenance, development/acquisition

c.

Categorization, selection, implementation, authorization, monitoring

d.

Selection, implementation, monitoring, disposal

19.

Centralized governance is defined as:

a.

Authority, responsibility, and decision-making powers that are distributed between a central body and individual subordinate organizations

b.

Structure (or framework) consisting of policies, processes, procedures, behaviors, and technologies designed to help with managing information throughout its life cycle in a manner consistent with stakeholder expectations

c.

Authority, responsibility, and decision-making powers that are vested solely within central bodies

d.

Authority, responsibility, and decision-making powers that are vested in and delegated to individual subordinate organizations within the parent organization

20.

Risk transfer involves:

a.

A decision to avoid taking actions or activities that would create new risk for the organization

b.

Decision to accept a particular risk and its associated losses assuming it falls within an organization's risk tolerance

c.

Decision to reduce vulnerabilities through implementation of additional administrative, physical, and/or technical safeguards

d.

None of the above


Information Security Risk Assessments

Mark Talabis , Jason Martin , in Information Security Risk Assessment Toolkit, 2013

Determine Impact

In all risk assessment frameworks that you will encounter, there will be, in some form or another, a measurement of impact. As previously mentioned, impact is the effect, typically harmful, of a threat applied to an asset. This is also one of the primary components for calculating a risk rating.

The objective of this activity is to produce a measurement for impact. This will be part of an impact and likelihood matrix, which will ultimately produce your risk ratings. There are many different ways to determine impact, and contrary to what you may read in some literature there is no single correct method for determining impact.

Quantitative risk assessments deal with estimating loss based on a financial perspective by using calculations like Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE). As an example, a HIPAA violation not due to willful neglect carries a penalty of $100 for each violation, with the total amount not to exceed $250,000; therefore, we know that if a database with several thousand patient records was compromised, the impact to your organization will be $25,000. But if this was due to willful neglect, the impact could be as much as $1.5 million. This may be the most objective way to determine impact, but in reality, this is highly dependent on information that may not always be readily available.

Qualitative determination of impact differs from quantitative in that qualitative risk assessments do not attempt to put a financial value on the asset and the subsequent monetary losses stemming from the threat. In this approach one measures relative values. For example, if we have a health information system that handles all enterprise-wide information processing, a business owner might say that losing the system will affect virtually all operations of the hospital. In this scenario, one might not be able to assign an accurate monetary value without going through hospital financials and working closely with the accounting department, which for all intents and purposes, though helpful, is not the main objective of an information security risk assessment. In qualitative analysis you would typically assign a relative value. This would be a statement such as "Loss of system availability for the target system will have a HIGH impact in terms of availability of information processing across the organization and could cause significant financial losses."
