Term
|
Definition
| A potential future undesirable state without complete identification of cause. It should not be confused with "threat". |
|
|
Term
|
Definition
| The systematic process of identifying hazards and quantifying their potential adverse consequences (magnitude, spatial scale, duration, and intensity) and associated probabilities, including the uncertainties surrounding these estimates. |
|
|
Term
| What is risk communication? |
|
Definition
| The process used by risk analysts, decision makers, policy makers, and intelligent adversaries to provide data, information, and knowledge to change the risk perceptions of individuals and organizations and enable them to assess the risk more accurately than they otherwise might. |
|
|
Term
| What a four ways to respond to risk? |
|
Definition
1. Risk reduction: avoid being a target
2. Control Mechanisms: implement safeguards
3. Risk acceptance: Live with it.
4. Risk Re-assignment (transfer): get insurance. |
|
|
Term
| What is a risk-based exclusion? |
|
Definition
| Risk of introducing security mechanism to systems concept of operations introduces greater threat of functionality loss or enterprise liability, hence are eliminated as alternatives. |
|
|
Term
| What is the purpose of value chain methodology? |
|
Definition
| To identify the elements of the chain most likely to be targeted. The attacker's view may be different than the defender. |
|
|
Term
| What is the goals of an economic approach to risk? |
|
Definition
| To balance security investment with the acceptanle economic risk of the mission or asset. |
|
|
Term
| What is the security investment in a capability? |
|
Definition
| The direct cost of the security plus the economic cost of any impairments to the system. |
|
|
Term
| Can a system preserve value without security? |
|
Definition
| False. A system needs security to preserve value. |
|
|
Term
| Should security be viewed as a systemic feature or a countermeasure? |
|
Definition
|
|
Term
| Five example threat assessment strategies |
|
Definition
1. brainstorm about the types of individuals who would benefit from stealing or destroying an asset
2. vulnerability network and software scans
3. control self-assessments
4. break down high level threats using attack trees that start with a high level description of the attack and provide granularity with respect to alternatives for the steps the attacker would need to perform
5. search the Internet for proprietary information belonging to the company |
|
|
Term
| What are the four parts to estimating the impact of a problem? |
|
Definition
1. quantify cost of time spent investigating the root cause of the problem
2. quantify cost of equipment and time spent repairing damage and restoring activities
3. estimate loss in productivity due to system downtime
4. estimate loss of business due to reputational impact of incident |
|
|
Term
| How can estimate the cost of a risk? |
|
Definition
| Expected frequency * probability of secuess * cost if successful. |
|
|
Term
| Main parts of a Risk Analysis for a Security Feature |
|
Definition
1. Calculate cost of risk without security feature
2. Calculate cost of residual risk with security feature
3. Subtract cost of residual risk from cost of risk.
4. Security feature must cost less than this. |
|
|
Term
|
Definition
Cost Benefit Analysis = Assumed Benefits/Cost.
Good if greater than one. |
|
|
Term
|
Definition
Return on investment = (Benefits - cost)/cost.
Good if greater than zero. |
|
|
Term
|
Definition
Net present value (two years) = -cost + (benefit - operating cost)/(interest rate) + (benefit - operating cost)/(interest rate)^2
Good if greater than zero. |
|
|
Term
|
Definition
Internal rate of return = the interest rate that would make the NPV zero.
Good if greater than the expected interested rate. |
|
|
Term
| What are the five stages of decision analysis? |
|
Definition
1. Preanalysis: decision-maker identification
2. Structural analysis: the decision-maker structures the problem as a series of decisions and events, where the certainty level of events is affected by decisions
3. Uncertainty Analysis: event probabilities are assigned
4. Utility or value analysis: consequences are identified for alternative decisions-event sequences, and the values of those consequences are estimated
5. Optimization analysis: calculation of the strategy |
|
|
