Term
|
Definition
A potential future undesirable state without complete identification of cause. It should not be confused with "threat". |
|
|
Term
|
Definition
The systematic process of identifying hazards and quantifying their potential adverse consequences (magnitude, spatial scale, duration, and intensity) and associated probabilities, including the uncertainties surrounding these estimates. |
|
|
Term
What is risk communication? |
|
Definition
The process used by risk analysts, decision makers, policy makers, and intelligent adversaries to provide data, information, and knowledge to change the risk perceptions of individuals and organizations and enable them to assess the risk more accurately than they otherwise might. |
|
|
Term
What are four ways to respond to risk? |
|
Definition
1. Risk reduction: avoid being a target. 2. Control mechanisms: implement safeguards. 3. Risk acceptance: live with it. 4. Risk reassignment (transfer): buy insurance. |
|
|
Term
What is a risk-based exclusion? |
|
Definition
A security mechanism that, once introduced into the system's concept of operations, would itself pose a greater threat (loss of functionality or enterprise liability) than the risk it addresses; such mechanisms are eliminated as alternatives. |
|
|
Term
What is the purpose of value chain methodology? |
|
Definition
To identify the elements of the chain most likely to be targeted. The attacker's view of the chain may differ from the defender's. |
|
|
Term
What is the goal of an economic approach to risk? |
|
Definition
To balance security investment against the acceptable economic risk to the mission or asset. |
|
|
Term
What is the security investment in a capability? |
|
Definition
The direct cost of the security plus the economic cost of any impairments to the system. |
|
|
Term
Can a system preserve value without security? |
|
Definition
No. A system needs security to preserve its value. |
|
|
Term
Should security be viewed as a systemic feature or a countermeasure? |
|
Definition
|
|
Term
Five example threat assessment strategies |
|
Definition
1. Brainstorm about the types of individuals who would benefit from stealing or destroying an asset. 2. Network and software vulnerability scans. 3. Control self-assessments. 4. Break down high-level threats using attack trees that start with a high-level description of the attack and add granularity with respect to the alternative steps the attacker would need to perform. 5. Search the Internet for proprietary information belonging to the company. |
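As an added example (not from the original page or its source text), the following Python evaluates a small AND/OR attack tree of the kind item 4 describes: a high-level goal at the root, alternative approaches under an OR node, and the concrete steps each approach needs under AND nodes. It shows both the attacker's view (the cheapest path to the goal) and the defender's view (how a safeguard changes the probability of success). The goal, steps, attacker costs, success probabilities and the names `cheapest_path`, `success_probability` and `build_tree` are all constructed for illustration.

```python
# Added example: AND/OR attack tree evaluation. The tree, costs and
# probabilities below are constructed for illustration, not measured data.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "AND" (all children needed) or "OR" (any one suffices)
    cost: float = 0.0         # attacker effort for a leaf step, in assumed currency units
    p_success: float = 1.0    # assumed probability that a leaf step succeeds
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Attacker's view: the least-cost set of leaf steps that reaches the goal."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "AND":
        return sum(r[0] for r in results), [step for r in results for step in r[1]]
    return min(results, key=lambda r: r[0])   # OR: attacker picks the cheapest branch


def success_probability(node: Node) -> float:
    """Probability the goal is reached, treating sibling branches as independent."""
    if node.kind == "LEAF":
        return node.p_success
    ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    q = 1.0                    # OR: 1 - P(every alternative fails)
    for x in ps:
        q *= 1.0 - x
    return 1.0 - q


def build_tree(mfa_deployed: bool = False) -> Node:
    """Constructed tree for the goal 'exfiltrate the customer database'.
    With MFA the phishing step's assumed success probability drops from 0.30 to 0.05."""
    phish_p = 0.05 if mfa_deployed else 0.30
    via_creds = Node("steal admin credentials", "AND", children=[
        Node("phish an administrator", cost=500, p_success=phish_p),
        Node("log in to VPN with stolen credentials", cost=100, p_success=0.9),
        Node("dump database over internal network", cost=50, p_success=0.8),
    ])
    via_webapp = Node("compromise public web app", "AND", children=[
        Node("find and exploit an injection flaw", cost=2000, p_success=0.2),
        Node("pivot from web tier to database tier", cost=300, p_success=0.6),
        Node("dump database over internal network", cost=50, p_success=0.8),
    ])
    insider = Node("bribe a database administrator", cost=10000, p_success=0.5)
    return Node("exfiltrate customer database", "OR", children=[via_creds, via_webapp, insider])


if __name__ == "__main__":
    for mfa in (False, True):
        tree = build_tree(mfa)
        cost, steps = cheapest_path(tree)
        print(f"MFA={mfa}: cheapest path costs {cost:.0f} via {steps}; "
              f"P(goal) = {success_probability(tree):.3f}")
```

Note that the safeguard in this constructed tree lowers the probability of the credential branch but not its cost, so the attacker's cheapest path is unchanged; that is the kind of gap between the attacker's and defender's views the value chain card above refers to.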
|
|
Term
What are the four parts to estimating the impact of a problem? |
|
Definition
1. Quantify the cost of time spent investigating the root cause of the problem. 2. Quantify the cost of equipment and time spent repairing damage and restoring operations. 3. Estimate the loss in productivity due to system downtime. 4. Estimate the loss of business due to the reputational impact of the incident. |
|
|
Term
How can you estimate the cost of a risk? |
|
Definition
Expected frequency * probability of success * cost if successful. |
|
|
Term
Main parts of a Risk Analysis for a Security Feature |
|
Definition
1. Calculate the cost of the risk without the security feature. 2. Calculate the cost of the residual risk with the security feature. 3. Subtract the cost of the residual risk from the cost of the risk. 4. The security feature must cost less than this difference to be justified. |
|
|
Term
|
Definition
Cost Benefit Analysis = Assumed Benefits/Cost.
Good if greater than one. |
|
|
Term
|
Definition
Return on investment = (Benefits - cost)/cost.
Good if greater than zero. |
|
|
Term
|
Definition
Net present value (two years) = -cost + (benefit - operating cost)/(1 + interest rate) + (benefit - operating cost)/(1 + interest rate)^2
Good if greater than zero. |
|
|
Term
|
Definition
Internal rate of return = the interest rate that would make the NPV zero.
Good if greater than the expected interest rate (the discount rate used in the NPV). |
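To tie the preceding cards together, here is an added worked example in Python (mine, not from the original page) that computes the cost of a risk from the "expected frequency * probability of success * cost if successful" card, the residual risk and maximum justified spend from the risk-analysis card, and then the cost-benefit ratio, ROI, NPV and IRR defined above. The ransomware scenario and all of its frequencies, probabilities and costs are constructed inputs, and the function names are assumptions of this example.

```python
# Added example: risk-cost arithmetic and investment metrics for a security
# feature. All scenario numbers are constructed for illustration.
from typing import Optional


def annual_risk_cost(expected_frequency: float, p_success: float, cost_if_successful: float) -> float:
    """Cost of a risk per year = expected frequency * probability of success * cost if successful."""
    return expected_frequency * p_success * cost_if_successful


def max_justified_spend(risk_without_feature: float, residual_risk_with_feature: float) -> float:
    """Risk cost minus residual risk: the security feature must cost less than this."""
    return risk_without_feature - residual_risk_with_feature


def cost_benefit_ratio(benefits: float, cost: float) -> float:
    """Good if greater than one."""
    return benefits / cost


def return_on_investment(benefits: float, cost: float) -> float:
    """Good if greater than zero."""
    return (benefits - cost) / cost


def npv(initial_cost: float, annual_benefit: float, annual_operating_cost: float,
        rate: float, years: int) -> float:
    """Net present value: -initial cost + sum over years t of net cash flow / (1 + rate)^t."""
    net = annual_benefit - annual_operating_cost
    return -initial_cost + sum(net / (1.0 + rate) ** t for t in range(1, years + 1))


def irr(initial_cost: float, annual_benefit: float, annual_operating_cost: float,
        years: int, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> Optional[float]:
    """Internal rate of return: the rate at which NPV is zero, found by bisection.
    Returns None when NPV has the same sign at both ends of [lo, hi], i.e. there is
    no rate in that range that zeroes it (for example, a feature that never pays back)."""
    f = lambda r: npv(initial_cost, annual_benefit, annual_operating_cost, r, years)
    f_lo, f_hi = f(lo), f(hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = f(mid)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
        if hi - lo < tol:
            break
    return (lo + hi) / 2.0


# Constructed scenario: ransomware against a file server (assumed figures).
ATTEMPTS_PER_YEAR = 2.0
P_SUCCESS_BEFORE, LOSS_BEFORE = 0.25, 400_000.0   # no offline backups, slow recovery
P_SUCCESS_AFTER, LOSS_AFTER = 0.05, 150_000.0     # with offline backups and EDR
FEATURE_INITIAL_COST, FEATURE_ANNUAL_COST = 120_000.0, 30_000.0
DISCOUNT_RATE, HORIZON_YEARS = 0.08, 2


def evaluate_scenario() -> dict:
    """Run the four-step risk analysis and the investment metrics on the scenario."""
    risk_before = annual_risk_cost(ATTEMPTS_PER_YEAR, P_SUCCESS_BEFORE, LOSS_BEFORE)
    risk_after = annual_risk_cost(ATTEMPTS_PER_YEAR, P_SUCCESS_AFTER, LOSS_AFTER)
    annual_benefit = max_justified_spend(risk_before, risk_after)
    total_benefit = annual_benefit * HORIZON_YEARS
    total_cost = FEATURE_INITIAL_COST + FEATURE_ANNUAL_COST * HORIZON_YEARS
    return {
        "risk_before": risk_before,
        "risk_after": risk_after,
        "annual_benefit": annual_benefit,
        "cba": cost_benefit_ratio(total_benefit, total_cost),
        "roi": return_on_investment(total_benefit, total_cost),
        "npv": npv(FEATURE_INITIAL_COST, annual_benefit, FEATURE_ANNUAL_COST, DISCOUNT_RATE, HORIZON_YEARS),
        "irr": irr(FEATURE_INITIAL_COST, annual_benefit, FEATURE_ANNUAL_COST, HORIZON_YEARS),
    }


if __name__ == "__main__":
    for name, value in evaluate_scenario().items():
        print(f"{name:>15}: {value:,.4f}")
```

With these assumed inputs the feature reduces annual risk from 200,000 to 15,000, so anything under 185,000 per year is justified by step 4 of the risk analysis; the two-year NPV at 8 % is positive and the IRR is far above the discount rate, so all four metrics agree. Changing `P_SUCCESS_AFTER` or `LOSS_AFTER` shows how sensitive the conclusion is to the residual-risk estimate, which is usually the least certain number in the analysis.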
|
|
Term
What are the five stages of decision analysis? |
|
Definition
1. Preanalysis: identification of the decision maker. 2. Structural analysis: the decision maker structures the problem as a series of decisions and events, where the likelihood of events is affected by decisions. 3. Uncertainty analysis: probabilities are assigned to events. 4. Utility or value analysis: consequences are identified for each alternative decision-event sequence, and the values of those consequences are estimated. 5. Optimization analysis: calculation of the optimal strategy. |
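The five stages as an added worked example in Python (mine, not from the original page): a decision tree with decision and chance nodes (structural analysis), assumed event probabilities (uncertainty analysis), assumed monetary consequences (value analysis), and a solver that selects the strategy with the best expected value (optimization analysis). The MFA scenario, its probabilities and costs, and the `Chance`, `Decision`, `expected_value` and `optimal_strategy` names are all assumptions of this example.

```python
# Added example: expected-value decision tree for a security investment.
# All probabilities and costs are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Chance:
    """Event node: outcomes the decision maker does not control (uncertainty analysis)."""
    name: str
    branches: List[Tuple[float, "Node"]]   # (probability, subtree); probabilities sum to 1
    payoff: float = 0.0                    # cost (negative) incurred on entering this node


@dataclass
class Decision:
    """Decision node: the decision maker picks the option with the best expected value."""
    name: str
    options: Dict[str, "Node"]
    payoff: float = 0.0


Node = Union[float, Chance, Decision]      # a bare number is a terminal consequence


def expected_value(node: Node) -> float:
    """Value analysis rolled back through the tree: chance nodes average, decision nodes maximize."""
    if isinstance(node, (int, float)):
        return float(node)
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"probabilities at {node.name!r} sum to {total}, not 1")
        return node.payoff + sum(p * expected_value(child) for p, child in node.branches)
    return node.payoff + max(expected_value(child) for child in node.options.values())


def optimal_strategy(node: Node, chosen: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Optimization analysis: the best option at every decision reachable under the optimal policy."""
    if chosen is None:
        chosen = {}
    if isinstance(node, Chance):
        for _, child in node.branches:
            optimal_strategy(child, chosen)
    elif isinstance(node, Decision):
        best = max(node.options, key=lambda option: expected_value(node.options[option]))
        chosen[node.name] = best
        optimal_strategy(node.options[best], chosen)
    return chosen


def build_tree() -> Decision:
    """Structural analysis of a constructed scenario: deploy MFA or not, then a
    credential-theft event whose probability depends on that decision, then an
    incident-response decision if the theft succeeds."""
    response = Decision("incident response", {
        "engage external IR firm": -250_000.0,
        "internal team only": Chance("internal recovery", [(0.5, -150_000.0), (0.5, -400_000.0)]),
    })
    return Decision("deploy MFA?", {
        "deploy": Chance("credential theft succeeds", [(0.05, response), (0.95, 0.0)],
                         payoff=-40_000.0),                      # assumed MFA rollout cost
        "do nothing": Chance("credential theft succeeds", [(0.30, response), (0.70, 0.0)]),
    })


if __name__ == "__main__":
    tree = build_tree()
    print("expected value of optimal strategy:", expected_value(tree))
    print("strategy:", optimal_strategy(tree))
```

Here the same incident-response decision node is shared by both branches, which is what stage 2 means by structuring the problem as a sequence of decisions and events: the choice of safeguard changes the probability of the event, not the response options available once it occurs.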
|
|