Defense Risk Treatment Strategy
The risk treatment strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards in an effort to change the likelihood of a successful attack on an information asset; also known as the Avoidance Strategy
Avoidance Strategy
See “Defense Risk Treatment Strategy.”
Transference Risk Treatment Strategy
The risk treatment strategy that attempts to shift risk to other assets, other processes, or other organizations.
Mitigation Risk Treatment Strategy
The risk treatment strategy that attempts to reduce the impact of the loss caused by an incident, disaster, or attack through effective contingency planning and preparation.
Acceptance Risk Treatment Strategy
The risk treatment strategy that indicates the organization is willing to accept the current level of residual risk; as a result, the organization makes a conscious decision to do nothing else to protect an information asset from risk and to accept the outcome from any resulting exploitation.
Termination Risk Treatment Strategy
The risk treatment strategy that eliminates all risk associated with an information asset by removing it from service.
Cost Avoidance
The financial savings from using the defense risk treatment strategy to implement a control and eliminate the financial ramifications of an incident.
Cost-Benefit Analysis (CBA)
Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
Asset Valuation
The process of assigning financial value or worth to each information asset.
Single Loss Expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack (impact); the product of the asset’s value and the exposure factor.
Annualized Rate of Occurrence (ARO)
In a Cost-Benefit Analysis, the expected frequency of an attack, expressed on a per-year basis.
Annualized Loss Expectancy (ALE)
In a Cost-Benefit Analysis, the product of the annualized rate of occurrence and single-loss expectancy.
Organizational Feasibility
An examination of how well a particular solution fits within the organization’s strategic planning objectives and goals.
Operational Feasibility
An examination of how well a particular solution fits within the organization’s culture and the extent to which users are expected to accept the solution; also known as behavioral feasibility.
Behavioral Feasibility
See “Operational Feasibility.”
Technical Feasibility
An examination of how well a particular solution is supportable given the organization’s current technological infrastructure and resources, which include hardware, software, networking, and personnel.
Political Feasibility
An examination of how well a particular solution fits within the organization’s political environment—for example, the working relationship within the organization’s communities of interest or between the organization and its external environment.
Delphi Technique
Named for an oracle in Greece that predicted the future, it’s a process whereby a group rates or ranks a set of information; individual responses are then compiled and returned to the group for repeated iterations until the entire group is satisfied with the result.
Exposure Factor
The percentage loss that would occur from a given vulnerability being exploited.
Factor Analysis of Information Risk (FAIR)
A risk management framework developed by Jack A. Jones that can help organizations understand, analyze, and measure information risk, resulting in more cost-effective information risk management, greater credibility for the InfoSec profession, and a foundation from which to develop a scientific approach to information risk management.
ISO 31000
A Risk Management framework standard that provides a structured methodology for evaluating threats to economic performance in an organization.
Microsoft Risk Management
Microsoft-provisioned security risk management guide that asserts that risk management should be part of a general governance program, allowing the organization’s general-management community of interest to evaluate the organization’s operations and improve its decision-making. It contains four phases: assessing risk, conducting decision support, implementing controls, and measuring program effectiveness.
NIST Risk Management Framework (RMF)
A process that organizations can use to frame risk decisions, assess risk, respond to risk when identified, and then monitor risk for ongoing effectiveness and continuous improvement to the risk management process; the intent is to offer a complete and organization-wide approach that integrates risk management into all operations and decisions.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
An InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
Qualitative Valuation
A risk evaluation method that involves observation and estimation of the value of assets, liabilities, operations, and other “soft” data, applying subjective judgment to non-quantifiable data.