Lecture 8: Risk Management

Last updated 9:00 AM on 6/9/26

62 Terms

1

Risk

The potential for loss or damage to an organization resulting from a threat exploiting a vulnerability

2

Which two factors is risk measured by?

How likely it is to occur (likelihood) and the damage it could cause (impact)

3

Risk Management

The process of identifying, assessing, and reducing risks that could affect an organization

4

What are the key steps in risk management?

Risk identification, risk assessment, risk response, risk monitoring

5

Risk Appetite

The maximum level of risk an organization is willing to accept in pursuit of its objectives

6

What are the types of risk appetite?

Expansionary, conservative, neutral

7

Expansionary Risk Appetite

Accepts higher risk in exchange for growth

8

Conservative Risk Appetite

Avoids risk and prioritizes stability

9

Neutral Risk Appetite

Balanced approach between expansionary and conservative

10

Risk Posture

The overall level of risk an organization is currently exposed to; used to prioritize risk response strategies

11

Risk Identification

The process of finding the threats and vulnerabilities (risks) that could affect the organization

12

What are the methods used in risk identification?

Vulnerability assessments, penetration testing, security audits, and threat intelligence

13

Risk Assessment

Analyzes the likelihood and impact of already identified risks and determines their severity in relation to the organization; helps prioritize risks and decide how to manage them

14

Inherent Risk

The level of risk before any security controls or mitigation are applied

15

What are the types of risk assessment?

Ad hoc, one-time, recurring, continuous

16

Ad Hoc Risk Assessment

Done when needed, e.g. in response to a new threat or an incident

17

One-Time Risk Assessment

Conducted once, often during a new system implementation

18

Recurring Risk Assessment

Done at a fixed interval (monthly, quarterly, annually)

19

Continuous Risk Assessment

Ongoing monitoring using automated tools

20

Which approaches can risk assessment be classified into?

Qualitative risk analysis and quantitative risk analysis

21

Quantitative Risk Analysis

Uses numerical values, calculations, and financial data to estimate the potential monetary loss caused by a risk

22

What are key concepts in quantitative risk assessment?

Single loss expectancy (SLE), annualized loss expectancy (ALE), annual rate of occurrence (ARO)

23

Single Loss Expectancy

The expected monetary loss from a single occurrence of a risk/incident

24

Annualized Loss Expectancy

The expected loss per year (ALE = SLE × ARO); used to decide whether a security control is worth its cost

25

Annual Rate of Occurrence

How many times the risk is expected to occur in a year
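
The following worked example is an added illustration, not part of the lecture cards. It computes SLE and ALE for a scenario and compares the ALE reduction a control buys against the control's annual cost, which is exactly the "is the control worth it" decision card 24 describes. It uses the standard decomposition SLE = AV × EF (asset value times exposure factor; the cards do not name AV and EF) and ALE = SLE × ARO. All figures are constructed sample numbers.

```python
"""Quantitative risk analysis worked example.

Added illustration, not part of the lecture cards. Uses the standard formulas
SLE = AV x EF (asset value times exposure factor; the lecture cards do not
name AV and EF) and ALE = SLE x ARO, then compares the ALE reduction a control
buys against the control's annual cost. All figures below are constructed
sample numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0-1.0
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE: expected monetary loss from one occurrence of the risk."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control = (ALE before - ALE after) - annual cost.

    Positive: the control pays for itself (mitigate). Negative: the control
    costs more than the loss it prevents, so accepting the risk is cheaper.
    """
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_control_cost)


# Constructed sample: ransomware on a file server valued at 200,000 that loses
# 60% of its value per incident, expected once every two years (ARO = 0.5).
RANSOMWARE = Scenario("ransomware on file server", 200_000, 0.60, 0.5)
# Tested offline backups cut the impact to 10% of the asset value; the ARO is
# unchanged because backups reduce impact, not likelihood.
RANSOMWARE_WITH_BACKUPS = Scenario("ransomware with offline backups", 200_000, 0.10, 0.5)
BACKUP_ANNUAL_COST = 15_000


if __name__ == "__main__":
    print(f"SLE: {single_loss_expectancy(RANSOMWARE):,.0f}")
    print(f"ALE: {annualized_loss_expectancy(RANSOMWARE):,.0f}")
    print(f"ALE with backups: {annualized_loss_expectancy(RANSOMWARE_WITH_BACKUPS):,.0f}")
    net = control_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"Net annual value of backups: {net:,.0f} "
          f"({'worth it' if net > 0 else 'accept the risk instead'})")
```

With these sample numbers the SLE is 120,000, the ALE is 60,000, backups reduce the ALE to 10,000, and after their 15,000 annual cost they return a net 35,000 per year, so mitigation is justified. Change the ARO to 0.1 and the same control no longer pays for itself, which is the acceptance case on card 31.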

26

Qualitative Risk Analysis

A simple and quick way to assess risks using subjective ratings (e.g. low/medium/high) based on expert judgement and experience rather than financial figures

27

What is part of the risk response?

Mitigation, avoidance, transference, acceptance

28

Mitigation

Reduces the likelihood or impact of a risk by applying controls; e.g., fire alarms, sprinklers

29

Avoidance

Eliminates the risky activity altogether; e.g., stop selling insecure software to avoid liability

30

Transference

Shifts the risk to a third party (e.g., insurance, outsourcing)

31

Acceptance

Knowingly accepts a minor risk when mitigation isn't justified; used when the cost of a control would exceed the potential loss

32

Accept with Exemption

A required security policy or regulation cannot be followed due to constraints such as system limitations or organizational factors

33

Accept with Exception

An internal security policy is temporarily not applied due to operational issues or system conflicts

34

Residual Risk

The risk that remains after mitigation measures are applied; the final level of risk that cannot be fully eliminated and must be accepted and monitored

35

Risk Monitoring

The continuous process of tracking and reviewing identified risks and the controls applied to them

36

What are the key activities in risk monitoring?

Monitoring existing risks, reviewing the effectiveness of controls, detecting new or changing risks

37

Risk Register

A central document that tracks all identified risks and their mitigation strategies

38

What does the risk register help stakeholders with?

Monitoring, prioritizing, and managing risks effectively

39

What does a risk register typically include?

Risk description, likelihood & impact, risk owner, mitigation controls, status & escalation path
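
The following worked example is an added illustration, not part of the lecture cards. It models a small risk register with the fields card 39 lists, scores each risk qualitatively (card 26) as likelihood × impact on 1-to-5 scales, keeps both the inherent (card 14) and residual (card 34) score, records the chosen response (card 27), and flags for the escalation path any risk whose residual score is still above the organization's risk appetite (card 5). The 1-to-5 scales, the rating bands, the appetite threshold and the sample risks are constructed for this example.

```python
"""Risk register worked example.

Added illustration, not part of the lecture cards. Holds the fields the
lecture lists (description, likelihood and impact, owner, controls, status,
escalation), scores each risk qualitatively as likelihood x impact on 1-5
scales, records both the inherent and the residual score, and flags for
escalation any risk whose residual score is still above the organization's
risk appetite. The 1-5 scales, the rating bands and the sample risks are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)  # 1 = very low ... 5 = very high
RESPONSES = {"mitigate", "avoid", "transfer", "accept"}


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str
    likelihood: int                 # inherent likelihood, 1-5
    impact: int                     # inherent impact, 1-5
    response: str                   # one of RESPONSES
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # after controls; defaults to inherent
    residual_impact: Optional[int] = None
    status: str = "open"

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")
        # A risk with no controls applied has residual equal to inherent risk.
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        if self.residual_impact is None:
            self.residual_impact = self.impact
        if (self.residual_likelihood > self.likelihood
                or self.residual_impact > self.impact):
            raise ValueError(f"{self.risk_id}: residual risk cannot exceed inherent risk")

    @property
    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rating(score: int) -> str:
    """Map a 1-25 score to a band; the cut-offs are a convention chosen here."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def needs_escalation(risk: Risk, appetite: int) -> bool:
    """A risk whose residual score exceeds the appetite cannot be signed off
    by its owner alone and follows the register's escalation path."""
    return risk.residual_score > appetite


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest residual score first; ties broken by inherent score."""
    return sorted(register,
                  key=lambda r: (r.residual_score, r.inherent_score),
                  reverse=True)


def register_report(register: List[Risk], appetite: int) -> List[Dict]:
    """One row per risk, in review order."""
    return [{
        "id": r.risk_id,
        "owner": r.owner,
        "inherent": r.inherent_score,
        "residual": r.residual_score,
        "rating": rating(r.residual_score),
        "response": r.response,
        "escalate": needs_escalation(r, appetite),
    } for r in prioritize(register)]


# Constructed sample register. Appetite 8: any residual score above 8 is escalated.
RISK_APPETITE = 8
SAMPLE_REGISTER = [
    Risk("R-001", "Unpatched internet-facing VPN appliance", "Head of Infrastructure",
         likelihood=4, impact=5, response="mitigate",
         controls=["monthly patch cycle", "MFA on VPN"],
         residual_likelihood=2, residual_impact=4),
    Risk("R-002", "Laptop lost with unencrypted customer data", "IT Operations",
         likelihood=3, impact=4, response="mitigate",
         controls=["full-disk encryption enforced by MDM"],
         residual_likelihood=3, residual_impact=1),
    Risk("R-003", "Cloud provider regional outage", "Head of Platform",
         likelihood=2, impact=4, response="transfer",
         controls=["provider SLA credits", "business interruption insurance"],
         residual_likelihood=2, residual_impact=3),
    Risk("R-004", "Legacy app cannot enforce password policy", "Application Owner",
         likelihood=3, impact=3, response="accept",
         controls=["policy exception recorded"]),
]


if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER, RISK_APPETITE):
        print(row)
```

Note the ordering: R-001 has the highest inherent score (20) but after patching and MFA its residual score (8) sits within appetite, while the accepted R-004 keeps its full inherent score (9) and is the one that goes up the escalation path. Sorting on residual rather than inherent risk is what makes the register useful for monitoring (card 35) instead of just listing threats.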

40

Penetration Testing

An authorized, simulated cyberattack used to identify exploitable security weaknesses; AKA ethical hacking

41

What is the purpose of penetration testing?

To test the effectiveness of security controls and identify vulnerabilities before attackers exploit them

42

How does penetration testing support risk management?

By finding vulnerabilities and showing whether they can actually be exploited, which helps assess how serious the risks are

43

What are the penetration testing types based on knowledge level?

White box, grey box, black box

44

White Box

Known environment testing; full knowledge of the system (e.g. architecture and source code)

45

Grey Box

Partially known environment testing; limited knowledge of the system

46

Black Box

Unknown environment testing; no prior knowledge, simulates an external attacker

47

What are the penetration testing types based on testing approach?

Offensive, defensive, physical testing, integrated penetration testing

48

Offensive Testing

Red team; simulates attacks, finds vulnerabilities, attacker-focused

49

Defensive Testing

Blue team; tests controls, detection, and incident response

50

Physical Testing

Assesses physical security; uses social engineering, tailgating, lock picking

51

Integrated Penetration Testing

Combines different types of penetration testing techniques in one engagement

52

Business Impact Analysis

A process used to identify and evaluate the potential effects of disruptions on an organization's critical operations

53

What are the critical systems and assets in BIA?

People, tangible assets, intangible assets, procedures

54

What are the business functions in BIA?

Mission Essential Functions (MEF) and Primary Business Functions (PBF)

55

Mission Essential Functions

Cannot be deferred; must be restored first after a disruption

56

Primary Business Function

Supports the mission but is not critical; can be deferred during a disruption

57

What are key metrics of BIA?

Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Recovery Point Objective (RPO), Work Recovery Time (WRT)

58

Maximum Tolerable Downtime

The longest time a process or system can be down before causing serious harm to the organization

59

Recovery Time Objective

The target time within which systems must be restored after a disruption; must be set within the MTD to ensure timely recovery

60

Recovery Point Objective

The maximum acceptable amount of data loss after a disruption, expressed as a period of time; determines how often backups must be taken

61

Work Recovery Time

Time to reintegrate processes and resume all operations after the systems themselves are restored; focuses on people and processes

62

What must not exceed MTD?

RTO and WRT: the total recovery window RTO + WRT must fit within the MTD
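
The following worked example is an added illustration, not part of the lecture cards. It encodes the relationships between the BIA metrics on cards 57 to 62 as checks a practitioner would run over a BIA worksheet: the recovery window RTO + WRT must not exceed MTD, an RPO can only be met if a restorable copy is taken at least that often, and Mission Essential Functions are restored before Primary Business Functions. Hours as the unit, the field names and the sample business functions are constructed for this example.

```python
"""BIA recovery-metric consistency check.

Added illustration, not part of the lecture cards. Encodes the relationships
the lecture states between MTD, RTO, WRT and RPO: the recovery window
RTO + WRT must not exceed MTD, and an RPO can only be met if a restorable
copy is taken at least that often. It also orders functions for restoration
with Mission Essential Functions first. Hours as the unit, the field names and
the sample business functions are constructed for this example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    essential: bool               # True = MEF (cannot be deferred), False = PBF
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective: systems restored
    wrt_hours: float              # Work Recovery Time: people/processes back to normal
    rpo_hours: float              # Recovery Point Objective: max acceptable data loss
    backup_interval_hours: float  # how often a restorable copy is actually taken


def recovery_window(f: BusinessFunction) -> float:
    """Time from disruption to full operation = RTO (systems) + WRT (processes)."""
    return f.rto_hours + f.wrt_hours


def check_function(f: BusinessFunction) -> List[str]:
    """Return the findings for one function; an empty list means its targets are consistent."""
    findings = []
    for label, value in (("MTD", f.mtd_hours), ("RTO", f.rto_hours),
                         ("WRT", f.wrt_hours), ("RPO", f.rpo_hours),
                         ("backup interval", f.backup_interval_hours)):
        if value < 0:
            findings.append(f"{f.name}: {label} cannot be negative")
    # Neither RTO nor WRT may exceed MTD; since both are non-negative,
    # checking their sum covers both at once and is the stricter condition.
    if recovery_window(f) > f.mtd_hours:
        findings.append(f"{f.name}: RTO + WRT = {recovery_window(f):g}h "
                        f"exceeds MTD {f.mtd_hours:g}h")
    # Data written after the last backup is lost, so the backup interval
    # bounds the RPO that can actually be achieved.
    if f.backup_interval_hours > f.rpo_hours:
        findings.append(f"{f.name}: backups every {f.backup_interval_hours:g}h "
                        f"cannot meet RPO {f.rpo_hours:g}h")
    return findings


def check_all(functions: List[BusinessFunction]) -> List[str]:
    """Findings across the whole BIA worksheet."""
    return [finding for f in functions for finding in check_function(f)]


def restoration_order(functions: List[BusinessFunction]) -> List[str]:
    """MEFs first (they cannot be deferred), then the shortest MTD first."""
    return [f.name for f in sorted(functions,
                                   key=lambda f: (not f.essential, f.mtd_hours))]


# Constructed sample functions.
ORDER_PROCESSING = BusinessFunction("Order processing", True, mtd_hours=8, rto_hours=4,
                                    wrt_hours=2, rpo_hours=1, backup_interval_hours=0.25)
CUSTOMER_PORTAL = BusinessFunction("Customer portal", True, mtd_hours=4, rto_hours=3,
                                   wrt_hours=2, rpo_hours=0.5, backup_interval_hours=1)
PAYROLL = BusinessFunction("Payroll", False, mtd_hours=72, rto_hours=24,
                           wrt_hours=12, rpo_hours=24, backup_interval_hours=24)
SAMPLE_FUNCTIONS = [PAYROLL, ORDER_PROCESSING, CUSTOMER_PORTAL]


if __name__ == "__main__":
    for finding in check_all(SAMPLE_FUNCTIONS):
        print("FINDING:", finding)
    print("Restoration order:", restoration_order(SAMPLE_FUNCTIONS))
```

The customer portal in the sample illustrates the common mistake: its RTO (3 h) is within the MTD (4 h) on its own, but once the 2 h of work recovery time is added the recovery window is 5 h and the MTD is breached; its hourly backups also cannot deliver a 30-minute RPO. Either the targets or the controls behind them must change before the BIA is signed off.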