86. To estimate the losses likely to occur when a threat is realized or a vulnerability is exploited, which of the following loss categories allow management the best means to estimate their potential losses?

a. Single occurrence loss, actual loss

b. Expected loss, catastrophic loss

c. Catastrophic loss, actual loss

d. Expected loss, single occurrence loss

86. d. Two loss categories are usually identified: (i) losses caused by threats with reasonably predictable occurrence rates, referred to as expected losses, which are expressed in dollars per year and computed as the product of occurrence rate, loss potential, and vulnerability factor; and (ii) losses caused by threats with a very low rate of occurrence (low probability) that is difficult to estimate but that would cause a very high loss if they did occur (high-consequence risk), referred to as a single occurrence loss, which is expressed as the product of loss potential, vulnerability factor, and asset value. A catastrophic loss is a loss greater than the organization's equity. An actual loss is the amount of assets or lives lost. Neither catastrophic loss nor actual loss enters into risk assessment because they are not estimable.

87. From a security accountability viewpoint, which of the following pose a security risk?

a. Executives and contractors

b. Full-time employees and contingent workers

c. Executives and full-time employees

d. Vendors and consultants

87. b. Most executives have an employment contract listing security policies, practices, and procedures, along with penalties for noncompliance with them. Contractors, vendors, and consultants are bound by formal rules of engagement. Full-time employees operate under an employment-at-will arrangement: they have no formal contract, can leave the company at any time, and can be terminated by the employer at any time. Contingent workers are part-time and short-term (temporary) workers and also have no formal contract. In the absence of a formal contract or rules of engagement, it is difficult for the company to enforce security policies and practices against full-time employees and contingent workers, or to punish them for violations. Therefore, full-time employees and contingent workers are not truly accountable for security in the absence of a formal contract (i.e., they are not legally bound, and the requirements are not enforceable), which poses a security risk to the company.

88. What is the last thing to do upon friendly termination of an employee?

a. Conduct an exit interview.

b. Disable computer access immediately.

c. Take possession of keys and cards.

d. Send the employee to a career counselor.

88. d. The safest course, and the first things to do, are to (i) disable computer access immediately, which should be a standard procedure, (ii) conduct an exit interview, and (iii) take possession of access keys and cards. Sending the employee to a career counselor can be done afterward (the last thing).

89. Which of the following statements is true about data classification and application categorization for sensitivity?

a. Data classification and application categorization are the same.

b. There are clear-cut views on data classification and application categorization.

c. Data classification and application categorization must be organization-specific.

d. It is easy to use simple data classification and application categorization schemes.

89. c. No two organizations are the same, and this is especially true across industries. For example, what works for a governmental organization may not work for a commercial organization. An example of a data classification scheme is: critically sensitive, highly sensitive, sensitive, and nonsensitive.

90. What is the least effective technique for continually educating users in information systems security?

a. Presenting security awareness video programs

b. Posting policies on the intranet websites

c. Presenting one-size-fits-all security briefings

d. Declaring security awareness days

90. c. A one-size-fits-all security briefing should be avoided. It is important to relate security concerns to the specific risks faced by users in individual business units or groups and to ensure that security is an everyday consideration. Lax security can cost money and time. Security awareness is inexpensive and less time-consuming than installing security countermeasures.
