a. Security is relative to each organization.

b. Security is inversely related to complexity.

c. Security should be layered and have diverse defenses.

d. Security should be based on minimal privileges.

115. b. Security is inversely related to complexity; the more complex a system, the more difficult it is to secure. This is the focus of the safeguard titled “minimal functionality.” Security should be relative to each organization and must take into account an organization’s specific needs, budget, and culture. Security is not absolute. This is the focus of the safeguard titled “risk analysis and management.” Defending an information system requires safeguards to be applied not only at points of entry, but also throughout. This is the focus of the safeguard titled “layered and diverse defenses.” The principle of least (minimum) privilege states that programs should operate only with the privileges needed to accomplish their functions. This is the focus of the safeguard titled “least privilege.”

116. Residual risk is calculated as which of the following?

a. Known risks minus unknown risks

b. Actual risks minus probable risks

c. Probable risks minus possible risks

d. Potential risks minus covered risks

116. d. Potential risks include all possible and probable risks. Countermeasures cover some, but not all risks. Therefore, the residual risk is potential risks minus covered risks.

117. Which of the following is the correct equation in risk management?

a. Risk management = Risk research + Risk analysis + Risk evaluation

b. Risk management = Risk analysis + Risk avoidance + Risk evaluation

c. Risk management = Risk assessment + Risk mitigation + Risk evaluation

d. Risk management = Risk transfer + Risk acceptance + Risk evaluation

117. c. Risk management includes risk assessment, risk mitigation, and risk evaluation. Risk assessment is also called risk analysis. Risk mitigation includes risk transfer (risk assignment), risk reduction, risk avoidance, risk sharing, risk limitation, and risk acceptance. Risk research is a part of risk analysis. Risk evaluation focuses on ongoing risk assessment.

118. What can be done with the residual risk?

a. It can be either assigned or accepted.

b. It can be either identified or evaluated.

c. It can be either reduced or calculated.

d. It can be either exposed or assessed.

118. a. Residual risk is the remaining risk after countermeasures (controls) cover the risk population. The residual risk is either assigned to a third party (e.g., insurance company) or accepted by management as part of doing business. It may not be cost-effective to further reduce residual risk.

119. Which of the following is not part of risk analysis?

a. Assets

b. Threats

c. Vulnerabilities

d. Countermeasures

119. d. Actual implementation of countermeasures and safeguards takes place after performing risk analysis. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that could mitigate this impact. Assets, threats, and vulnerabilities are part of the risk analysis exercise.

120. Unacceptable risk is which of the following?

1. Attacker’s cost < gain

2. Loss anticipated > threshold

3. Attacker’s cost > gain

4. Loss anticipated < threshold

a. 1 and 2

b. 2 and 3

c. 1 and 4

d. 3 and 4

120. a. Unacceptable risk is a situation where an attacker’s cost is less than the gain and where the loss anticipated by an organization is greater than its threshold level. The organization’s goals should be to increase the attacker’s cost and to reduce its own loss.

121. Security safeguards and controls cannot do which of the following?

a. Risk reduction

b. Risk avoidance

c. Risk transfer

d. Risk analysis

121. d. Risk analysis identifies the risks to system security and determines the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Risk analysis is a management exercise performed before deciding on specific safeguards and controls. The other three choices are part of risk mitigation, which results from applying the selected safeguards and controls. Risk avoidance includes risk reduction, and risk transfer is the assignment of risk to a third party.

122. Selection and implementation of security controls refer to which of the following?

a. Risk analysis

b. Risk mitigation

c. Risk assessment

d. Risk management
