122. b. Risk mitigation involves the selection and implementation of security controls to reduce risks to an acceptable level. Risk analysis is the same as risk assessment. Risk management includes both risk analysis and risk mitigation.

123. Which of the following is closely linked to risk acceptance?

a. Risk detection

b. Risk prevention

c. Risk tolerance

d. Risk correction

123. c. Risk tolerance is the level of risk an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do because of their personal affinity toward risk.

124. The amount of risk an organization can handle should be based on which of the following:

a. Technological level

b. Acceptable level

c. Affordable level

d. Measurable level

124. b. Risk should be handled at the level that is acceptable to the organization. Losses often cannot be measured in monetary terms alone (for example, loss of customer confidence and loyalty), so a purely measurable level is too narrow. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size; technology dependent or not) and therefore cannot serve as the basis for the decision.

125. In terms of information systems security, a risk is defined as which of the following combinations?

a. Attack plus vulnerability

b. Threat plus attack

c. Threat plus vulnerability

d. Threat plus breach

125. c. A vulnerability is a weakness in security policy, procedure, personnel, management, administration, hardware, software, or facilities that may allow harm to an information system. The presence of a vulnerability does not in itself cause harm; it is a condition that may allow the information system to be harmed by an attack. A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction or modification of data or denial of service. An attack is an attempt to violate data security. A risk is the probability that a particular threat can exploit a particular vulnerability of a system; hence risk is defined as threat plus vulnerability. An exposure is an instance of vulnerability in which losses may result from the occurrence of one or more attacks. A countermeasure is any action, control, device, procedure, technique, or other measure that reduces the vulnerability of a system to a threat. A breach is the successful circumvention or disablement of a security control, with or without detection, which, if carried to completion, could result in a penetration of the system.

126. Risk management is made up of primary and secondary activities. Which of the following is an example of a secondary activity?

a. Risk analysis data

b. Risk assessment

c. Risk mitigation

d. Risk methodology

126. a. Risk management must often rely on speculation, best guesses, incomplete data, and many unproven assumptions. The data fed into risk analysis are therefore a source of uncertainty in their own right, and gathering and validating them is a secondary (supporting) activity rather than a primary one. Data for risk analysis normally come from two sources: statistical data and expert analysis. Both have shortcomings; for example, the statistical sample may be too small, or the expert analysis may be subjective because of the assumptions made.

Risk assessment, the process of analyzing and interpreting risk, is composed of three basic activities: (i) determining the assessment’s scope and methodology, (ii) collecting and synthesizing data, and (iii) interpreting the risk. A risk assessment methodology should be a relatively simple process that can be adapted to various organizational units, and it should involve a mix of individuals with knowledge of the business operations and of the technical aspects of the organization’s systems and security controls.

Risk mitigation involves the selection and implementation of cost-effective security controls to reduce risk to a level acceptable to management, within applicable constraints. Risk methodology is a part of risk assessment. It can be formal or informal, detailed or simplified, high or low level, quantitative (computationally based) or qualitative (based on descriptions or rankings), or a combination of these. No single method is best for all users and all environments. The other three choices are examples of primary activities.

127. From a risk management viewpoint, which of the following options is not acceptable?

a. Accept the risk

b. Assign the risk

c. Avoid the risk

d. Defer the risk

127. d. Accepting, assigning (transferring), and avoiding risk are the recognized risk-handling options. “Deferring risk” means either ignoring the risk at hand or postponing the decision until some later consideration, which leaves the risk unaddressed in the meantime. Even where a deferral is a calculated decision, it presumes that management already has the data needed to judge that waiting is safe, and that data are frequently lacking.
