133. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?

a. Risk assessment audits

b. Delphi method

c. Expert systems

d. Scenario-based threats

133. b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.

Risk assessment audits are incorrect because these audits do not provide the same consensus as the one reached by a group of experts in the Delphi method. Usually, one or two individuals perform audits, not groups. Expert systems are incorrect because they are computer-based systems developed with the knowledge of human experts. These systems do not reach a consensus as a group of people. Scenario-based threats are incorrect because possible threats are identified based on scenarios by a group of people. However, this system does not have the same consensus reached as in the Delphi method. The process of submitting results and comments makes the Delphi method more useful than the other methods.

134. The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?

a. Single-occurrence losses

b. Annualized loss expectancy

c. Fatal losses

d. Catastrophic losses

134. b. The annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.

Single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat being analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.

Both fatal losses and catastrophic losses are big and rare. Fatal losses involve loss of human life, and catastrophic loss incurs great financial loss. In short, the ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.
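The ALE and SOL definitions above are easier to compare with numbers attached. The following Python is an added illustration, not part of the exam text: it computes SOL as the sum of loss potential times vulnerability factor over the exposed assets, ALE as occurrence rate times that sum, ranks threats by ALE, and checks SOL against a tolerance for rare threats. The two threats, their asset values, rates and the safeguard cost are constructed figures chosen for the arithmetic, and the `apply_safeguard` model (a safeguard lowers one asset's vulnerability factor) is an assumption made for the example.

```python
"""ALE versus SOL worked example; all figures are constructed, not from the exam text."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One function or asset exposed to the threat under analysis."""
    name: str
    loss_potential: float        # monetary loss if the threat fully materialises
    vulnerability_factor: float  # 0.0..1.0, fraction of loss_potential the threat can reach


@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_rate: float       # expected occurrences per year
    exposures: Tuple[Exposure, ...]


def single_occurrence_loss(exposures: Iterable[Exposure]) -> float:
    """SOL: sum over functions/assets of loss potential x vulnerability factor.

    There is no occurrence-rate term, which is why SOL is the yardstick for rare
    but damaging threats whose rate cannot be estimated with confidence.
    """
    return sum(e.loss_potential * e.vulnerability_factor for e in exposures)


def annualized_loss_expectancy(threat: Threat) -> float:
    """ALE: occurrence rate x loss potential x vulnerability factor, summed over exposures.

    Algebraically this is occurrence_rate x SOL, so it only says something useful
    when the rate is meaningful, i.e. for relatively frequent threats.
    """
    return threat.occurrence_rate * single_occurrence_loss(threat.exposures)


def rank_by_ale(threats: Iterable[Threat]) -> List[Tuple[str, float]]:
    """Order threats by annual cost, highest first (the frequent-threat view)."""
    return sorted(((t.name, annualized_loss_expectancy(t)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def sol_exceeds_tolerance(threat: Threat, tolerance: float) -> bool:
    """The rare-threat check: is a single occurrence on its own unacceptable?"""
    return single_occurrence_loss(threat.exposures) > tolerance


def apply_safeguard(threat: Threat, asset_name: str, new_vulnerability_factor: float) -> Threat:
    """Assumed safeguard model: lower one asset's vulnerability factor; returns a new Threat."""
    exposures = tuple(replace(e, vulnerability_factor=new_vulnerability_factor)
                      if e.name == asset_name else e for e in threat.exposures)
    return replace(threat, exposures=exposures)


def annual_net_benefit(before: Threat, after: Threat, annual_safeguard_cost: float) -> float:
    """ALE reduction minus the safeguard's annualised cost; positive means it pays on ALE terms."""
    reduction = annualized_loss_expectancy(before) - annualized_loss_expectancy(after)
    return reduction - annual_safeguard_cost


# Constructed sample threats (hypothetical figures).
COMMODITY_MALWARE = Threat(
    name="commodity malware on a workstation",
    occurrence_rate=12.0,          # roughly monthly: a frequent threat
    exposures=(
        Exposure("workstation rebuild", 2_000, 1.0),
        Exposure("staff downtime", 3_000, 0.5),
    ),
)
SERVER_ROOM_FIRE = Threat(
    name="server room fire",
    occurrence_rate=0.02,          # once in fifty years: a rare threat
    exposures=(
        Exposure("server hardware", 400_000, 0.75),
        Exposure("business interruption", 1_000_000, 0.20),
    ),
)

if __name__ == "__main__":
    for name, ale in rank_by_ale([COMMODITY_MALWARE, SERVER_ROOM_FIRE]):
        print(f"{name}: ALE = {ale:,.0f} per year")
    print("fire SOL:", single_occurrence_loss(SERVER_ROOM_FIRE.exposures))
    hardened = apply_safeguard(SERVER_ROOM_FIRE, "business interruption", 0.05)
    print("net ALE benefit of failover at 4,000/yr:",
          annual_net_benefit(SERVER_ROOM_FIRE, hardened, 4_000))
```

With these figures the malware threat tops the ALE ranking (42,000 per year against 10,000 for the fire), yet the fire's SOL of 500,000 is what drives a decision about it: a safeguard that cuts the fire's ALE by only 3,000 per year fails a pure ALE cost/benefit test at 4,000 per year, while still being the prudent action if a 500,000 single-occurrence loss is above the organisation's tolerance. That is the frequent-versus-rare distinction the explanation draws.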

135. Surveys and statistics indicate that the greatest threat to any computer system is:

a. Untrained or negligent users

b. Vendors and contractors

c. Hackers and crackers

d. Employees

135. d. Employees of all categories are the greatest threat to any computer system because they are trusted the most. They have access to the computer system, they know the physical layout of the area, and they could misuse the power and authority. Most trusted employees have an opportunity to perpetrate fraud if the controls in the system are weak. The consequence of untrained or negligent users is the creation of errors and other minor inconveniences.

Although vendors and contractors are a threat, they are not as great a threat as employees are. With proper security controls, threats arising from hackers and crackers can be minimized, if not completely eliminated. Hackers and crackers are the same, and they access computer systems for fun and/or damage.

136. Risk management consists of risk assessment and risk mitigation. Which of the following is not an element of risk mitigation?

a. Measuring risk

b. Selecting appropriate safeguards

c. Implementing and testing safeguards

d. Accepting residual risk
