d. Risk correction

5. c. Risk tolerance is the level of risk that an entity or a manager is willing to assume or accept to achieve a potential desired result. Some managers accept more risk than others do due to their personal affinity toward risk.

6. The amount of risk an organization can handle should be based on which of the following?

a. Technological level

b. Acceptable level

c. Affordable level

d. Measurable level

6. b. Often, losses cannot be measured in monetary terms alone. Risk should be handled at an acceptable level for an organization. Both affordable and technological levels vary with the type of organization (e.g., small, medium, or large size and technology-dependent or not).

7. Which of the following methods for handling a risk involves a third party?

a. Accept risk

b. Share risk

c. Reduce risk

d. Transfer risk

7. d. An insurance company or a third party is involved in transferring risk. The other three choices do not involve a third party because they are handled within an organization. One division’s risk can be shared by other divisions of an organization.

8. Which of the following security risk assessment techniques uses a group of experts as the basis for making decisions or judgments?

a. Risk assessment audits

b. Delphi method

c. Expert systems

d. Scenario-based threats

8. b. The Delphi method uses a group decision-making technique. The rationale for using this technique is that it is sometimes difficult to get a consensus on the cost or loss value and the probabilities of loss occurrence. Group members do not meet face-to-face. Rather, each group member independently and anonymously writes down suggestions and submits comments that are then centrally compiled. This process of centrally compiling the results and comments is repeated until full consensus is obtained.

Risk assessment audits are incorrect because these audits do not provide the same consensus as the one reached by the group of experts in the Delphi method. Usually, one or two individuals perform audits, not groups. Expert systems are incorrect because they are computer-based systems developed with the knowledge of human experts; these systems do not reach a consensus the way a group of people does. Scenario-based threats are incorrect because possible threats are identified by a group of people based on scenarios; however, this method does not reach the same consensus as the Delphi method. The process of anonymously submitting results and comments and compiling them centrally makes the Delphi method more useful than the other methods.

9. The costs and benefits of security techniques should be measured in monetary terms where possible. Which of the following is the most effective means to measure the cost of addressing relatively frequent threats?

a. Single-occurrence losses

b. Annual loss expectancy

c. Fatal losses

d. Catastrophic losses

9. b. Annualized loss expectancy (ALE) is the estimated loss expressed in monetary terms at an annual rate, for example, dollars per year. The ALE for a given threat with respect to a given function or asset is equal to the product of the estimates of occurrence rate, loss potential, and vulnerability factor.

A single-occurrence loss (SOL) is incorrect because it is the loss expected to result from a single occurrence of a threat. It is determined for a given threat by first calculating the product of the loss potential and vulnerability factor for each function and asset for the threat analyzed. Then the products are summed to generate the SOL for the threat. Because the SOL does not depend on an estimate of the threat’s occurrence rate, it is particularly useful for evaluating rare but damaging threats. If a threat’s SOL estimate is unacceptably high, it is prudent risk management to take security actions to reduce the SOL to an acceptable level.

Both fatal losses and catastrophic losses are big and rare. Fatal losses involve loss of human life, and catastrophic losses incur great financial loss. In short, ALE is useful for addressing relatively frequent threats, whereas SOL and fatal or catastrophic losses address rare threats.
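As an added worked example (not from the book or from NIST), the ALE and SOL arithmetic above in Python, applied to a frequent low-impact threat and a rare high-impact one. The threat names, asset figures, occurrence rates and the SOL ceiling are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Exposure:
    """One function or asset exposed to a threat (figures are constructed)."""
    asset: str
    loss_potential: float        # monetary loss if the threat fully succeeds against this asset
    vulnerability_factor: float  # 0.0-1.0: share of loss_potential expected to be realised


@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_rate: float       # expected occurrences per year
    exposures: List[Exposure]


def single_occurrence_loss(threat: Threat) -> float:
    """SOL: sum over assets of loss potential x vulnerability factor.
    It ignores the occurrence rate, which is what suits it to rare threats."""
    return sum(e.loss_potential * e.vulnerability_factor for e in threat.exposures)


def annual_loss_expectancy(threat: Threat) -> float:
    """ALE: occurrence rate x loss potential x vulnerability factor, summed over
    assets; algebraically the same as occurrence rate x SOL."""
    return threat.occurrence_rate * single_occurrence_loss(threat)


def assess(threats: List[Threat], sol_ceiling: float) -> Dict[str, dict]:
    """Both metrics per threat, plus a flag for any SOL above the acceptable ceiling."""
    return {t.name: {"sol": single_occurrence_loss(t),
                     "ale": annual_loss_expectancy(t),
                     "sol_exceeds_ceiling": single_occurrence_loss(t) > sol_ceiling}
            for t in threats}


def rank_by_ale(threats: List[Threat]) -> List[str]:
    """Threat names ordered by ALE, highest first: the view that favours frequent threats."""
    return [t.name for t in sorted(threats, key=annual_loss_expectancy, reverse=True)]


# Constructed sample data: phishing hits often but cheaply; a fire is rare but ruinous.
PHISHING = Threat("phishing", 12.0, [Exposure("mail accounts", 10_000, 0.5),
                                     Exposure("workstations", 4_000, 0.25)])
DC_FIRE = Threat("data center fire", 0.01, [Exposure("server room", 5_000_000, 0.75),
                                            Exposure("paper records", 1_000_000, 0.5)])

if __name__ == "__main__":
    for name, m in assess([PHISHING, DC_FIRE], sol_ceiling=1_000_000).items():
        print(f"{name:17} SOL={m['sol']:>12,.2f} ALE={m['ale']:>10,.2f} "
              f"SOL over ceiling={m['sol_exceeds_ceiling']}")
    print("ranked by ALE:", rank_by_ale([PHISHING, DC_FIRE]))
```

ALE ranks phishing first, while the SOL check flags only the fire; the two metrics answer different questions, exactly as the answer key explains.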

