By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Risk is the probability or likelihood that a threat will exploit a vulnerability and cause a loss. It is sometimes expressed with the formula Risk = Threat × Vulnerability. A threat is any activity that poses a possible danger; threat events include any activity or event that can result in a loss of confidentiality, integrity, or availability of an organization’s assets. A vulnerability is a weakness, and a loss is a negative event for an organization. Organizations attempt to identify potential threat sources and threat events. They then attempt to identify vulnerabilities that those threats can exploit, and assess the potential impact of a threat exploiting a vulnerability.

NIST publishes several documents related to IT security. Those related to risk and mentioned in this chapter are SP 800-30 (Guide for Conducting Risk Assessments), SP 800-61 (Computer Security Incident Handling Guide), SP 800-150 (Guide to Cyber Threat Information Sharing), and SP 800-154 (Guide to Data-Centric System Threat Modeling).

Risk management (sometimes referred to as risk treatment) includes several elements used to reduce risk to a manageable level. These include methods to mitigate (or reduce) risk, avoid risk, share or transfer risk, accept risk, and recast risk. Residual risk is the risk that remains after mitigating risks. Senior management is responsible for any losses resulting from risk they choose to accept, including residual risk.

One of the first steps in risk management is to identify assets. Once an organization identifies the assets that it considers valuable, it then takes steps to protect them. An organization addresses high risks by implementing security controls. Security controls typically attempt to reduce vulnerabilities or reduce the impact of a risk. However, if the valuable assets haven’t been identified, it’s possible that they won’t be protected and that resources will be expended protecting less valuable assets.
The Common Vulnerability Scoring System (CVSS) is an open standard that organizations can use to assess the severity of computer system security vulnerabilities. It provides several precomputed formulas that security personnel can use to determine a risk score: personnel evaluate their system and assign metric values to the variables in those formulas.

A risk management framework provides a structured process that personnel can use to manage risk. NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, includes the steps for one such framework. ISO 31000, Risk Management – Guidelines, provides a slightly different framework.

A risk assessment is a point-in-time evaluation. It examines a system to identify threats and vulnerabilities, given the current security controls. It then attempts to evaluate the likelihood of a threat exploiting a vulnerability and the impact, or magnitude of harm, of that event. Identifying the likelihood and the impact helps to determine the level of risk, and risk management processes then address the high risks. Threat modeling is a type of risk assessment that attempts to predict an attack.

Risk assessments commonly use either a quantitative analysis or a qualitative analysis. A quantitative analysis uses numerical figures to calculate risk. The single loss expectancy (SLE) identifies the loss from a single event. The annual rate of occurrence (ARO) indicates how many times you expect the event to occur in a year. The annual loss expectancy (ALE) provides the total expected loss for a year and is calculated as SLE × ARO. This is useful for evaluating the value of a control: if the cost of the control is less than the ALE, it is justified; if it is significantly higher than the ALE, it is not justified; and if the cost of the control and the ALE are relatively close, they must be evaluated to determine a long-term return on investment (ROI).
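The quantitative analysis above, worked through in code as an added example (not part of the original study guide): it computes ALE = SLE × ARO, applies the control-justification rule of thumb, and carries the "relatively close" case through to a multi-year ROI. The ransomware figures, the control names and costs, the residual ARO values, and the 20% band used to decide what counts as "relatively close" are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    """One quantified risk: SLE and ARO as defined in the text; ALE = SLE x ARO."""
    name: str
    sle: float  # single loss expectancy: dollars lost per event
    aro: float  # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard. All cost and residual-ARO values are hypothetical inputs."""
    name: str
    upfront_cost: float  # one-time purchase/deployment cost
    annual_cost: float   # recurring licensing/operations cost
    residual_aro: float  # expected ARO once the control is in place


def first_year_cost(control: Control) -> float:
    return control.upfront_cost + control.annual_cost


def control_verdict(risk: QuantRisk, control: Control, close_band: float = 0.20) -> str:
    """Rule of thumb from the text. The 20% 'relatively close' band is an assumption."""
    cost, ale = first_year_cost(control), risk.ale
    if cost < ale:
        return "justified"
    if cost > ale * (1 + close_band):
        return "not justified"
    return "evaluate long-term ROI"


def residual_ale(risk: QuantRisk, control: Control) -> float:
    """ALE remaining after the control: the residual risk that management accepts."""
    return risk.sle * control.residual_aro


def multi_year_roi(risk: QuantRisk, control: Control, years: int) -> float:
    """Net benefit over `years`: avoided losses minus total cost of ownership."""
    avoided = (risk.ale - residual_ale(risk, control)) * years
    total_cost = control.upfront_cost + control.annual_cost * years
    return avoided - total_cost


# Constructed sample: ransomware on a file server; every figure is hypothetical.
RANSOMWARE = QuantRisk("ransomware on file server", sle=50_000, aro=0.5)  # ALE = 25,000
CONTROLS = [
    Control("EDR subscription", upfront_cost=0, annual_cost=10_000, residual_aro=0.1),
    Control("immutable backup appliance", upfront_cost=24_000, annual_cost=2_000, residual_aro=0.05),
    Control("full network rebuild", upfront_cost=60_000, annual_cost=5_000, residual_aro=0.02),
]

if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name}: {control_verdict(RANSOMWARE, c)}; "
              f"5-year ROI = {multi_year_roi(RANSOMWARE, c, 5):,.0f}")
```

Note that the backup appliance fails the first-year comparison (26,000 against an ALE of 25,000) yet shows a positive five-year ROI once its one-time cost is spread over the period, which is exactly the case the text says must be evaluated rather than decided by the rule of thumb alone.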
Many organizations designate a computer incident response team (CIRT or IRT) to respond to incidents. It’s important to know the concepts related to incident response. The SSCP exam outline lists the phases of the incident response lifecycle as (1) preparation; (2) detection, analysis, and escalation; (3) containment; (4) eradication; (5) recovery; and (6) lessons learned/implementation of new countermeasures.