Risk assessments are used to identify and quantify risks. They do this by identifying threats and vulnerabilities and then applying an assessment methodology to prioritize the risks. Once the risks are quantified, controls and safeguards can be identified, and the assessment can also be used to select the best controls to implement.
The two primary risk assessment methods are quantitative and qualitative. A quantitative risk assessment is used when historical data is readily available. This data can be used to derive the annualized loss expectancy (ALE) from the single loss expectancy (SLE) and the annual rate of occurrence (ARO): ALE = SLE × ARO. A qualitative risk assessment uses the opinions of experts. It has no predefined formulas but instead requires that a scale be created, such as low, medium, and high. The quantitative risk assessment provides a cost-benefit analysis (CBA). The qualitative risk assessment, on the other hand, can be completed more quickly.
_______ describes the loss that will happen to the asset as a result of the threat, which is expressed as a percentage value.
Risk assessments are a static process.
True
False
A _______ risk assessment uses SLE.
What elements are included in a qualitative analysis?
SLE, ALE, and ARO
ALE, ARO, and ARP
Probability and impact
Threats and vulnerabilities
What elements are included in a quantitative analysis?
SLE, ALE, and ARO
ALE, ARO, and ARP
Probability and impact
Threats and vulnerabilities
Qualitative analysis is less time-consuming than quantitative analysis.
True
False
A primary benefit of a _______ risk assessment is that it can be completed more quickly than other methods.
A primary benefit of a _______ risk assessment is that it includes details for a cost-benefit analysis.
What must be defined when performing a qualitative risk assessment?
Formulas used for ALE
Scales used to define probability and impact
Scales used to define SLE and ALE
Acceptable levels of risk
A _______ risk assessment is objective. It uses data that can be verified.
A _______ risk assessment is subjective. It relies on the opinions of experts.
One of the challenges facing risk assessments is getting accurate data. What can be included in the risk assessment report to give an indication of the reliability of the data?
Probability statement
Accuracy scale
Validity level
Uncertainty level
An IT security team leader is working on a qualitative risk assessment for her company. She is thinking about the final report. What should the IT security team leader consider when providing the results and recommendations? (Select two.)
Resource allocation
Risk acceptance
SLE and ARO
SLE and ALE
Of the following, what would be considered a best practice when performing risk assessments?