Deck 9: Risk Management: Controlling Risk
1
Asset valuation does NOT have to consider the value of information to adversaries or loss of revenue while information assets are unavailable.
False
2
Communicating new or revised policy to employees is adequate to assure compliance.
False
3
Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.
False
4
Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack._________________________
5
According to the Microsoft Risk Management Approach, risk management is not a stand-alone subject and should be part of a general governance program to allow the organization's management to evaluate the organization's operations and make better, more informed decisions.
6
Organizations can establish a competitive business model, method, or technique allowing it to provide a product or service that is superior in some way creating competitive disadvantage._________________________
7
Risks can be avoided by countering the threats that an asset faces.
8
Corporations that previously used IT systems to gain a competitive advantage now are faced with competitive disadvantage if they fail to keep up with changes in technology.
9
The final choice of a risk control strategy may call for a balanced mixture of controls that provides the greatest value for as many asset-threat pairs as possible.
10
Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.
11
Common sense dictates that an organization should spend more to protect an asset than its value.
12
OCTAVE is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
13
A system's exploitable vulnerabilities are usually determined after the system is designed.
14
Avoidance of risk is accomplished through the application of procedures, training and education and the implementation of technical security controls and safeguards._________________________
15
In Risk Management is asset valuation, as it is relatively easy to determine accurately the true value of information and information-bearing assets.
16
The goal of information security is to bring residual risk to zero.
17
The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.
18
Residual risk is also known as risk tolerance and is the amount of risk organizations are willing to accept after all reasonable controls have been implemented.
19
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low.
20
Mitigation of risk involves applying safeguards that eliminate or reduce the remaining uncontrolled risks._________________________
21
Step-by-step rules to regain normalcy are covered by which of the following plans in the mitigation control approach?
A) Incident response plan
B) Business continuity plan
C) Disaster recovery plan
D) Damage control plan
22
Behavioral feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders._________________________
23
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility._________________________
24
Which of the following is not an example of a disaster recovery plan?
A) Data recovery procedures
B) Reestablishment of lost service procedures
C) Information gathering procedures
D) Shut down procedures
25
An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach.
A) avoidance
B) mitigation
C) transference
D) acceptance
26
The goal of information security is to bring residual risk in line with an organization's risk appetite._________________________
27
When the attacker's potential gain is greater than the costs of attack, you should apply protections to increase the attacker's cost or reduce the attacker's gain, by using technical or managerial controls._________________________
28
Mitigation depends on the ability to detect and respond to an attack as quickly as possible._________________________
29
Application of training and education is a technique of the ____ control strategy.
A) mitigation
B) avoidance
C) acceptance
D) transference
30
The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?
A) Determined the level of risk posed to the information asset
B) Performed a thorough cost-benefit analysis
C) Determined that the particular function, service, information, or asset did justify the cost of additional protection
D) Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
31
Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard._________________________
32
An alternate set of possible risk control strategies includes all but which of the following?
A) Self-protection: Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
B) Self-insurance: Understanding the consequences and accepting the risk without control or mitigation
C) Avoidance: Avoiding certain activities because the risk is too great compared to the benefits
D) Obscurity: Hiding critical security assets in order to protect them from attack
33
Reducing the impact of a successful attack on an organization's system falls under the ____ risk control strategy.
A) acceptance
B) mitigation
C) transference
D) avoidance
34
Asset evaluation is the process of assigning financial worth to each information asset._________________________
35
When a vulnerability (flaw or weakness) exists, you should implement security policies to reduce the likelihood of a vulnerability being exercised._________________________
36
Which of the following describes an organization's efforts to reduce damage caused by the exploitation of a vulnerability?
A) Acceptance
B) Avoidance
C) Transference
D) Mitigation
37
Which of the following plans would not be considered a mitigation control approach?
A) Incident response plan
B) Acceptance plan
C) Disaster recovery plan
D) Business continuity plan
38
The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users._________________________
39
The Microsoft Risk Management Approach includes four phases: assessing risk, conducting decision support, implementing controls and measuring program effectiveness._________________________
40
When you establish one control, you increase the risk associated with all subsequent control evaluations._________________________
41
____ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.
A) Organizational
B) Political
C) Technical
D) Operational
42
____ feasibility evaluates how proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization.
A) Operational
B) Organizational
C) Technical
D) Political
43
Asset valuation must account for value _____.
A) from providing the information
B) acquired from the cost of protecting the asset
C) of intellectual property
D) All of these
44
Which of the following is NOT an alternative to cost-benefit analyses?
A) Benchmarking
B) Due care/due diligence
C) Baselining
D) ISO 17799 based controls
45
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
A) Assessing risk
B) Implementing controls
C) Building executive consensus
D) Measuring program effectiveness
46
The ____ is the indication of how often you expect a specific type of attack to occur.
A) SLE
B) ALE
C) CBA
D) ARO
47
Which of the following is NOT among the items that affect the cost of a control?
A) Training fees
B) Service costs
C) Asset resell costs
D) Maintenance costs
48
Unlike other risk management frameworks, FAIR relies on the ____ assessment of many risk components using scales with value ranges, for example very high to very low.
A) qualitative
B) quantitative
C) risk
D) calculated
49
____ feasibility examines whether the organization has access to the technology necessary to manage control alternatives.
A) Political
B) Operational
C) Technical
D) Organizational
50
The four categories of controlling risk include avoidance, mitigation, transference and _____.
A) inference
B) investigation
C) deterrence
D) acceptance
51
A cost-benefit analysis is calculated by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy.
A) annualized cost of the safeguard
B) exposure factor
C) annualized rate of occurrence
D) asset value
52
____ feasibility is also referred to as behavioral feasibility.
A) Operational
B) Organizational
C) Political
D) Technical
53
In a cost-benefit analysis, the ____ is the value to the organization of using controls to prevent losses associated with a specific vulnerability.
A) cost
B) benefit
C) loss expectancy
D) asset value
54
Management consultants Tom Peters and Robert Waterman assert that one of the eight characteristics of excellent organizations is that they "stick to their knitting", which means ____.
A) branching into the textile industry
B) staying reasonably close to the business they know
C) they outsource their information security functions
D) they must hire other organizations to perform all electronic commerce services
55
The ____ is the calculation of the value associated with the most likely loss from an attack.
A) SLE
B) ALE
C) CBA
D) ARO
56
____ is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.
A) Residual risk
B) Risk appetite
C) Risk assurance
D) Risk management
57
____ is the process of assigning financial value or worth to each information component.
A) Asset valuation
B) Cost-benefit analysis
C) Auditing
D) Accountability
58
The annualized loss expectancy equals the single loss expectancy times ____.
A) annualized cost of the safeguard
B) exposure factor
C) annualized rate of occurrence
D) asset value
59
A single loss expectancy is calculated by multiplying the asset value by the ____.
A) annualized cost of the safeguard
B) exposure factor
C) annualized rate of occurrence
D) asset value
60
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
A) When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
B) When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
C) When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or negate the attacker's gain, by using technical or operational controls.
D) When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
61
Some information assets acquire value over time that is beyond their ____ value (the essential worth of the asset). This higher acquired value is the more appropriate value in most cases.
A) extrinsic
B) intrinsic
C) evaluated
D) estimated
62
____ is the choice to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.
A) Avoidance
B) Acceptance
C) Mitigation
D) Risk tolerance
63
Select the list of mitigation strategies in terms of timeframe from most immediate to longest-term:
A) CBA - SLE - ARO
B) CBA - ALE - SLE
C) IR - DR - BC
D) IR - BC - DR
64
At a minimum, each information asset-threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
A) risk management plan
B) documented control strategy
C) asset valuation
D) cost-benefit analysis
65
A more granular approach to asset valuation, the ____ assessment, tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures, and uses scales rather than specific estimates.
A) Delphi
B) hybrid
C) cost-benefit analysis
D) qualitative
66
In the Cost-Benefit Analysis Formula presented in the text, ACS stands for ____.
A) actual cost of security
B) annualized cost of security
C) alternate control strategy
D) annualized cost of the safeguard
67
The Annualized Loss Expectancy in the CBA formula is determined as ____.
A) ALE * ARO
B) SLE * ARO
C) ACS - SLE(post)
D) AV * EF
68
Some organizations document the outcome of the control strategy for each information asset-threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual.
A) risk management plan
B) control strategy
C) cost-benefit analysis
D) action plan
69
The ____ technique, named for the Greek mythological oracle which predicted the future, is a process whereby a group rates or ranks a set of information.
A) Euripides
B) Artemis
C) Aesop
D) Delphi
70
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any ____ organization would do in similar circumstances.
A) hybrid
B) modern
C) prudent
D) benchmarking
71
In the Cost-Benefit Analysis Formula presented in the text, ALE is calculated by ____.
A) SLE * ARO
B) SLE * ACS
C) SLE(prior) - SLE(post)
D) asset value times exposure factor
72
____ is the money saved by avoiding, via the implementation of a control, the financial ramifications of an incident.
A) Cost - Benefit Analysis
B) Cost avoidance
C) Economic feasibility
D) Financial acceptance
73
Residual risk is a combined function of all but which of the following?
A) A threat less the effect of threat-reducing safeguards
B) A vulnerability less the effect of vulnerability-reducing safeguards
C) An asset less the effect of asset value-reducing safeguards
D) Residual risk less a factor of error
74
____ is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset.
A) Risk
B) Asset value
C) Cost
D) Benefit
75
If, during a risk-handling evaluation, the organization determines that there is a valid threat source and the system is vulnerable to attack, then ____.
A) risk of loss exists
B) risk can be accepted
C) the system is exploitable
D) unacceptable risk must be controlled
76
One of the most common methods of obtaining user acceptance and support is via ____.
A) cost-benefit analysis
B) user involvement
C) user acceptance
D) behavioral feasibility
77
Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.
A) budgeted
B) updated
C) monitored and measured
D) evaluated and funded
78
Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
A) cost avoidance
B) risk
C) economic and non-economic
D) feasibility
79
If the organization has information assets totaling 1 million dollars, how much should the organization spend to protect them?
A) $10,000
B) $100,000
C) 1 million dollars
D) an appropriate amount determined through an effective cost-benefit analysis
80
ISO ____ is the ISO standard for the performance of risk management, and includes a five-stage risk management methodology.
A) 27001
B) 27002
C) 27004
D) 27005