
Management of Information Security

5th Edition Whitman Test Bank

Name: Class: Date:

Chapter 07 - Risk Management: Controlling Risk


1. Risks can be avoided by countering the threats facing an asset or by eliminating the exposure of an asset.
a. True
b. False
ANSWER: True

2. The defense risk control strategy may be accomplished by outsourcing to other organizations.
a. True
b. False
ANSWER: False

3. The criterion most commonly used when evaluating a strategy to implement InfoSec controls and safeguards is
economic feasibility.
a. True
b. False
ANSWER: True

4. Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using
scales with value ranges.
a. True
b. False
ANSWER: True

5. The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them
are risk treatment and risk communication.
a. True
b. False
ANSWER: True

6. The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards is the protect risk control strategy, also known as the avoidance strategy. ____________
ANSWER: False - defense

7. A benchmark is derived by comparing measured actual performance against established standards for the measured category. ____________
ANSWER: False - baseline

8. The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack
through effective contingency planning and preparation is known as the mitigation risk control strategy. ____________
ANSWER: True

9. The risk control strategy that attempts to shift risk to other assets, other processes, or other organizations is known as the defense risk control strategy. ____________
ANSWER: False - transference


Copyright Cengage Learning. Powered by Cognero. Page 1

10. An examination of how well a particular solution is supportable given the organization’s current technological
infrastructure and resources, which include hardware, software, networking, and personnel is known as
operational feasibility. ____________
ANSWER: False - technical

11. The risk control strategy that indicates the organization is willing to accept the current level of risk and, as a result, makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation is known as the termination risk control strategy.
ANSWER: False - acceptance

12. Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures
needed for a particular security control, contrasted with its projected value to the organization is known as cost–benefit
analysis (CBA). ____________
ANSWER: True

13. The risk control strategy that eliminates all risk associated with an information asset by removing it from service is
known as the termination risk control strategy.
ANSWER: True

14. Due care and due diligence occur when an organization adopts a certain minimum level of security—that is, what any
prudent organization would do in similar circumstances. ____________
ANSWER: True

15. In a cost–benefit analysis, the expected frequency of an attack, expressed on a per-year basis is known as
the annualized risk of occurrence. ____________
ANSWER: False - rate

16. Application of training and education is a common method of which risk control strategy?
a. mitigation
b. defense
c. acceptance
d. transferal
ANSWER: b

17. Which of the following describes an organization’s efforts to reduce damage caused by a realized incident or disaster?
a. acceptance
b. avoidance
c. transference
d. mitigation
ANSWER: d

18. Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?
a. incident response plan
b. business continuity plan
c. disaster recovery plan
d. damage control plan
ANSWER: a

19. The only use of the acceptance strategy that is recognized as valid by industry practices occurs when the organization has done all but which of the following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are much lower than the benefit gained from the information asset
d. Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
ANSWER: c

20. Which of the following can be described as the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility?
a. residual risk
b. risk appetite
c. risk assurance
d. risk termination
ANSWER: b

21. Which of the following is NOT a valid rule of thumb on risk control strategy selection?
a. When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
c. When the attacker’s potential gain is less than the costs of attack: Apply protections to decrease the attacker’s cost or reduce the attacker’s gain, by using technical or operational controls.
d. When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
ANSWER: c

22. Which of the following affects the cost of a control?
a. liability insurance
b. CBA report
c. asset resale
d. maintenance
ANSWER: d

23. By multiplying the asset value by the exposure factor, you can calculate which of the following?
a. annualized cost of the safeguard
b. single loss expectancy
c. value to adversaries
d. annualized loss expectancy
ANSWER: b

24. What is the result of subtracting the post-control annualized loss expectancy and the ACS from the pre-control annualized loss expectancy?
a. cost-benefit analysis
b. exposure factor
c. single loss expectancy
d. annualized rate of occurrence
ANSWER: a

25. Which of the following determines acceptable practices based on consensus and relationships among the communities of interest?
a. organizational feasibility
b. political feasibility
c. technical feasibility
d. operational feasibility
ANSWER: b

26. The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
a. conducting decision support
b. implementing controls
c. evaluating alternative strategies
d. measuring program effectiveness
ANSWER: c

27. What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
a. qualitative assessment of many risk components
b. quantitative valuation of safeguards
c. subjective prioritization of controls
d. risk analysis estimates
ANSWER: a

28. In which technique does a group rate or rank a set of information, compile the results, and repeat until everyone is satisfied with the result?
a. OCTAVE
b. FAIR
c. Hybrid Measures
d. Delphi
ANSWER: d

29. Once a control strategy has been selected and implemented, what should be done on an ongoing basis to determine its effectiveness and to estimate the remaining risk?
a. analysis and adjustment
b. review and reapplication
c. monitoring and measurement
d. evaluation and funding
ANSWER: c

30. Which of the following is not a step in the FAIR risk management framework?
a. identify scenario components
b. evaluate loss event frequency
c. assess control impact
d. derive and articulate risk
ANSWER: c

31. What should each information asset–threat pair have at a minimum that clearly identifies any residual risk that remains after the proposed strategy has been executed?
a. probability calculation
b. documented control strategy
c. risk acceptance plan
d. mitigation plan
ANSWER: b

32. Which of the following describes the financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident?
a. feasibility analysis
b. asset valuation
c. cost avoidance
d. cost-benefit analysis
ANSWER: c

33. Which of the following is NOT an alternative to using CBA to justify risk controls?
a. benchmarking
b. due care and due diligence
c. selective risk avoidance
d. the gold standard
ANSWER: c

34. The ISO 27005 Standard for Information Security Risk Management includes five stages including all but which of the following?
a. risk assessment
b. risk treatment
c. risk communication
d. risk determination
ANSWER: d

35. The NIST risk management approach includes all but which of the following elements?
a. inform
b. assess
c. frame
d. respond
ANSWER: a

36. The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans
is ____________________ .
ANSWER: mitigation
mitigate

37. The ____________________ risk control strategy attempts to shift the risk to other assets, processes, or
organizations.
ANSWER: transference
transfer

38. To keep up with the competition, organizations must design and create a ____________ environment in which business processes and procedures can function and evolve effectively.
ANSWER: secure

39. The goal of InfoSec is not to bring residual risk to zero; rather, it is to bring residual risk in line with an organization’s
risk ___________.
ANSWER: appetite

40. When a vulnerability (flaw or weakness) exists in an important asset, implement security controls to reduce the
likelihood of a vulnerability being ___________.
ANSWER: exploited

41. Briefly describe the five basic strategies to control risk that result from vulnerabilities.
ANSWER:
Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
Transference—Shifting risks to other areas or to outside entities
Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly
acknowledging the risk that remains without an attempt at control
Termination—Removing or discontinuing the information asset from the organization’s operating
environment

42. Discuss three alternatives to feasibility analysis.
ANSWER:
- Benchmarking is the process of seeking out and studying the practices used in other organizations that produce the results you desire in your organization. When benchmarking, an organization typically uses either metrics-based or process-based measures.
- Due care and due diligence occur when an organization adopts a certain minimum level of security as what any prudent organization would do in similar circumstances.
- Best business practices are considered those thought to be among the best in the industry, balancing the need to access information with adequate protection.
- The gold standard is for those ambitious organizations in which the best business practices are not sufficient. They aspire to set the standard for their industry, and are thus said to be in pursuit of the gold standard.
- Government recommendations and best practices are useful for organizations that operate in industries regulated by governmental agencies. Government recommendations, which are, in effect, requirements, can also serve as excellent sources for information about what some organizations may be doing, or are required to do, to control information security risks.
- A baseline is derived by comparing measured actual performance against established standards for the measured category.

43. Explain two practical guidelines to follow in risk control strategy selection.
ANSWER:
- When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the likelihood of a vulnerability being exercised.
- When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
- When the attacker’s potential gain is greater than the costs of attack: Apply protections to increase the attacker’s cost, or reduce the attacker’s gain, by using technical or managerial controls.
- When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.

44. Once an organization has estimated the worth of various assets, what three questions must be asked to calculate the
potential loss from the successful exploitation of a vulnerability?
ANSWER: What damage could occur, and what financial impact would it have?
What would it cost to recover from the attack, in addition to the financial impact of damage?
What is the single loss expectancy for each risk?

45. What does the result of a CBA determine? What is the formula for the CBA?
ANSWER: The CBA determines whether the benefit from a control alternative is worth the associated
cost of implementing and maintaining the control.
The formula for calculating the CBA is:
CBA = ALE (precontrol) - ALE (postcontrol) - ACS
where
ALE (precontrol) = ALE of the risk before the implementation of the control
ALE (postcontrol) = ALE examined after the control has been in place for a period of time
ACS = annual cost of the safeguard

46. Describe operational feasibility.
ANSWER: Operational feasibility refers to user acceptance and support, management acceptance and support, and the system’s compatibility with the requirements of the organization’s stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail.

47. Describe the use of hybrid assessment to create a quantitative assessment of asset value.
ANSWER: The hybrid assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures. Hybrid assessment uses scales rather than specific estimates. For example, a scale might range from 0, representing no chance of occurrence, to 10, representing almost certain occurrence.

48. What is the OCTAVE method approach to risk management?
ANSWER: The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method, is an InfoSec risk
evaluation methodology that allows organizations to balance the protection of critical information assets
against the costs of providing protective and detection controls. This process can enable an organization to
measure itself against known or accepted good security practices and then establish an organization-wide
protection strategy and InfoSec risk mitigation plan.

49. What are the four phases of the Microsoft risk management strategy?
ANSWER: 1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness

50. What are the four stages of a basic FAIR analysis?
ANSWER:
Stage 1—Identify Scenario Components
Stage 2—Evaluate Loss Event Frequency (LEF)
Stage 3—Evaluate Probable Loss Magnitude (PLM)
Stage 4—Derive and Articulate Risk

a. defense risk control strategy
b. mitigation risk control strategy
c. acceptance risk control strategy
d. termination risk control strategy
e. risk appetite
f. cost-benefit analysis
g. cost avoidance
h. asset valuation
i. organizational feasibility
j. single loss expectancy

51. The formal assessment and presentation of the economic expenditures needed for a particular security control,
contrasted with its projected value to the organization.
ANSWER: f

52. A risk control strategy that indicates the organization is willing to accept the current level of risk and that the
organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome
from any resulting exploitation.
ANSWER: c

53. A risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of
additional controls and safeguards.
ANSWER: a

54. A process of assigning financial value or worth to each information asset.
ANSWER: h

55. The quantity and nature of risk that organizations are willing to accept.
ANSWER: e

56. An examination of how well a particular solution fits within the organization’s strategic planning objectives and goals.
ANSWER: i

57. A risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack
through effective contingency planning and preparation.
ANSWER: b

58. The calculated value associated with the most likely loss from a single attack.
ANSWER: j

59. The financial savings from using the defense risk control strategy to implement a control and eliminate the financial
ramifications of an incident.
ANSWER: g

60. A risk control strategy that eliminates all risk associated with an information asset by removing it from service.
ANSWER: d
