Question

QUESTION 1

According to McGraw, which of the following are correct?

a.

Risk management refers to the activity of performing a number of discrete risk analysis exercises, tracking risks throughout development, and strategically mitigating risks

b.

Risk analysis is a natural way to tie technology issues and concerns to the business

c.

Risk analysis refers to the activity of identifying and ranking risks at some particular stage in the software development lifecycle.

d.

Risk management refers to the activity of identifying and ranking risks at some particular stage in the software development lifecycle.

QUESTION 2

To conduct risk analysis, one must learn as much as possible about the target of analysis.

True

False

QUESTION 3

Which of the following is (are) true:

a.

Risk is the probability that an asset will suffer an event of a given negative impact

b.

a security risk is high if the attacker motivation is high

c.

a risk is equivalent to a vulnerability in a system

d.

Risk = probability x impact

QUESTION 4

According to McGraw, a threat is

a.

the actor or agent who is the source of danger

b.

a risk

c.

a vulnerability

d.

a bug in the program

QUESTION 5

Countermeasures for security include:

a.

management controls

b.

operational controls

c.

technical controls

d.

None of the above.

QUESTION 6

Why is a forest-level overview of the target system necessary for design-level risk analysis?

a.

It helps everyone involved in the project to understand what’s going on.

b.

It describes the interaction of various critical components in a design.

c.

It allows analysts to understand low-level design details.

d.

It allows one to see the big picture of the system.

QUESTION 7

Why should you be careful when you use ROSI (return on security investment) to determine whether a given countermeasure is cost-effective?

a.

security is more like insurance than it is like some kind of investment.

b.

investment on security will always increase the company’s profits

c.

ROSI does not always hit a “big payoff”

d.

None of the above.

QUESTION 8

Software risk analysis should be performed on a component-by-component, tier-by-tier, environment-by-environment level and should apply the principles of measuring threats, risks, vulnerabilities, and impacts at all of these levels.

True

False

QUESTION 9

Match the following methods with their explanation:

SecureUML

UMLsec

Sindre and Opdahl

A.

A methodology for modeling access control policies and their integration into a model-driven software development process.

B.

An extension of UML to include modeling of security-related features, such as confidentiality and access control

C.

Model abuse cases as a way of understanding how an application might respond to threats and to describe functions that the system should not allow

QUESTION 10

Match the following business impacts of risks to the three broad categories: (1) legal and/or regulatory risk; (2) Financial or commercial considerations; (3) Contractual considerations

federal or state laws and regulations compliance

preservation of brand and reputation

avoidance of liability

A.

Legal and/or regulatory risk

B.

Financial or commercial considerations

C.

Contractual considerations

QUESTION 11

The security requirements process should not be driven by risk.

True

False

QUESTION 12

Risk analysis involves

a.

discussing security issues surrounding the software

b.

ranking risks

c.

producing software requirement and design

d.

developing a mitigation strategy

e.

determining probability of compromise

f.

performing impact analysis

QUESTION 13

Which of the following requirements should be classed into the “must-haves” category?

the controls that are needed based on probability and impact.

the controls that are not required for the system but they would be a great addition if added.

the required controls according to the laws and regulations that have been set forth.

all of the above

QUESTION 14

Match the following steps of the touchpoint process of “architectural risk analysis” with their explanations:

Attack resistance analysis

Ambiguity analysis

Weakness analysis

A.

Captures the checklist-like approach to risk analysis taken in Microsoft's STRIDE approach.

B.

It takes advantage of the multiple points of view of experienced analysts to uncover ambiguity and inconsistency, identify downstream difficulty, and unravel convolution.

C.

Understands the impact of external software dependencies and uncovers weaknesses that arise by counting on outside software.

Explanation / Answer

Q1. Answer is b and c

He uses the term risk analysis, which is in the given option c

Q2 true

Q3 all are correct

Option c explanation

If the vulnerabilities of a system are viewed only at a certain point, then it is equivalent to risk.

Q4. Option a

Threat is the actor or agent...

Q5. Option a, b and c

Q6 all

Q7 a, b and c

Q8 true

Q9 SecureUML - a methodology...

UMLsec - an extension...

Sindre and Opdahl - model abuse...

Q10 avoidance of liability - legal and/or regulatory

preservation of brand and reputation - contractual

federal or state laws - financial or commercial

Q11. False

Risk management is one of the most important aspects of the security requirements domain.

Q12. all

Q13 all

Q14 Answer is

Attack resistance analysis- capture the checklist...

Ambiguity analysis - it takes advantage of the multiple...

Weakness analysis - understands the impact of external...
