WEEK 1 ESSAY QUESTIONS
Question
Instructions: Answer all questions in a single document. Then submit to the appropriate assignment folder. Each response to a single essay question should be about a half-page in length (about 150 words).

1. In this week's readings, you learned about two methods of risk analysis: quantitative assessment and qualitative assessment. Explain the steps taken to assess a risk from a quantitative perspective where monetary and numeric values are assigned and discuss the formulas used to quantify risk. Then, explain the methods used to assess risk from a qualitative perspective where intangible values are evaluated such as the seriousness of the risk or ramifications to the reputation of the company.

2. Domain 1 introduced numerous security terms that are used in assessing risk. Please define the terms vulnerability, threat, threat agent, risk, exposure and control. Then, describe the three different control types and give examples for each.

3. After you've conducted your risk assessment and determined the amount of total and residual risk, you must decide how to handle it. Describe the four basic ways of handling risk.

Please provide citations in APA format (they will check for plagiarism).
Explanation / Answer
A situation involving exposure to danger, harm or loss is considered a risk. The process of defining and analyzing the dangers, harms or losses to individuals, businesses and/or governments is risk analysis. Risk analysis is often conducted in two different ways: qualitative assessment and quantitative assessment.
Qualitative Risk Assessment:
This kind of risk analysis is most often used for decision making by capitalists relying on their judgment, experience and intuition. These methods can be used whenever the level of risk is low and does not warrant the time and resources necessary for a full analysis, and also when the numerical data available are not adequate for a more quantitative analysis; in that case they serve as the basis for a subsequent and more detailed analysis of the capitalists' global risk. The qualitative methods include brainstorming, questionnaires and structured interviews, evaluation by multidisciplinary groups, and the judgment of specialists and experts (Delphi technique).
After conducting qualitative risk analysis, we have a list of risks with priority and urgency assigned. By using Expected Monetary Value, we can quantify each risk to determine whether the qualitative analysis is backed by numbers.
To calculate the Expected Monetary Value, we need to assign a probability of occurrence for the risk and a monetary value for the impact of the risk when it occurs. The value you get after multiplying them is the Expected Monetary Value. This value is positive for opportunities (positive risks) and negative for threats (negative risks).
Expected Monetary Value (EMV) = probability of occurrence of the risk × monetary value of the impact of the risk when it occurs.
Quantitative Risk Assessment:
This kind of risk analysis is used whenever it is possible to assign values of occurrence to the various risks identified in order to calculate the level of risk. These methods include analysis of likelihood, analysis of consequences and computer simulation.
Past reviews of quantitative approaches for benefit and harm assessment have not organized the approaches according to the important characteristics of those approaches. Quantitative approaches can be based on primary datasets, where investigators had control over study design, outcome selection, and individual patient data.
Benefit Less Risk Analysis combines benefit and harm into a single metric, and is designed primarily for clinical trials. This type of analysis presents the relationship between benefit and risk as risk subtracted from benefit. Benefit Less Risk Analysis thus allows for statistical testing of comparisons between treatment groups and can consider preferences, expressing the relative importance of benefit and harm outcomes.
Describe and document the information handled by the system, and identify the overall system security level. The classification levels and the categories assigned to different types of information should correspond to the information classification designations, and information security levels and designations should be part of the information security policy.
Identify threats that could exploit system vulnerabilities. Refer to the threat identification resource for possible environmental, physical, human, natural, and technical threats. Using the output, consider the connections, dependencies, inherited risks and controls.
Consider the potential vulnerabilities associated with each threat, to produce a threat/vulnerability pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, industry and government listings, etc.
Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of the impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat/vulnerability and the risk to the system. These three system controls are System Administrator, Technical Reviewer and System Technical Owner.
There are four ways we can handle the identified risk, as described below; these decisions have a number of impacts on time, money and resources.
Accept:
Accepting the risk is a business decision that reflects the level of acceptable risk, or the willingness of the organization to assume the risk. In many instances the risks identified are insignificant to the organizational risk portfolio, and thus can truly be accepted, assuming the organization has an Enterprise Risk Management (ERM) structure.
Avoid:
Avoiding risk means we are going to do nothing with the identified risks. How does this differ from accepting risk? When we accept the risk, we are actually doing something: we have chosen to accept the risk and the impacts of that decision, right or wrong. Organizations and industry segments that decide to avoid risks usually introduce government oversight to reduce the risk.
Mitigate:
It may be cost-prohibitive to reduce all risks; certainly, based on the level of acceptable risk, the remaining risks should be mitigated. Mitigating risk means reducing risks by implementing controls, fixes or other countermeasures that have a direct effect on the risks identified.
Residual risk is the risk remaining after the mitigated portion of the identified risks is removed. By focusing on residual risk, we can make more informed business decisions, specifically about the cost of mitigating and the benefits gained from these controls.
Residual Risk = Identified Risk – Mitigated Risk Controls
Transfer:
Many organizations are turning towards transferring risk as an alternative to the options above. Transferring risk can take various forms, including cyber liability insurance and outsourced services. However, in many instances, some residual risk remains.
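To make the two formulas in the answer above concrete (EMV = probability × impact, and Residual Risk = Identified Risk − Mitigated Risk), here is an added worked example in Python. It is not part of the original answer or of the course readings. The risk register, probabilities, impacts and control figures are constructed for illustration; modelling a control as separate fractional reductions of probability and impact, and the net-benefit rule (benefit gained minus control cost), are assumptions of this example rather than formulas from the page.

```python
"""EMV-based risk register: prioritise risks, then compare the cost of a
control against the risk it mitigates, leaving the residual risk.

All figures below are constructed for illustration (assumptions).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float         # chance of occurrence in the period, 0..1
    impact: float              # monetary size of the impact if it occurs (positive number)
    opportunity: bool = False  # True for a positive risk, False for a threat


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    probability_reduction: float    # fraction of the probability removed, 0..1 (assumed model)
    impact_reduction: float = 0.0   # fraction of the impact removed, 0..1 (assumed model)


def emv(risk: Risk) -> float:
    """EMV = probability of occurrence x monetary impact, signed as in the answer:
    positive for opportunities, negative for threats."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1]")
    value = risk.probability * risk.impact
    return value if risk.opportunity else -value


def apply_control(risk: Risk, control: Control) -> Risk:
    """Return the threat as it looks with the control in place (assumed model:
    the control scales down probability and/or impact by fixed fractions)."""
    if risk.opportunity:
        raise ValueError(f"{risk.name}: this example models controls for threats only")
    for factor in (control.probability_reduction, control.impact_reduction):
        if not 0.0 <= factor <= 1.0:
            raise ValueError(f"{control.name}: reduction factors must be in [0, 1]")
    return replace(
        risk,
        probability=risk.probability * (1.0 - control.probability_reduction),
        impact=risk.impact * (1.0 - control.impact_reduction),
    )


def residual_risk(risk: Risk, control: Control) -> float:
    """Residual Risk = Identified Risk - Mitigated Risk, expressed as the EMV left over."""
    return emv(apply_control(risk, control))


def mitigated_risk(risk: Risk, control: Control) -> float:
    """The portion of the identified risk (expected loss) the control removes."""
    return abs(emv(risk) - residual_risk(risk, control))


def net_benefit(risk: Risk, control: Control) -> float:
    """Benefit gained from the control minus its cost; > 0 means mitigating pays
    for itself, <= 0 suggests accepting or transferring the risk instead."""
    return mitigated_risk(risk, control) - control.annual_cost


def rank_by_emv(risks):
    """Priority order: largest expected loss first, opportunities last."""
    return [r.name for r in sorted(risks, key=emv)]


# Constructed sample register (illustrative assumptions, not figures from the page).
RANSOMWARE = Risk("Ransomware on file server", probability=0.20, impact=250_000)
LAPTOP_THEFT = Risk("Unencrypted laptop stolen", probability=0.50, impact=8_000)
EARLY_DISCOUNT = Risk("Vendor early-renewal discount", probability=0.30, impact=40_000,
                      opportunity=True)

BACKUPS_AND_EDR = Control("Offline backups + EDR", annual_cost=30_000,
                          probability_reduction=0.5, impact_reduction=0.6)
DISK_ENCRYPTION = Control("Full-disk encryption", annual_cost=5_000,
                          probability_reduction=0.0, impact_reduction=0.75)

if __name__ == "__main__":
    print("Priority:", rank_by_emv([RANSOMWARE, LAPTOP_THEFT, EARLY_DISCOUNT]))
    for risk, control in ((RANSOMWARE, BACKUPS_AND_EDR), (LAPTOP_THEFT, DISK_ENCRYPTION)):
        print(f"{risk.name}: EMV {emv(risk):,.0f}, "
              f"residual {residual_risk(risk, control):,.0f}, "
              f"net benefit of '{control.name}' {net_benefit(risk, control):,.0f}")
```

With these sample figures the ransomware control removes 40,000 of a 50,000 expected loss for a 30,000 cost, so mitigation is justified and 10,000 of residual risk remains; the laptop control removes only 3,000 of expected loss for a 5,000 cost, which is the kind of result that pushes a decision towards accepting or transferring the risk rather than mitigating it.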