What is risk in information security?
The potential for loss or damage when a threat exploits a vulnerability, affecting the confidentiality, integrity, or availability of assets.
Formula: Risk = Likelihood × Impact
What does likelihood represent in risk analysis?
The probability or frequency that a threat will successfully exploit a vulnerability — how probable an incident is.
What does impact mean in information security?
The magnitude of adverse consequences when a threat materializes — how severe the effect is on confidentiality, integrity, or availability.
Define vulnerability in cybersecurity.
A weakness or flaw in systems, processes, or controls that could be exploited by a threat.
Examples: unpatched software, misconfigured systems, weak authentication.
What is a threat?
A potential cause of an unwanted incident that may exploit a vulnerability — e.g., hackers, malware, insider misuse, or natural disasters.
What does the CIA triad represent?
The three pillars of information security:
Confidentiality — only authorized access
Integrity — accuracy and completeness
Availability — timely and reliable access
How is confidentiality ensured?
By protecting data from unauthorized access or disclosure through controls such as encryption, access management, and non-disclosure policies.
What is integrity in information security?
Assurance that data is accurate, consistent, and unaltered except by authorized processes.
Controls: checksums (detect accidental corruption only), cryptographic hashes, MACs and digital signatures (detect deliberate tampering), version control.
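The difference between the integrity controls above matters in practice: a checksum or plain hash catches a bit flip in storage or transit, but an attacker who can change the data can just recompute it, whereas a keyed MAC cannot be recomputed without the key (a digital signature is the asymmetric counterpart: only the private key holder can produce it, and anyone can verify it). The following is an added example, not code from the original page; the record, the shared key and the attacker model are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample record and shared key (not from the original page).
RECORD = b"account=4711;balance=1000;currency=EUR"
KEY = b"example-shared-secret-do-not-reuse"


def crc32_tag(data: bytes, key: bytes = b"") -> str:
    """Plain checksum: detects accidental corruption; the key is ignored."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_tag(data: bytes, key: bytes = b"") -> str:
    """Unkeyed cryptographic hash: collision-resistant, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """Keyed MAC: a valid tag can only be produced by someone holding the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


SCHEMES = {"crc32": crc32_tag, "sha256": sha256_tag, "hmac": hmac_tag}


def protect(data: bytes, scheme: str, key: bytes = KEY) -> tuple:
    """Writer side: store or transmit the record together with its tag."""
    return data, SCHEMES[scheme](data, key)


def verify(data: bytes, tag: str, scheme: str, key: bytes = KEY) -> bool:
    """Reader side. compare_digest avoids leaking the match position via timing."""
    return hmac.compare_digest(SCHEMES[scheme](data, key), tag)


def bit_flip(data: bytes) -> bytes:
    """Accidental corruption: one bit flips in storage or transit; the tag is untouched."""
    b = bytearray(data)
    b[len(b) // 2] ^= 0x01
    return bytes(b)


def attacker(data: bytes, tag: str, scheme: str) -> tuple:
    """Deliberate tampering: change the balance, then recompute the tag with whatever is
    public. The attacker does not hold KEY, so for HMAC a guessed key is the best it can do."""
    tampered = data.replace(b"balance=1000", b"balance=9999")
    return tampered, SCHEMES[scheme](tampered, b"attacker-guess")


def detects_accident(scheme: str) -> bool:
    data, tag = protect(RECORD, scheme)
    return not verify(bit_flip(data), tag, scheme)


def detects_tampering(scheme: str) -> bool:
    data, tag = protect(RECORD, scheme)
    return not verify(*attacker(data, tag, scheme), scheme)


if __name__ == "__main__":
    for s in SCHEMES:
        print(f"{s:7} accident detected: {detects_accident(s)!s:5} "
              f"tampering detected: {detects_tampering(s)}")
```

All three schemes catch the bit flip; only the keyed scheme catches the attacker, because the verifier's secret is what the attacker lacks. The same reasoning is why a download page that publishes a SHA-256 next to the file protects against corrupted mirrors but not against whoever controls the page.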
What does availability protect against?
Disruptions that prevent authorized users from timely access — e.g., downtime, denial-of-service attacks, or hardware failures.
Controls: redundancy, backups, failover systems.
What does systematization of security mean?
The structured, repeatable, organization-wide management of security using formal processes, policies, risk assessments, and continuous improvement.
→ Usually implemented through an ISMS (ISO 27001).
What happens during context establishment?
Define internal/external context, business objectives, stakeholders, and regulatory environment to align risk management with organizational goals.
What’s the goal of risk identification?
Determine what could go wrong — list threats, vulnerabilities, and affected assets to create a comprehensive risk inventory.
What does risk analysis involve?
Assessing likelihood and impact for each identified risk using qualitative or quantitative methods to estimate overall risk levels.
What is the purpose of risk evaluation?
Compare analyzed risks against risk criteria or tolerance levels to determine acceptability and prioritize treatment efforts.
What are the four main risk treatment strategies?
Avoid — eliminate activity/source of risk.
Reduce — implement controls to lower risk.
Transfer — shift the financial consequences to a third party (insurance, outsourcing); accountability for the asset usually stays with the organization.
Accept — tolerate risk within set thresholds.
What is the full sequence of the risk life cycle?
Context → Identification → Analysis → Evaluation → Treatment → Monitoring & Review (continuous loop).
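The steps from analysis through monitoring can be worked through on a small risk register. The following is an added example, not code from the original page: it scores each risk both qualitatively (Likelihood × Impact on a 1..5 scale) and quantitatively (expected annual loss = incidents per year × loss per incident), evaluates both against risk criteria, applies a recorded treatment strategy, and flags residual risk that is still above tolerance for the next review. The register entries, the tolerance thresholds, the banding tables and the treatment plan are all constructed assumptions.

```python
from dataclasses import dataclass

# Risk criteria: constructed thresholds for this example; a real ISMS sets its own
# during context establishment.
SCORE_TOLERANCE = 9          # qualitative: Likelihood x Impact above this must be treated
EAL_TOLERANCE = 50_000.0     # quantitative: expected annual loss above this must be treated

# Banding tables mapping measured values onto the 1..5 qualitative scale (constructed).
FREQ_BANDS = [(0.05, 1), (0.2, 2), (0.5, 3), (1.0, 4)]                  # incidents per year
LOSS_BANDS = [(10_000, 1), (50_000, 2), (200_000, 3), (1_000_000, 4)]  # loss per incident


def band(value: float, bands) -> int:
    """Return the 1..5 level whose upper bound first contains value; 5 if none does."""
    for upper, level in bands:
        if value <= upper:
            return level
    return 5


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    frequency: float   # expected incidents per year (likelihood, quantitative)
    loss: float        # loss per incident (impact, quantitative)

    # Analysis: the same Likelihood x Impact on the qualitative and the quantitative scale
    def likelihood(self) -> int:
        return band(self.frequency, FREQ_BANDS)

    def impact(self) -> int:
        return band(self.loss, LOSS_BANDS)

    def score(self) -> int:
        return self.likelihood() * self.impact()

    def expected_annual_loss(self) -> float:
        return self.frequency * self.loss

    # Evaluation: compare against the risk criteria; either criterion can trip it
    def exceeds_tolerance(self) -> bool:
        return self.score() > SCORE_TOLERANCE or self.expected_annual_loss() > EAL_TOLERANCE


def identify() -> list:
    """Risk inventory: constructed sample entries, not data from the page."""
    return [
        Risk("customer DB", "external attacker", "unpatched DB server", 0.5, 400_000),
        Risk("build pipeline", "insider misuse", "shared admin credentials", 0.4, 150_000),
        Risk("office wiki", "ransomware", "no offline backups", 0.1, 20_000),
        Risk("legacy FTP", "credential theft", "cleartext protocol", 1.0, 60_000),
        Risk("data centre", "flood", "single site, no failover", 0.04, 3_000_000),
    ]


# Treatment decisions a risk owner might record (constructed). Each control is modelled by
# the factor it applies to frequency (likelihood) and to loss (impact).
PLAN = {
    "customer DB":    ("reduce",   "patch management",             0.6,  1.0),
    "build pipeline": ("reduce",   "per-user credentials + MFA",   0.25, 1.0),
    "legacy FTP":     ("avoid",    "decommission the FTP service", 0.0,  0.0),
    "data centre":    ("transfer", "insurance covers 90% of loss", 1.0,  0.1),
}


def evaluate(register: list) -> list:
    """Prioritise treatment: highest qualitative score first, expected loss as tie-breaker."""
    return sorted(register, key=lambda r: (r.score(), r.expected_annual_loss()), reverse=True)


def treat(risk: Risk) -> tuple:
    """Apply the recorded strategy; return (strategy, control, residual risk)."""
    if not risk.exceeds_tolerance():
        strategy, control, f_freq, f_loss = "accept", None, 1.0, 1.0
    else:
        strategy, control, f_freq, f_loss = PLAN[risk.asset]
    residual = Risk(risk.asset, risk.threat, risk.vulnerability,
                    risk.frequency * f_freq, risk.loss * f_loss)
    return strategy, control, residual


def run_cycle() -> dict:
    """Identification -> Analysis -> Evaluation -> Treatment -> Monitoring & Review."""
    report = {}
    for inherent in evaluate(identify()):
        strategy, control, residual = treat(inherent)
        report[inherent.asset] = {
            "inherent_score": inherent.score(),
            "inherent_eal": inherent.expected_annual_loss(),
            "strategy": strategy,
            "control": control,
            "residual_score": residual.score(),
            "residual_eal": residual.expected_annual_loss(),
            # Monitoring & Review: anything still above tolerance re-enters the loop
            "needs_review": residual.exceeds_tolerance(),
        }
    return report


if __name__ == "__main__":
    for asset, row in run_cycle().items():
        print(f"{asset:15} {row['strategy']:9} score {row['inherent_score']:>2}->{row['residual_score']:<2} "
              f"EAL {row['inherent_eal']:>9,.0f}->{row['residual_eal']:<9,.0f} review={row['needs_review']}")
```

Two things the run shows that the definitions alone do not. The build pipeline risk scores 9, inside the qualitative tolerance, but its expected annual loss of 60,000 exceeds the quantitative one, so the two methods can disagree and the criteria must say which wins. And the customer DB control cuts frequency by only 40%, leaving the residual score at 12; Monitoring & Review flags it, which is the feedback loop that keeps a treated risk from being forgotten.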
What does the Capability Maturity Model measure?
The maturity and optimization of an organization’s processes — including how consistent, measurable, and continuously improved they are.
What characterizes CMM Level 1 (Initial)?
Processes are ad hoc and unpredictable; outcomes depend on individual effort rather than structure.
What happens at CMM Level 2 (Repeatable)?
Basic processes exist and can be repeated, but lack full documentation or standardization across teams.
What defines CMM Level 3 (Defined)?
Processes are documented, standardized, and integrated across the organization — clear policies and procedures are in place.
What is key about CMM Level 4 (Managed)?
Processes are measured and controlled quantitatively, enabling data-driven performance management.
What distinguishes CMM Level 5 (Optimizing)?
Focus on continuous improvement — feedback, innovation, and proactive refinement of security processes.
How does CMM maturity relate to ISMS effectiveness?
As maturity increases, security becomes proactive and predictive, not reactive — ensuring alignment with ISO 27001’s continual improvement philosophy.
How are risk management and CMM maturity connected?
Mature organizations systematically assess, treat, and monitor risk, embedding feedback loops for learning and process optimization.