- Valuable resources that need protection
- i.e. data, systems, people, buildings, property, etc.
Assets
- Potentially harmful occurrence
- i.e. hacker, earthquake, power outage, etc.
Threat
A weakness that can allow a threat to cause harm
Vulnerability
Formula to calculate risk:
Risk = Threat * Vulnerability
Variables that represent the severity of damage, sometimes expressed in dollars.
Impact
What other variable is sometimes added to the risk equation?
Risk = Threat * Vulnerability * Impact
Uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have.
Risk Analysis Matrix
Calculation that allows you to determine the annual cost of a loss due to a risk.
Annualized loss expectancy (ALE)
The value of the assets you are trying to protect
Asset Value (AV)
Percentage (%) of value an asset loses due to an incident
Exposure Factor (EF)
- Calculated by AV * EF
- The cost of a single loss
Single-Loss Expectancy (SLE)
The number of losses suffered per year
Annual Rate of Occurrence (ARO)
- Calculated by SLE * ARO
- Yearly cost due to a risk
Annualized Loss Expectancy (ALE)
The overall cost associated with mitigation using a safeguard.
Total Cost of Ownership (TCO)
The amount of money saved by implementing a safeguard
Return on Investment (ROI)
If the annual Total Cost of Ownership (TCO) is less than your ALE
Your have a positive ROI and have made a good choice with your safeguard implementation
If the annual Total Cost of Ownership (TCO) is higher than your ALE
You’ve made a poor choice as it relates to safeguard implementation
What three factors play a big part in determining the cybersecurity budget?
- Risk analysis
- Total Cost of Ownership (TCO)
- ROI
- Risk choice
- Sometimes it is cheaper to leave an asset unprotected, rather than make the effort and spend the money to protect it.
- Risks assessed as low likelihood are candidates for this risk
Accept the Risk
- Risk choice
- Lowering a risk to an acceptable level
Mitigating Risk
- Risk choice
- Risk is moved to another entity allowing them to handle the liability
- i.e. Insurance companies they are experts in handling risks
Transferring Risk
- Risk choice
- The process of choosing an alternate option that has less risk associated with it,
- i.e. Choosing to locate a business in Arizona instead of Florida to avoid hurricanes
Risk Avoidance
- Risk choice
- Denying that a risk exists (not acceptable)
Risk Rejection
The lowering of risk
Risk Reduction
-
Domain 1: Legal and Regulatory Issues58
-
Domain 1: Risk Analysis34
-
Domain 1: Everything Else45
-
Domain 1: Threat Modeling29
-
Domain 2: Classifying Data39
-
Domain 2: Memory and Remanence27
-
Domain 2: Determining Data Security Controls30
-
Domain 3: Security Models31
-
Domain 3: System Design48
-
Domain 3: System Vulnerabilities40
-
Domain 3: Cryptography31
-
Domain 3: Types of Cryptography38
-
Domain 3: Cryptography Attacks and Implementing34
-
Domain 3: Environmental Controls41
-
Domain 4: Communication and Network Security37
-
Domain 5: Authentication Methods47
-
Domain 5: Access Control Technologies49
-
Domain 6: Security Assessment and Testing26
-
Domain 7: Forensics and Incident Response30
-
Domain 7: Assessment Management31
-
Domain 7: BCP/DRP29
-
Domain 7: BCP/DRP pt 230
-
Domain 7 : Backups20
-
Domain 8: Programming Concepts37
-
Domain 8: Databases25
-
Domain 8: Software Security32
-
Domain 4: Communication and Network Security Pt 230
-
Domain 4: Communication and Network Security Pt 339
-
Domain 8: Database pt 223
-
Domain 6: Security Assessment and Testing pt 226
