Chapter 9 - Risk Management: Controlling Risk

When an organization's general management team determines that risks from information security threats are creating a competitive ___________, it empowers the information technology and information security communities of interest to control those risks.
The risk control strategy that seeks to reduce the impact of a successful attack through the use of IR, DR and BC plans is
is the risk control strategy that seeks to prevent exploitation of a perceived vulnerability through the application of effective safeguards.
is a control approach that attempts to shift the risk to other agencies who will manage or insure the assets.
The threat level and an asset's _______ should be a major factor in the risk control strategy selection.
Residual Risk
is a combined function of (1) a threat less the effect of threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.
The effectiveness of controls should be ______ and measured regularly once a control strategy has been selected.
Risk appetite is also known as risk
In an economic feasibility study, the _________ is the value to the organization of using controls that prevent losses related to a particular vulnerability.
valuation is the process of assigning financial value to an information asset.
The Single Loss Expectancy (SLE) is the result of the asset's value (AV) multiplied by the _______ factor.
Post Control
A cost benefit analysis (CBA) result is obtained from the difference between the pre-control and the __________ annualized loss expectancy (ALE).
Appetite tolerance
Risk __________ defines the quantity and nature of risk that an organization is willing to accept.
The element of remaining risk after vulnerabilities have been controlled is referred to as ___________ risk.
The ______ technique is a process in which a group ranks a set of information.
The _______ Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
is a risk management framework developed to help organizations to understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
The _______ assessment tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated estimation used for quantitative measures.
Due care and due diligence occur when an organization adopts a certain minimum level of security as what any __________ organization would do in similar circumstances.
One of the most common methods of obtaining user acceptance and support is via user