You are the CISO of a direct bank based in Taiwan that relies entirely on internet banking. You are concerned that a hacker could type SQL expressions into the login form to bypass authentication. Which of the following best describes your concern?
A. Risk exposure
B. Threat event
C. Threat scenario
D. Risk profile
Kindly be reminded that the suggested answer is for your reference only. It doesn't matter whether you have the right or wrong answer; what really matters is your reasoning process and justifications.
My suggested answer is C. Threat scenario.
Any combination of a threat source and a threat event that exploits a vulnerability forms a threat scenario.
A threat event can be expressed in terms of tactics, techniques, and procedures (TTPs). It is good practice to describe a threat event starting with a verb so that it can be paired with a threat source to form a threat scenario.
In the question, the "hacker" (threat source) can "type SQL expressions into the login form to bypass authentication" (threat event). Because the concern names both the source and the event, it describes a threat scenario rather than a bare threat event.
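To make the threat event concrete, the following is an added example (not code from the original post) that builds a throwaway SQLite user table and shows how a login query assembled by string concatenation is bypassed by the classic `' OR '1'='1` and comment (`' --`) payloads, while the same query with bound parameters is not. The table, the user `alice`, and the plaintext password column are constructed for the demonstration only; a real system would store a password hash.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not from the post).
# Passwords are stored in plaintext here only to keep the query logic visible.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Attacker-controlled text is spliced into the SQL grammar itself,
    # so a quote in the input can terminate the literal and add new clauses.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # The driver binds values to placeholders; input is always data,
    # never part of the statement structure, so quotes and comments are inert.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    # Payload 1: makes the WHERE clause true for every row
    # (AND binds tighter than OR, so '1'='1' short-circuits the check).
    or_payload = "' OR '1'='1"
    # Payload 2: closes the username literal and comments out the password check.
    comment_payload = "alice' --"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "or_bypass_vulnerable": login_vulnerable(conn, "anyone", or_payload),
        "comment_bypass_vulnerable": login_vulnerable(conn, comment_payload, "x"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "or_bypass_parameterized": login_parameterized(conn, "anyone", or_payload),
        "comment_bypass_parameterized": login_parameterized(conn, comment_payload, "x"),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print("%-30s login granted: %s" % (name, granted))
```

Running it shows both payloads granted access through the concatenated query and rejected by the parameterized one; the vulnerability (a login form that lets input reach the SQL parser) is what the threat source needs for the threat event to succeed.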
- Exposure is the state of not being protected, entirely or partially, from risks.
- Risk exposure is the "contact of an entity, asset, system, network, or geographic area with a potential hazard." (DHS Risk Lexicon, 2010)
It is common for security practitioners to treat "exposure" as "not protected" or "coming into contact with danger." However, the following definition is generally accepted in the discipline of risk management:
Risk exposure is a measure of a risk should it materialize. It can be expressed as a monetary value (the potential financial loss) or as a score that scales likelihood against consequences. The concern in the question describes who might do what, not how much would be lost, so risk exposure does not fit.
A risk profile, by contrast, is defined as follows:
- A description of the overall (identified) risk to which the enterprise is exposed. (ISACA, 2019)
- A structured and complete description of any set of risks recorded in the risk register.
- A summary that lists estimates for all the risks associated with a strategy, program, project or activity. Risk profiles are documented and visualized using different methods but are typically based on estimates of the probability and impact of a list of identified risks. (Spacey, 2017)
A risk profile therefore covers the full set of identified risks, whereas the concern in the question is a single attacker action against a single control.