Your company is a well-known cloud services provider. You learned from a threat intelligence report that Meltdown and Spectre are hardware-level vulnerabilities affecting CPUs from almost all vendors. Meltdown lets a rogue process exploit a race condition between a memory access and its privilege check to read the entire memory space, leading to unauthorized access. Spectre is a timing attack that abuses speculative execution, so that even scripted malware (e.g., JavaScript running in a browser) can read the memory of the process it runs in. After several iterations of risk treatment, the latest software patches still degrade system performance significantly. Having considered all the risk treatment options, senior management decides to accept the risk. Which of the following least reflects the management decision?
A. Monitor and respond to the risk until the risk materializes
B. The risk exposure of inherent risk is lower than the risk acceptance criteria
C. The risk exposure of residual risk is lower than the risk acceptance criteria
D. Leave the risk in the risk register and keep monitoring it
Kindly be reminded that the suggested answer is for your reference only. Whether you get the answer right or wrong doesn't matter; what really matters is your reasoning process and justifications.
My suggested answer is B. The risk exposure of inherent risk is lower than the risk acceptance criteria.
Risk management is an iterative process, not a one-time endeavor.
- "After iterations of risk treatments" implies that the risk exposure of the inherent risk (the newly identified risk with no treatment yet applied) exceeded the risk acceptance criteria, so risk evaluation determined that the risk had to be treated, and it has been.
- Conversely, if the risk exposure of the inherent risk is already below the risk acceptance criteria, risk evaluation retains the risk as-is: it stays in the risk register and is monitored for further changes, and no risk treatment is applied.
Residual risk is evaluated after risk treatment. If it still does not meet the risk acceptance criteria, another iteration of risk assessment and treatment is conducted. Since senior management decides to accept the risk, the risk exposure of the residual risk must be lower than the risk acceptance criteria. Option C therefore reflects the decision, and option B contradicts it.
Risk acceptance does not mean doing nothing or ignoring the risk: the risk stays in the risk register, is monitored, and is responded to if it materializes. Options A and D are the same statement rephrased, and both reflect the decision.
Risk exposure
- Potential loss presented to an individual, project, or organization by a risk; a function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence. (ISO 16085:2006)
- Product of a probability and the magnitude of a consequence, that is, an expected value or expected exposure. (ISO 24765:2017)
- Risk exposure is a measure of potential loss that can be expressed as a monetary value, a score, or scale values (e.g., High, Moderate, or Low) in terms of likelihood, consequences, and other risk factors. Its purpose is to prioritize risks and inform decisions.
Inherent risk
- The risk level or exposure without taking into account the actions that management has taken or might take. (ISACA, 2019)
- The expected exposure of a newly identified risk to which no countermeasure has been applied, also known as untreated risk or raw risk.
Residual risk
- Risk remaining after risk treatment, also known as "retained risk." (ISO Guide 73:2009)
- The risk that remains after risk responses have been implemented. (PMI, 2019)
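The reasoning above (inherent exposure above the acceptance criteria triggers treatment; residual exposure at or below the criteria is accepted and kept in the register) can be walked through as a small risk-register model. The following is an added example, not code from the original post; the 1..5 likelihood and impact scores, the treatments, the acceptance criterion and the scenario values are all constructed for illustration.

```python
"""Toy risk register: inherent vs residual exposure and the
evaluate-treat-re-evaluate loop. Added example; all figures constructed."""
from dataclasses import dataclass, field


@dataclass
class Treatment:
    """A risk treatment (control). Each one lowers the likelihood and/or
    impact score by a fixed number of points on the 1..5 scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    side_effect: str = ""      # e.g. performance loss caused by the control


@dataclass
class Risk:
    """One risk-register entry. likelihood/impact are the inherent
    (untreated) scores; treatments applied so far are recorded here."""
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatments: list = field(default_factory=list)

    def inherent_exposure(self) -> int:
        # Exposure as likelihood x consequence, before any treatment.
        return self.likelihood * self.impact

    def residual_exposure(self) -> int:
        # Exposure remaining once every recorded treatment is applied.
        likelihood, impact = self.likelihood, self.impact
        for t in self.treatments:
            likelihood = max(1, likelihood - t.likelihood_reduction)
            impact = max(1, impact - t.impact_reduction)
        return likelihood * impact


def treat_until_acceptable(risk: Risk, candidates: list, acceptance_criteria: int):
    """Risk evaluation loop. Returns (decision, names of treatments applied).

    'retain'   : inherent exposure already within criteria, nothing applied
    'accept'   : residual exposure within criteria after treatment
    'escalate' : candidates exhausted, exposure still above criteria
    """
    if risk.inherent_exposure() <= acceptance_criteria:
        return "retain", []
    applied = []
    for t in candidates:
        risk.treatments.append(t)        # apply one more control, re-evaluate
        applied.append(t.name)
        if risk.residual_exposure() <= acceptance_criteria:
            return "accept", applied
    return "escalate", applied


def check_options(risk: Risk, acceptance_criteria: int) -> dict:
    """Which of the question's statements B and C hold for this entry."""
    return {
        "B_inherent_within_criteria": risk.inherent_exposure() <= acceptance_criteria,
        "C_residual_within_criteria": risk.residual_exposure() <= acceptance_criteria,
    }


def meltdown_spectre_scenario() -> dict:
    """Constructed walk-through of the question's scenario (values invented)."""
    criteria = 6   # management accepts anything scored 6 or below
    risk = Risk("Meltdown/Spectre on multi-tenant hosts", likelihood=5, impact=5)
    candidates = [
        Treatment("OS kernel patch (KPTI)", likelihood_reduction=2,
                  side_effect="noticeable slowdown"),
        Treatment("CPU microcode update", likelihood_reduction=1,
                  side_effect="further slowdown"),
        Treatment("Dedicated hosts for sensitive tenants", impact_reduction=2,
                  side_effect="capacity cost"),
    ]
    decision, applied = treat_until_acceptable(risk, candidates, criteria)
    return {
        "decision": decision,
        "applied": applied,
        "inherent": risk.inherent_exposure(),
        "residual": risk.residual_exposure(),
        "options": check_options(risk, criteria),
    }


if __name__ == "__main__":
    for key, value in meltdown_spectre_scenario().items():
        print(f"{key}: {value}")
```

In the constructed run the inherent exposure (25) is far above the criterion, three treatments bring the residual exposure down to 6, and management accepts; `check_options` then reports B as false and C as true, which is exactly why B is the statement that least reflects the decision. The same loop returns `retain` for a risk whose inherent exposure was acceptable from the start and `escalate` when the candidate treatments run out.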
If you are interested in risk management, my book is a useful reference that deserves a place on your bookshelf.
- Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?
- Meltdown and Spectre
- Meltdown, Spectre bug patch slowdown gets real – and what you can do about it
- Zombie Loading: Intel Patches Slow Down SSDs as AMD Gains Ground