You are conducting the risk assessment and have identified several risks. Which of the following best describes the risk in your risk register?
A. Natural hazards like earthquakes, floods, etc.
B. Script kiddies using open source tools to play SQL injections against web sites
C. Employees carelessly attending training may result in frequent violations of security policy
D. Human life losses
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Employees carelessly attending training may result in frequent violations of security policy.
According to ISO 31000, the risk is the “effect of uncertainty on objectives.” This is a generic risk definition that applies to all contexts, such as financial risk, personnel risk, supply chain risk, information security risk, etc.
The following is a complete risk description that comprises both uncertainty and effect:
Employees carelessly attending training may result in frequent violations of security policy.
The following risk descriptions are incomplete:
- Natural hazards like earthquakes, floods, etc., are threat sources, part of the uncertainty.
- “Script kiddies using open source tools to play SQL injections against web sites” is an uncertain threat scenario without describing effects.
- Human life losses are an effect.
There are various structural approaches to describing risk. The risk metalanguage created by Dr. David Hillson is one of the most well-known. The following sample risk is described using the risk metalanguage as the sentence structure, with the NIST Generic Risk Model applied specifically in the context of information security.
Because a hacker (threat source) may deface an unpatched web site (vulnerability) through SQL injection (threat event), that would jeopardize the organization’s reputation (adverse impact). (Wentz Wu)
NIST Generic Risk Model
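To make the "uncertainty plus effect" test concrete, here is an added Python example (not from the original post and not an official schema from ISO 31000 or NIST) that models a risk-register row with the NIST Generic Risk Model's elements, classifies each answer option as threat-only, effect-only or complete, and renders the post's sample risk in Hillson's metalanguage sentence structure. The class and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskEntry:
    """Risk-register row laid out after the NIST Generic Risk Model (hypothetical field names)."""
    threat_source: Optional[str] = None   # who or what initiates the event
    action: Optional[str] = None          # what the source does to the asset
    vulnerability: Optional[str] = None   # weakness that makes the action possible
    threat_event: Optional[str] = None    # technique or event used
    adverse_impact: Optional[str] = None  # effect on the organization's objectives

    def classify(self) -> str:
        # ISO 31000: risk is the effect of uncertainty on objectives; both halves are needed.
        uncertainty = bool(self.threat_source or self.threat_event)
        effect = bool(self.adverse_impact)
        if uncertainty and effect:
            return "complete risk"
        if uncertainty:
            return "threat only"
        if effect:
            return "effect only"
        return "empty"

    def to_statement(self) -> str:
        """Render the row with Hillson's risk metalanguage; every field must be filled."""
        fields = (self.threat_source, self.action, self.vulnerability,
                  self.threat_event, self.adverse_impact)
        if not all(fields):
            raise ValueError("cannot render metalanguage sentence: " + self.classify())
        return (f"Because {self.threat_source} may {self.action} {self.vulnerability} "
                f"through {self.threat_event}, that would {self.adverse_impact}.")


# Constructed rows mirroring the four answer options; only C fills both halves.
OPTIONS = {
    "A": RiskEntry(threat_source="natural hazards like earthquakes and floods"),
    "B": RiskEntry(threat_source="script kiddies",
                   threat_event="SQL injection with open source tools"),
    "C": RiskEntry(threat_source="employees carelessly attending training",
                   adverse_impact="result in frequent violations of security policy"),
    "D": RiskEntry(adverse_impact="loss of human life"),
}

# The sample risk from the post, decomposed into the model's fields.
SAMPLE = RiskEntry("a hacker", "deface", "an unpatched web site",
                   "SQL injection", "jeopardize the organization's reputation")


def complete_options() -> list[str]:
    return [key for key, entry in OPTIONS.items() if entry.classify() == "complete risk"]
```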
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
You are conducting a risk assessment and have identified some risks. Which of the following best describes the risk in your risk register?