As a security professional, you are concerned with acquired products or services going end-of-life or end-of-service. Which of the following is the most crucial reason? (Wentz QOTD)
A. Risk exposure increases.
B. Maintenance costs get higher.
C. System availability can be impacted.
D. Vulnerabilities remain open and unpatched.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Risk exposure increases.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial on information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

What is Risk?
ISO/IEC/IEEE 24765:2017 Systems and software engineering — Vocabulary

1. potential loss presented to an individual, project, or organization by a risk
[ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management, 3.10]
2. function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence
[ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management, 3.10]
3. product of probability times potential loss for a risk factor

Note 1 to entry: Risk exposure is commonly defined as the product of a probability and the magnitude of a consequence, that is, an expected value or expected exposure.

Risk exposure is a measure of risk. It considers both the uncertainty and the effect parts of risk. Risk refers to the effect of uncertainty on objectives. Uncertainty and effect can be measured quantitatively or qualitatively, and so can risk exposure. Risk analysis is the process that determines risk exposure in order to prioritize risks, and it informs risk evaluation decisions and risk treatment.

Risk Assessment/Analysis

Risk assessment and risk analysis are often treated as synonyms in NIST guidelines, the CISSP exam outline, and CISSP study guides. However, it’s not the case in ISO standards such as ISO 31000 and ISO 27005; risk analysis is part of risk assessment.

Risks such as higher maintenance costs, impacted system availability, and vulnerabilities remaining open and unpatched may materialize. However, we need to analyze them further in terms of their likelihood (or possibility) and impact to determine the risk exposure. So risk exposure is the more general and comprehensive concept: it reminds us to consider both the uncertainty and the effect parts of risk from a higher-level perspective.

NIST Glossary

Exposure: The combination of likelihood and impact levels for a risk.

Inherent Risk: The risk to an entity in the absence of any direct or focused actions by management to alter its severity.

Residual Risk: Portion of risk remaining after security measures have been applied.
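To make the distinction concrete, the following is an added example (not from the original post or the cited standards): it scores the three candidate consequences from the question as individual risks with constructed likelihood and impact values, computes each one's exposure as probability times magnitude (the expected value in Note 1 above), ranks them, and derives a residual exposure after a hypothetical compensating control is applied to the inherent risk.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # annual probability that the consequence occurs (0..1)
    impact: float      # magnitude of the consequence, in currency units (constructed)

def exposure(r: Risk) -> float:
    """Risk exposure = probability x magnitude of consequence (an expected value)."""
    return round(r.likelihood * r.impact, 2)

def residual(r: Risk, likelihood_cut: float = 0.0, impact_cut: float = 0.0) -> Risk:
    """Residual risk after a security measure reduces likelihood and/or impact.
    likelihood_cut / impact_cut are fractions in 0..1; the inherent Risk is left unchanged."""
    for cut in (likelihood_cut, impact_cut):
        if not 0.0 <= cut <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    return replace(r,
                   likelihood=r.likelihood * (1.0 - likelihood_cut),
                   impact=r.impact * (1.0 - impact_cut))

def prioritize(risks: list[Risk]) -> list[tuple[str, float]]:
    """Rank risks by exposure, highest first, as risk analysis does before evaluation."""
    return sorted(((r.name, exposure(r)) for r in risks), key=lambda t: t[1], reverse=True)

# Constructed EOL scenario: each answer option B, C and D is one risk; the values are
# assumptions for illustration, not figures from the question or from any standard.
EOL_RISKS = [
    Risk("maintenance costs get higher", likelihood=0.9, impact=50_000),
    Risk("system availability impacted", likelihood=0.3, impact=200_000),
    Risk("vulnerabilities remain unpatched", likelihood=0.6, impact=500_000),
]

def total_exposure(risks: list[Risk]) -> float:
    """Overall risk exposure of keeping the EOL product: the sum of the expected losses."""
    return round(sum(exposure(r) for r in risks), 2)

if __name__ == "__main__":
    for name, value in prioritize(EOL_RISKS):
        print(f"{name:35s} exposure = {value:>10,.2f}")
    inherent = EOL_RISKS[2]
    # Hypothetical compensating control (e.g. isolating the EOL system) halves the likelihood.
    print("residual exposure:", exposure(residual(inherent, likelihood_cut=0.5)))
```

The unpatched-vulnerability risk is the largest single contributor, but the answer "risk exposure increases" covers all three, and the residual figure shows why treatment decisions are made on exposure rather than on the bare existence of a vulnerability.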


As a security professional, you are concerned that purchased products or services are going end-of-life or end-of-service. Which of the following is the most crucial reason? (Wentz QOTD)
A. Risk exposure increases.
B. Maintenance costs get higher.
C. System availability can be impacted.
D. Vulnerabilities remain open and unpatched.