A software development team is conducting threat modeling. Which of the following is the best instrument used to evaluate the risk exposure of identified threats? (Wentz QOTD)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. DREAD.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Risk exposure is a measure of potential loss, evaluated as a monetary value, a score, or scale values in terms of likelihood, consequences, and other risk factors. It is commonly simplified to the product of the probability and the magnitude of a consequence, that is, an expected value or expected exposure. For example, given a risk with a probability of 50% that might cause a financial loss of $1,000,000, the risk exposure is $500,000.
DREAD is the acronym for Damage, Reproducibility, Exploitability, Affected users, and Discoverability. Each factor reflects either impact (Damage, Affected users) or likelihood (Reproducibility, Exploitability, Discoverability). Rating all five factors and combining the ratings yields a score that evaluates and ranks the risk exposure of each identified threat.
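To make the scoring concrete, the following is an added Python example, not code from the original post, that rates a few constructed threats with DREAD and also computes the expected-value form of exposure from the paragraph above. It assumes the common convention of a 0 to 10 rating per factor with the mean of the five ratings as the risk score, and the grouping of Damage and Affected users as impact factors and the other three as likelihood factors; the threat names and ratings are constructed for illustration.

```python
"""DREAD scoring of threats enumerated during threat modeling.

Added example, not code from the original post. Assumptions: each DREAD
factor is rated 0 (low) to 10 (high) and the risk score is the mean of the
five ratings; the sample threats and their ratings are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, List

# Factors that describe impact versus factors that describe likelihood.
IMPACT_FACTORS = ("damage", "affected_users")
LIKELIHOOD_FACTORS = ("reproducibility", "exploitability", "discoverability")
ALL_FACTORS = IMPACT_FACTORS + LIKELIHOOD_FACTORS
SCALE_MAX = 10


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int           # how bad is the harm if the threat is realized?
    reproducibility: int  # how reliably can the attack be repeated?
    exploitability: int   # how little skill/effort does the attack need (high = easy)?
    affected_users: int   # how many users are affected?
    discoverability: int  # how easily is the weakness found?

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 0..10 scale.
        for factor in ALL_FACTORS:
            value = getattr(self, factor)
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{factor} must be within 0..{SCALE_MAX}, got {value}")

    def impact(self) -> float:
        return mean(getattr(self, f) for f in IMPACT_FACTORS)

    def likelihood(self) -> float:
        return mean(getattr(self, f) for f in LIKELIHOOD_FACTORS)

    def dread_score(self) -> float:
        """Mean of all five factors: the usual DREAD risk score."""
        return mean(getattr(self, f) for f in ALL_FACTORS)


def expected_exposure(probability: float, loss: float) -> float:
    """Risk exposure as an expected value: probability times magnitude of loss."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be within 0..1")
    return probability * loss


def rank_threats(threats: Iterable[Threat]) -> List[Threat]:
    """Return the threats ordered from highest to lowest DREAD score."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


# Constructed sample: three threats from a hypothetical STRIDE pass over a web app.
SAMPLE_THREATS = [
    Threat("Predictable session token (Spoofing)", 8, 10, 7, 9, 6),
    Threat("Stack trace shown in error page (Information disclosure)", 3, 10, 10, 5, 10),
    Threat("Admin report lacks authorization check (Elevation of privilege)", 9, 10, 9, 2, 4),
]

if __name__ == "__main__":
    print(f"Exposure of a 50% chance of losing $1,000,000: "
          f"${expected_exposure(0.5, 1_000_000):,.0f}")
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.dread_score():4.1f}  impact={t.impact():.1f} "
              f"likelihood={t.likelihood():.1f}  {t.name}")
```

Splitting the factors into impact and likelihood groups is what lets the team see why a threat ranks where it does: the stack-trace leak above is almost certain to be found and exploited but does little damage, while the predictable token combines high likelihood with high impact and therefore comes out on top.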
STRIDE is a threat categorization model with predefined categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. It helps enumerate and classify threats but doesn't rate the likelihood or impact of a threat, so it doesn't evaluate risk exposure.
A software development team is conducting threat modeling. Which of the following is the best instrument for evaluating the risk exposure of identified threats? (Wentz QOTD)