After risk assessment, your company plans to equip laptops used by sales representatives with FIPS 140-2 Level 3 compliant self-encrypting drives as a countermeasure to protect around 10% of confidential data stored on hard drives. You are analyzing the residual risk using a quantitative approach in another iteration of risk assessment after the risk treatment. Which of the following is the primary and direct factor subject to change due to the risk treatment? (Wentz QOTD)
A. Asset value
B. Exposure factor
C. Annual loss expectancy
D. Annualized rate of occurrence
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Exposure factor.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Exposure factor (EF)
Exposure factor (EF) is the subjective, potential percentage of loss to a specific asset if a specific threat is realized. The exposure factor is a subjective value that the person assessing risk must define. (Wikipedia)
Exposure factor “is the proportion of the value of an asset that is likely to be lost due to a particular risk. It’s expressed as a percentage of the original value.” (capital.com)
This question is designed to emphasize that risk mitigation does not only reduce likelihood. Risk mitigation may reduce likelihood, consequences, or both. In other words, mitigating risk changes risk exposure, which takes both uncertainty (likelihood) and effect (consequences) into consideration.
A laptop that holds classified data is more valuable (the asset value is higher) than one that holds none. If a FIPS 140-2 Level 4 compliant self-encrypting drive is used, the asset value may change after a laptop is stolen, but that is not the direct effect of the treatment. A policy that mandates that classified data shall not be provisioned on laptops can be treated as risk avoidance.
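The quantitative relationships behind the question, as an added worked example that is not part of the original post: single loss expectancy is SLE = AV × EF and annual loss expectancy is ALE = SLE × ARO. The figures (asset value, exposure factor, ARO, safeguard cost) are constructed for illustration, and the treatment is modelled on the assumption that encrypting a share of the data shrinks EF by that share while AV and ARO stay as they were, so ALE changes only as a derived consequence.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class QuantitativeRisk:
    """Inputs of one quantitative risk scenario (one laptop, one threat: theft)."""
    asset_value: float       # AV: value of the laptop plus the data on it (currency units)
    exposure_factor: float   # EF: fraction of AV lost when the threat is realized, 0.0..1.0
    annual_rate: float       # ARO: expected occurrences of the threat per year

    def sle(self) -> float:
        # Single loss expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual loss expectancy: ALE = SLE x ARO
        return self.sle() * self.annual_rate


def apply_self_encrypting_drive(risk: QuantitativeRisk, protected_fraction: float) -> QuantitativeRisk:
    """Model the risk treatment: a self-encrypting drive keeps `protected_fraction`
    of the data unreadable to a thief. Assumption (not from the post): loss is
    proportional to readable data, so EF shrinks by that share. AV and ARO are
    untouched because the laptop is just as valuable and just as likely to be stolen."""
    if not 0.0 <= protected_fraction <= 1.0:
        raise ValueError("protected_fraction must be within 0.0..1.0")
    return replace(risk, exposure_factor=risk.exposure_factor * (1.0 - protected_fraction))


def directly_changed_factors(before: QuantitativeRisk, after: QuantitativeRisk) -> List[str]:
    """Return the input factors (AV, EF, ARO) whose values differ; ALE is derived, not an input."""
    changed = []
    for name in ("asset_value", "exposure_factor", "annual_rate"):
        if getattr(before, name) != getattr(after, name):
            changed.append(name)
    return changed


def safeguard_value(before: QuantitativeRisk, after: QuantitativeRisk, annual_cost: float) -> float:
    """Cost/benefit of the safeguard: (ALE before - ALE after) - annual cost of the safeguard."""
    return before.ale() - after.ale() - annual_cost


# Constructed sample scenario: AV 20,000, EF 50%, one theft every five years per laptop.
BEFORE = QuantitativeRisk(asset_value=20_000.0, exposure_factor=0.5, annual_rate=0.2)
AFTER = apply_self_encrypting_drive(BEFORE, protected_fraction=0.10)   # the post's ~10%
SED_ANNUAL_COST = 150.0                                                  # constructed figure


if __name__ == "__main__":
    print(f"Before: SLE={BEFORE.sle():.0f} ALE={BEFORE.ale():.0f}")
    print(f"After:  SLE={AFTER.sle():.0f} ALE={AFTER.ale():.0f}")
    print("Directly changed inputs:", directly_changed_factors(BEFORE, AFTER))
    print(f"Safeguard value: {safeguard_value(BEFORE, AFTER, SED_ANNUAL_COST):.0f}")
```

Running it shows that only the exposure factor is listed as a directly changed input; the lower ALE (and the residual risk it represents) follows from that change rather than being altered by the treatment itself.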
References
- NIST FIPS PUB 140-3
- NIST FIPS PUB 140-2
- FIPS Standards for Self-Encrypting Drive Technology
- Seagate Enterprise Self-Encrypting Drives User Guide – Part 1
- Seagate Laptop Thin HDD ST500LM024
- Kingston Releases FIPS 140-2 Level 3 Encrypted USB Flash Drive with Management Ready Option
- SecureData SecureDrive BT FIPS 140-2 Level 3 Validated 256-Bit Hardware Encrypted External Portable Hard Drive USB 3.0 – Secure Wireless Unlock via Mobile App (1 TB)
- Exposure factor
After a risk assessment, your company plans to equip the laptops used by sales representatives with FIPS 140-2 Level 3 compliant self-encrypting drives as a countermeasure to protect about 10% of the confidential data stored on the hard drives. You are analyzing the residual risk using a quantitative approach in another iteration of the risk assessment after the risk treatment. Which of the following is the primary and direct factor changed by the risk treatment? (Wentz QOTD)
A. Asset value (AV)
B. Exposure factor (EF)
C. Annual loss expectancy (ALE)
D. Annualized rate of occurrence (ARO)