
You are implementing security controls to mitigate threats. Which of the following best describes the target you are treating? (Wentz QOTD)
A. Uncertainty, likelihood, or possibility
B. Effect, consequence, or impact
C. Residual risk
D. Risk exposure
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Risk exposure.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

ISO 31000 is a generic risk management framework applicable to various contexts. It defines risk as “the effect of uncertainty on objectives.” ISO 27005 is based on ISO 31000 and is applied to managing information security risk. The NIST Generic Risk Model (NIST SP 800-30 R1) aligns with this concept and elaborates risk in terms of threat source, threat event, vulnerability, and adverse impact; those factors elaborate the uncertainty and the effect that make up risk.
Risk Assessment vs Risk Analysis
In ISO 31000, risk assessment comprises three tasks: risk identification, risk analysis, and risk evaluation, while some risk management frameworks may treat “risk assessment” and “risk analysis” as synonyms. This question follows ISO 31000.

Risk Identification
Identified risks shall be associated with the goals or objectives in question and are often recorded in the risk register.

Risk Analysis in ISO 31000
Risk analysis means breaking down risk and getting insight into its uncertainty and effect. The analysis can be qualitative or quantitative. The term likelihood implies that risk analysis employs a qualitative approach, while possibility is used in quantitative analysis. The effect of risk can be positive (opportunity) or negative (threat), which can be expressed in a qualitative or quantitative approach as well.
Risk Evaluation

Risk Treatment and Risk Response
The risk treatment options listed in ISO 31000 are commonly known as risk response strategies. In the context of information security, security controls mitigate risk or threats; they address the uncertainty, the effect, or both. For example, an IPS may lower both the likelihood of an attack and its adverse impact.
Residual Risk
Residual risk is the risk that remains after treatment. Risk treatment is an iterative process: treating the inherent risk yields the residual risk, which, if it is not acceptable, is treated again after another round of risk assessment.

Reference
You are implementing security controls to mitigate threats. Which of the following best describes the target you are treating? (Wentz QOTD)
A. Uncertainty, likelihood, or probability
B. Effect, consequence, or impact
C. Residual risk
D. Risk exposure