
Chapter 17: Risk Management and Privacy
Authored by Fhaa Lossx
Computers
University
20 questions
1.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Jen identified a missing patch on a Windows server that might allow an attacker to gain remote control of the system. After consulting with her manager, she applied the patch. From a risk management perspective, what has she done?
A. Removed the threat
B. Reduced the threat
C. Removed the vulnerability
D. Reduced the vulnerability
Answer explanation
Key Phrase: "missing patch"
Explanation:
Correct Answer (C): By applying the patch, Jen has removed the vulnerability that could have been exploited by an attacker, thus reducing the risk.
Why others are wrong:
A: The threat (attacker) still exists, and Jen cannot directly remove the threat.
B: She hasn’t reduced the threat; she’s removed the vulnerability that made the threat possible.
D: The patch does not merely reduce the vulnerability; it removes it, so "removed" is the proper term rather than "reduced."
2.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
You notice a high number of SQL injection attacks against a web application run by your organization, so you install a web application firewall to block many of these attacks before they reach the server. How have you altered the severity of this risk?
A. Reduced the magnitude
B. Eliminated the vulnerability
C. Reduced the probability
D. Eliminated the threat
Answer explanation
Key Phrase: "install web application firewall"
Explanation:
Correct Answer (C): Installing a web application firewall reduces the probability of a successful SQL injection attack, though it does not eliminate the vulnerability or threat.
Why others are wrong:
A: The magnitude is not necessarily reduced; the firewall only blocks attacks.
B: The vulnerability still exists; only the likelihood is reduced.
D: The threat (attackers) still exists; it has not been eliminated.
3.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Aziz is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm’s customers. He expects that a compromise of that database would result in $500,000 of fines against his firm. Aziz is assessing the risk of a SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. What is the asset value (AV)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer explanation
Key Phrase: "compromise of database"
Explanation:
Correct Answer (C): The asset value (AV) is the cost that would result from the compromise of the customer database, which includes the potential fines of $500,000.
Why others are wrong:
A: $5,000 is not the value at risk.
B: $100,000 is the daily revenue, not the value of the asset at risk.
D: $600,000 includes revenue, but it’s the fines from the database breach that matter here.
4.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Using the scenario from question 3, what is the exposure factor (EF)?
A. 5%
B. 20%
C. 50%
D. 100%
Answer explanation
Key Phrase: "exposure factor of the database"
Explanation:
Correct Answer (D): The exposure factor (EF) is 100% because the entire asset (the customer database) would be lost in the event of a breach.
Why others are wrong:
A: 5% would indicate minimal loss, which isn’t the case here.
B: 20% is too low; it’s not a partial loss.
C: 50% would imply only partial loss, but a breach of the database results in full exposure.
5.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Using the scenario from question 3, what is the single loss expectancy (SLE)?
A. $5,000
B. $100,000
C. $500,000
D. $600,000
Answer explanation
Key Phrase: "single loss expectancy"
Explanation:
Correct Answer (C): The single loss expectancy (SLE) is calculated as the asset value (AV) multiplied by the exposure factor (EF). Here, AV = $500,000 and EF = 100%, so SLE = $500,000.
Why others are wrong:
A: $5,000 is too low for the potential loss.
B: $100,000 is the daily revenue, not the value of the asset at risk.
D: $600,000 isn’t the correct calculation for SLE.
6.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Using the scenario from question 3, what is the annualized rate of occurrence (ARO)?
A. 0.05
B. 0.20
C. 2.00
D. 5.00
Answer explanation
Key Phrase: "5 percent chance of attack per year"
Explanation:
Correct Answer (A): The annualized rate of occurrence (ARO) is the likelihood of an event happening per year. A 5% chance per year is expressed as 0.05.
Why others are wrong:
B: 0.20 represents a 20% chance, which is not the case here.
C: 2.00 would indicate a very high probability.
D: 5.00 would imply a 500% chance, which is not correct.
7.
MULTIPLE CHOICE QUESTION
15 mins • 1 pt
Using the scenario from question 3, what is the annualized loss expectancy (ALE)?
A. $5,000
B. $25,000
C. $100,000
D. $500,000
Answer explanation
Key Phrase: "annualized loss expectancy"
Explanation:
Correct Answer (B): ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). In this case, SLE = $500,000 and ARO = 0.05, so ALE = $500,000 * 0.05 = $25,000.
Why others are wrong:
A: $5,000 is too low for the ALE.
C: $100,000 is not the correct calculation for ALE.
D: $500,000 is the SLE, not the ALE.