CompTIA Security+ (SY0-601): Risk Assessments

Information Technology · 17 cards · Created about 2 months ago

This section highlights key strategies in managing risk, such as transferring, accepting, and assessing residual risk. It also explains the difference between qualitative (experience-based) and quantitative (number-driven) risk analysis approaches used to evaluate and address potential threats.

Key Terms

Term
Definition

Risk Transfer

A strategy that passes the risk to a third party

Risk Acceptance

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

Residual Risk

The risk remaining after trying to avoid, transfer, or mitigate the risk

Qualitative Risk

Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk

Experience is critical in qualitative analysis

Quantitative Risk

Quantitative analysis uses numerical and monetary values to calculate risk

Quantitative analysis can calculate a direct cost for each risk

SLE

Single Loss Expectancy:

Cost associated with the realization of each individualized threat that occurs

ARO & ALE

Annualized Rate of Occurrence:
Number of times per year that a threat is realized

Annualized Loss Expectancy:
Expected cost of a realized threat over a given year

Security Assessments: Active Assessments

Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities

Security Assessments: Passive Assessments

Utilize open source information, the passive collection and analysis of network data, and other unobtrusive methods without making direct contact with the targeted systems

Passive techniques are limited in the amount of detail they find

Security Controls

Physical Controls
Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it

Technical Controls
Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information

Administrative Controls
Focused on changing the behavior of people instead of removing the actual risk involved

Security Controls: NIST Categories

Management, Operational, & Technical Controls

Management Controls
Security controls that are focused on decision-making and the management of risk

Operational Controls
Focused on the things done by people

Technical Controls
Logical controls that are put into a system to help secure it

Preventative, Detective, & Corrective Controls

Preventative Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring

Detective Controls
Used during the event to find out whether something bad might be happening

Corrective Controls
Used after an event occurs

Compensating Control

Used whenever you can’t meet the requirement for a normal control
Residual risk not covered by a compensating control is an accepted risk

Types of Risks

External Risk
Risks that are produced by a non-human source and are beyond human control

Internal Risk
Risks that are formed within the organization, arise during normal operations, and are often forecastable

Legacy Systems
An old method, technology, computer system, or application program, including an outdated computer system that is still in use

Multiparty
A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks

IP Theft
Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs

Software Compliance/Licensing
Risk associated with a company not being aware of what software or components are installed within its network

Risk Register

Every project has a plan, but it also has risk
Identify and document the risk associated with each step of the project
Apply possible solutions and monitor the results

Risk Matrix/Heat Map

View results of risk assessment
Visually identify risk based on color
Combines likelihood of event with potential impact

Risk Appetite

Amount of risk an organization is willing to take