15 Risk Management
Mini Quiz Answers

Question 1: A financial institution estimates that a cyberattack on their online banking system has a 30% probability of occurring each year, and would cause approximately $5 million in damages including regulatory fines, customer compensation, and recovery costs. What risk assessment method are they most likely using?

Qualitative risk analysis

Quantitative risk analysis

Ad hoc risk assessment

Risk transference

Question 1 Explanation: Qualitative analysis uses opinions like "High" or "Low" instead of numbers.

Quantitative risk analysis uses numbers and financial values to calculate risk. In this example, the team uses a 30% probability and $5 million damage estimate to calculate expected loss.

Ad hoc assessment is informal and unstructured.

Risk transference is a response strategy, not an assessment method.

Question 2: A small business cannot afford sophisticated security tools but needs to prioritize which risks to address first. The owner rates risks as "High" if they could cause business closure, "Medium" if they cause operational disruption, and "Low" if they cause minor inconveniences. Which risk analysis approach is being used?

Quantitative risk analysis

Risk appetite determination

Qualitative risk analysis

Residual risk calculation

Question 2 Explanation: Quantitative analysis uses financial numbers and percentages, which are not in this question.

Risk appetite is the amount of risk a company is willing to accept, not the analysis method.

Qualitative risk analysis uses subjective (opinion-based) scales like High, Medium, and Low to rate risks. The owner uses these categories to prioritize risks based on business impact.

Residual risk is the risk that remains after security controls are applied.

Question 3: A company discovers that a legacy system has critical vulnerabilities that could expose employee data. Replacing the system would cost $500,000, but a data breach would only cost approximately $50,000 in fines. After reviewing the costs, management decides not to replace the legacy system. Which risk response strategy is being implemented?

Mitigation

Avoidance

Transference

Acceptance

Question 3 Explanation: Mitigation would reduce the risk through security controls.

Avoidance would eliminate the risk by stopping the activity.

Transference would shift the risk to insurance or a third party.

Risk acceptance means choosing to live with a risk because the cost to fix it is higher than the potential loss. Here, management accepts the $50,000 breach risk because a $500,000 replacement is too expensive.

Question 4: A company calculates that if their server is breached, the cost will be $2 million in fines. After implementing firewalls, encryption, and employee security training, they calculate that the potential for fines has now been reduced to $200,000. No further mitigations are possible. What is the best description of the $200,000 figure?

Inherent risk

Risk appetite

Residual risk

Return on Security Investment

Question 4 Explanation: Inherent risk is the original risk before any controls are used.

Risk appetite is how much risk the company is willing to accept.

Residual risk is the risk that remains after security controls are implemented. The company reduced risk from $2 million to $200,000 using firewalls, encryption, and training. This remaining $200,000 is the residual risk. Risk cannot be reduced to zero.

Return on Security Investment measures the financial benefits gained from security spending.

Question 5: A risk manager for a company conducts a Business Impact Analysis (BIA). They identify the following metrics for a critical server:

  • Mean Time Between Failures (MTBF) of 2,500 hours
  • Mean Time to Repair (MTTR) of 4 hours
  • Maximum Tolerable Downtime (MTD) of 24 hours
  • Recovery Time Objective (RTO) of 6 hours

What should the risk manager prioritize?

Improving the MTBF

Reducing the MTTR

Increasing the MTD

Extending the RTO

Question 5 Explanation: The MTBF (Mean Time Between Failures) is the average time a device runs before it fails. An MTBF of 2,500 hours is around 104 days, which is already good.

The risk manager should prioritize reducing the MTTR (Mean Time to Repair). An MTTR of 4 hours means that, on average, the server takes 4 hours to repair after it fails. This should be improved.

Maximum Tolerable Downtime (MTD) is the maximum duration a business process or system can be inoperable before causing irreversible, unacceptable damage to the organization. It represents the absolute "hard limit" for downtime. This is rarely something you would want to increase.

Recovery Time Objective (RTO) is the maximum acceptable duration of time that a business process, system, or application can be down following a disaster or incident before causing significant disruption. It answers "how quickly must we be back online?" RTO of 6 hours is shorter than the 24-hour MTD, so it is not the priority.

Question 6: A retail company is selecting a new cloud payment processor to handle millions of customer credit card transactions. Before signing the contract, the security team reviews the cloud company's financial stability, requests their ISO 27001 audit report, and verifies their PCI DSS compliance. What is this pre-contract investigation called?

Right to audit clause

Penetration testing

Vendor due diligence

Conflict of interest assessment

Question 6 Explanation: Right to audit is a contract clause allowing inspections of a vendor's networks and buildings.

Penetration testing is security testing, not vendor assessment.

Vendor due diligence is the pre-contract investigation of a vendor's security and financial stability. The security team reviews financial stability, ISO 27001 audit reports, and PCI DSS compliance before signing.

Conflict of interest assessment checks for biased relationships, like one executive who works for both companies.

Question 7: A technology startup is negotiating with a potential business partner to develop a new product. Before sharing their proprietary algorithms and trade secrets, they require the partner to sign a legal agreement promising not to disclose confidential information to third parties. What type of legal document should be used?

MOU

NDA

MSA

SOW

Question 7 Explanation: MOU (Memorandum of Understanding) is a non-binding note confirming that two companies plan to work together.

An NDA (Non-Disclosure Agreement) is the legal document that protects confidential information. It prevents the partner from sharing secrets with third parties.

MSA (Master Service Agreement) is a legal framework for future work, so the details do not need to be specified with every new task.

SOW (Statement of Work) describes specific project details for one project.

Question 8: A company spends $100,000 annually on a Security Operations Center (SOC) that prevents an estimated $600,000 in cyberattack damages each year. What metric should the Chief Financial Officer (CFO) use to demonstrate the value of the SOC to the company's shareholders?

Annualized Loss Expectancy

Risk appetite quantification

Return on Security Investment

Vendor due diligence assessment

Question 8 Explanation: Annualized Loss Expectancy calculates the expected financial loss from risks in one year.

Risk appetite quantification is not a standard phrase.

Return on Security Investment (ROSI) demonstrates the financial value of security spending. The CFO can show that a $100,000 SOC investment prevents $600,000 in damages, proving financial value to shareholders.

Vendor due diligence assessment evaluates risks in the supply chain.
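The numbers behind Questions 1, 3, 4 and 8 all come from the same quantitative model: expected annual loss (ALE = SLE × ARO), the residual ALE left after controls, and the return on the money spent on those controls. The following is an added worked example, not part of the quiz itself; the formulas are the standard quantitative risk definitions rather than text from the page, the `Risk` class and function names are constructed for this illustration, and the ARO values assumed for Questions 3 and 4 (one breach per year) and the treatment of the Question 3 replacement cost as an annual cost are assumptions made so the quiz figures can be compared on one scale.

```python
"""Added worked example: the quantitative figures behind Questions 1, 3, 4 and 8.

Formulas used (standard quantitative risk definitions, not quoted from the quiz):
  ALE  = SLE x ARO
  residual ALE = inherent ALE - the share of loss the controls remove
  ROSI = (loss avoided - annual control cost) / annual control cost
Dollar figures come from the quiz; names and ARO values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident, in dollars
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy, the number quantitative analysis ranks by."""
        return self.sle * self.aro


def residual_ale(inherent_ale: float, mitigation_ratio: float) -> float:
    """ALE remaining after controls that remove `mitigation_ratio` (0..1) of the loss.

    It only reaches zero when the ratio is 1.0, which real controls never achieve.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    return inherent_ale - inherent_ale * mitigation_ratio


def rosi(inherent_ale: float, residual: float, annual_control_cost: float) -> float:
    """Return on security investment as a ratio (5.0 means 500%)."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (inherent_ale - residual - annual_control_cost) / annual_control_cost


def recommend(risk: Risk, annual_control_cost: float, mitigation_ratio: float) -> str:
    """'mitigate' when the control pays for itself, 'accept' when it costs more than it saves."""
    before = risk.ale()
    after = residual_ale(before, mitigation_ratio)
    return "mitigate" if rosi(before, after, annual_control_cost) > 0 else "accept"


def rank_by_ale(register):
    """Order a risk register highest ALE first (the quantitative form of High/Medium/Low)."""
    return [r.name for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


# Constructed register built from the quiz figures.
REGISTER = [
    Risk("online banking attack (Q1)", sle=5_000_000, aro=0.30),
    Risk("legacy system breach (Q3)", sle=50_000, aro=1.0),    # ARO assumed: one breach per year
    Risk("server breach fines (Q4)", sle=2_000_000, aro=1.0),  # ARO assumed: one breach per year
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: ALE = ${r.ale():,.0f}")
    print("priority order:", rank_by_ale(REGISTER))
    # Q4: controls cut $2M to $200K, i.e. they remove 90% of the loss
    print("residual ALE (Q4):", residual_ale(2_000_000, 0.90))
    # Q8: the SOC avoids $600K a year and costs $100K a year
    print("ROSI (Q8):", rosi(600_000, 0, 100_000))
    # Q3: $500K replacement (treated as an annual cost, an assumption) vs a $50K loss
    print("Q3 decision:", recommend(REGISTER[1], annual_control_cost=500_000, mitigation_ratio=1.0))
```

Running it prints an ALE of $1,500,000 for the Question 1 scenario, a residual ALE of $200,000 for Question 4, a ROSI of 5.0 (500%) for the Question 8 SOC, and "accept" for Question 3, where the control costs ten times the loss it would avoid.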

Question 9: A large healthcare organization is considering a partnership with a medical software provider. The organization wants to document the expectations for the medical software provider, and the penalties if the medical software provider does not achieve those expectations. Which document should be used?

SLA

SOW

MOU

BPA

Question 9 Explanation: SLA (Service Level Agreement) documents performance expectations and penalties. It defines targets, response times, and penalties if the medical software provider fails to meet them.

SOW (Statement of Work) describes project scope and deliverables.

MOU (Memorandum of Understanding) is a non-binding agreement stating that two companies want to work together.

BPA (Business Partnership Agreement) defines general partnership terms.

Question 10: An organization hires an external security firm to conduct penetration testing of their network. The contract includes a detailed document specifying which IP addresses can be tested, what testing methods are prohibited, and that testing must occur only during business hours to avoid disrupting operations. What is this scope-defining document called?

SLA

MOU

ROE

BPA

Question 10 Explanation: ROE (Rules of Engagement) defines the scope for penetration testing. It specifies which IP addresses can be tested, prohibited testing methods, and allowed testing hours to avoid disruption.