7.5: Assessment
True/False
Indicate whether the statement is true or false.
____ 1. A risk assessment that uses descriptive terminology, such as “high,” “medium,” and “low,” is called a quantitative risk assessment.
Multiple Choice
Identify the choice that best completes the statement or answers the question.
____ 2. In which phase of the Critical Infrastructure Risk Management Framework is the goal to identify, detect, disrupt, and prepare for hazards and threats; reduce vulnerabilities; and mitigate consequences?
a. Assess and analyze risk
b. Establish program goals
c. Implement risk management activities
d. Identify assets
____ 3. _________________ is a computerized, open-source risk assessment tool that consists of UML-based packages.
a. OCTAVE
b. CORAS
c. CSET
d. SNORT
____ 4. _________________ was developed by Carnegie Mellon as a suite of tools, techniques, and methods for risk-based information security assessment and planning; it utilizes event/fault trees.
a. OCTAVE
b. CORAS
c. CSET
d. SNORT
Completion
Complete the sentence.
5. ___________________________________________________________ refers to the logistics associated with obtaining needed components.
Short Answer
6. Discuss the impact that an industry’s regulatory environment might have on risk assessment. Provide an example of a regulation in a sector that would have to be security tested.
For the answers to these questions, email your name, the name of your college or other institution, and your position there to info@cyberwatchwest.org. CyberWatch West will email you a copy of the answer key.