PrepAway - Latest Free Exam Questions & Answers

Which one of the following risk analysis terms characterizes the absence or weakness of a risk-reducing safeguard?

A. Threat

B. Probability

C. Vulnerability

D. Loss expectancy

Explanation:
A weakness in system security procedures, system design, implementation, internal controls, and so on that could be exploited to violate system security policy. - Ronald Krutz, The CISSP PREP Guide (gold edition), pg 927

3 Comments on “Which one of the following risk analysis terms characterizes the absence or weakness of a riskreducing safegau

  1. Jan says:

    Safeguard — This term represents a risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats. Safeguards are also often described as controls or countermeasures.

    Wouldn’t the answer be a. threat?




  2. Barry says:

    I believe the question is coming from an angle of the exposure. Once exposed, it shows weakness (vulnerability) of the safeguard.

    Vulnerability – The term “vulnerability” refers to the security flaws in a system that allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis by the parties responsible for resolving such vulnerabilities, and helps to provide data used to identify unexpected dangers to security that need to be addressed. Such vulnerabilities are not particular to technology — they can also apply to social factors such as individual authentication and authorization policies.

    Threat – The term “threat” refers to the source and means of a particular type of attack. A threat assessment is performed to determine the best approaches to securing a system against a particular threat, or class of threat. Penetration testing exercises are substantially focused on assessing threat profiles, to help one develop effective countermeasures against the types of attacks represented by a given threat. Where risk assessments focus more on analyzing the potential and tendency of one’s resources to fall prey to various attacks, threat assessments focus more on analyzing the attacker’s resources.




