Summary Questions on Risk Management

Questions are randomized per student, and you will only receive correct/incorrect feedback for them. In Problem 1, each question has exactly one correct option.

In Problem 2, each student will get at least one correct option, usually more. Problem 2 is accepted when the score is 12 or higher, and points are shown with a yellow background. Unfortunately, Plussa gives “incorrect” feedback for partially correct answers. However, Problem 2 is considered passed if the score is 12 or more. From the score alone, you cannot directly infer whether an individual choice was correct or not. Points start accumulating only after more than half of the choices in the problem are correct.

Question 1

A cyber risk management system includes risk assessment, which in turn includes mapping what is valuable. Which of the following best falls within this task in a company? Its

investments in maintaining employee work ability.

assets and liabilities.

intangible assets.

replacement value of production and office equipment.

Question 2

What kinds of security mechanisms can be left out of a risk analysis?

Mechanisms that do not mitigate threats targeting the system under review.

Handling mechanisms is not part of risk analysis.

Those that solve the same problem as mechanisms already considered in the analysis.

Mechanisms that do not yet exist in the target system.

Question 3

Which of the following does not need to be considered in a risk analysis?

how difficult or costly it would be for an attacker to realize certain threats.

how much competitor companies invest in information security.

the impact of security breaches on the company’s reputation or public image.

the company’s information assets and their value.

Question 4

Compared to a previous assessment, overall risk decreases if, for a given risk, the

value of the asset is determined to be smaller than before.

likelihood of the threat is set in the calculations to be smaller than it really is.

value of the asset is entered in the calculations as greater than it really is.

existence of a security mechanism is ignored in the calculations.

Question 5

Risk analysis is mainly done so that

the vulnerabilities lurking in the system to be protected would be known.

all factors threatening the system would be known.

everything worth protecting in the system under review would be mapped.

one would gain an understanding of which security mechanisms should be adopted.

Question 6

Residual risk is a risk management concept that…

…means an approximate estimate of what risks remain after they have been treated.

…corresponds to measurement error in exact sciences.

…defines the risks that can be safely accepted.

…sets the starting point for risk assessment.

Question 7

Why is a broad perspective on risk management needed to ensure business continuity?

It is important to consider risks broadly to ensure that all threats are detected.

Because business continuity relies mainly on incident handling and cannot be achieved by a one-off risk analysis and treatment.

Because a rapid response to cyber attacks practically requires 360-degree monitoring.

Because, for example, supply chains are often critical to business even though they are partly located ’outside’ the company.

Question 8

Which of the following combinations best covers what is meant by risk?

Threat & vulnerability

Threat & security breach

Vulnerability & attack

Vulnerability & insufficient protection

Question 9

Liisa has been tasked with implementing multiple safeguards for the company’s email system, some even overlapping. This indicates that the company’s approach to email security risks is

mitigation.

acceptance.

transfer.

avoidance.

Select the correct statements. You may select one or more options.

Question 1

Risk types (such as complex and ambiguous risks) are classified according to how well the likelihood can be determined and how much consensus there is on how to handle the risk.

Regular risks are those whose likelihood is well known and that occur at fairly regular intervals.

Concern assessment that complements risk assessment deals mostly with employee and customer satisfaction and trust in the company.

If Hipster Inc. needs to restore the data of its on‑premises network server from a backup, it should use component‑driven risk management.

If Hipster Inc. is planning, together with its ISP, to secure servers to be placed in new offices, it should apply a system‑driven risk management method.

In risk analysis, likelihood is associated more with the realization of a threat than with a vulnerability, and likelihood is not very useful without also considering possible impact.

It is possible that a risk analysis finds a vulnerability that is not a threat, or a threat that is not a vulnerability.

The goal of risk management standards is to automate the selection of the most suitable security mechanisms.

For defining the security requirements of an information system that is only being planned, neither component‑driven nor system‑driven risk management is suitable; instead, one must apply a security standard specific to that system.

Unlike risk assessment and management, ensuring business continuity is not cyclical but a linear process.

Incident handling is closely related to risk management.

Posting submission...