1. Key Terms & Concepts
    1. Risk:
      1. The possibility that a malicious attack or other threat causes damage to, or downtime of, a computer system.
      2. Risk Management:
        1. The identification, assessment, and prioritization of risks, and the mitigating and monitoring of those risks.
        2. Information Assurance (IA):
          1. Risk management as applied specifically to information systems: the computer hardware and software, and the data they process.
    2. Organizations usually employ one (or more) of four general strategies when managing a known risk:
      1. Risk Transference (Risk Sharing)
        1. The transfer or outsourcing of risk to a third party, for example by buying insurance or by outsourcing the function that carries the risk.
      2. Risk Avoidance
        1. When an organization stops or declines the activity that creates the risk because the risk is too great.
      3. Risk Reduction
        1. When an organization applies controls to bring the risk down to an acceptable level.
      4. Risk Acceptance
        1. When an organization knowingly retains a risk (typically because the cost of mitigating it exceeds the expected loss) and absorbs any loss that results. Also known as risk retention.
    3. Residual Risk:
      1. The risk that remains after the controls in a security plan and a disaster recovery plan have been implemented.
    4. Generally, risk assessment follows this four-step order:
      1. Identify the organization's assets.
      2. Identify vulnerabilities to those assets.
      3. Identify threats to assets, and the likelihood of those threats.
      4. Qualitatively and/or quantitatively assess the impact of the identified threats and vulnerabilities on the organization. Then develop a security policy that spends your limited resources on securing the most important assets first.
        1. Qualitative Risk Assessment:
          1. An assessment that rates the probability of a risk and the impact it can have on the system or network on a relative scale (for example 1 to 5, or low/medium/high) rather than in monetary terms.
        2. Quantitative Risk Assessment:
          1. An assessment that measures risk in monetary values (expected dollar loss per incident and per year).
    5. Risk Register:
      1. Also known as a risk log.
      2. A document listing each identified risk with its owner, likelihood, impact, chosen response and current status; used to track risks and address problems as they occur.
    6. Risk Mitigation:
      1. When a risk is reduced or eliminated altogether.
  2. Qualitative Risk Assessment
  3. Quantitative Risk Assessment
    1. The three values used when calculating the quantitative risk to an asset:
      1. Single Loss Expectancy (SLE):
        1. The dollar loss of value caused by a single incident to an asset. Commonly computed as SLE = Asset Value (AV) × Exposure Factor (EF), where EF is the fraction of the asset's value lost in that one incident.
      2. Annualized Rate of Occurrence (ARO):
        1. The expected number of times per year that the specific incident occurs (an incident expected once every 10 years has an ARO of 0.1).
        2. Mean Time Between Failures (MTBF):
          1. The average (expected) operating time between failures of a repairable device, usually given in hours; it is the reciprocal of the device's failure rate. An MTBF of 1,000,000 hours means one failure is expected per million device-hours, not that any one device runs for a million hours.
          2. Related reliability terms:
            1. Failure in Time (FIT):
              1. The number of failures expected per billion (10^9) device-hours, so MTBF (in hours) = 10^9 / FIT. A 1,000 FIT part has an MTBF of 1,000,000 hours.
            2. Mean Time to Repair (MTTR):
              1. The average time needed to repair a failed device and return it to service.
            3. Mean Time to Failure (MTTF):
              1. A basic measure of reliability for devices that cannot be repaired once they break: the average time such a device operates before it fails.
          3. MTBF can be converted into an ARO for the assessment: with N identical units running 24x7, the expected number of failures per year is approximately N × 8,760 / MTBF.
          4. All of these values should be considered when creating a Disaster Recovery (DR) plan.
      3. Annualized Loss Expectancy (ALE):
        1. The expected total annual dollar loss to an asset because of a specific type of incident.
        2. Calculated as:
          1. ALE = SLE × ARO
        3. Used to justify controls: a control is cost-effective when its annual cost is less than the reduction in ALE it produces.
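The quantitative assessment above, and the risk register it feeds, worked through in code as an added example (not part of the original notes): SLE from asset value and exposure factor, ARO for hardware failure derived from an MTBF/FIT rating, ALE per register entry, ranking by ALE, and a cost/benefit check for a proposed control. All asset values, exposure factors, rates and control costs are constructed figures, and the `RiskEntry` register layout is an assumption for illustration.

```python
"""Quantitative risk assessment worked through in code: SLE = AV x EF,
ALE = SLE x ARO, an ARO for hardware failure derived from MTBF/FIT, and a
cost/benefit test for a proposed control. All asset values, exposure
factors, rates and costs below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Optional

HOURS_PER_YEAR = 24 * 365  # 8,760 hours of 24x7 operation


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def fit_to_mtbf_hours(fit: float) -> float:
    """FIT is failures per 1e9 device-hours, so MTBF in hours = 1e9 / FIT."""
    if fit <= 0:
        raise ValueError("FIT must be positive")
    return 1e9 / fit


def aro_from_mtbf(mtbf_hours: float, unit_count: int = 1) -> float:
    """Expected failures per year across `unit_count` identical units running 24x7,
    assuming a constant failure rate: ARO = units x 8760 / MTBF."""
    if mtbf_hours <= 0 or unit_count < 1:
        raise ValueError("MTBF must be positive and unit_count at least 1")
    return unit_count * HOURS_PER_YEAR / mtbf_hours


@dataclass(frozen=True)
class RiskEntry:
    """One row of a quantitative risk register (assumed layout)."""
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)


def control_net_benefit(risk: RiskEntry, annual_control_cost: float,
                        new_exposure_factor: Optional[float] = None,
                        new_aro: Optional[float] = None) -> float:
    """Annual value of a control = (ALE before - ALE after) - annual cost of the control.
    Positive means the control pays for itself; negative means retaining (accepting)
    the risk is cheaper than buying this particular control."""
    after = replace(
        risk,
        exposure_factor=risk.exposure_factor if new_exposure_factor is None else new_exposure_factor,
        aro=risk.aro if new_aro is None else new_aro,
    )
    return (risk.ale - after.ale) - annual_control_cost


def rank_by_ale(register: list) -> list:
    """Highest ALE first: the order in which a limited budget should be spent."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def example_register() -> list:
    """Constructed register. The disk ARO comes from a 1,000 FIT drive rating
    (MTBF 1,000,000 h) across 24 drives; the other AROs are assumed estimates."""
    drive_mtbf = fit_to_mtbf_hours(1_000.0)
    return [
        RiskEntry("file server", "disk failure (24 drives)", 50_000, 0.10,
                  aro_from_mtbf(drive_mtbf, unit_count=24)),
        RiskEntry("customer web app", "data breach via injection", 2_000_000, 0.25, 0.10),
        RiskEntry("office building", "fire", 800_000, 0.90, 0.02),
    ]


if __name__ == "__main__":
    for r in rank_by_ale(example_register()):
        print(f"{r.asset:18} {r.threat:28} SLE={r.sle:>12,.2f}  ARO={r.aro:.4f}  ALE={r.ale:>10,.2f}")
    breach = example_register()[1]
    # Assumed control: a WAF plus code review that cuts the breach ARO from 0.10
    # to 0.02 at a cost of 20,000 per year.
    print("net benefit of breach control:", control_net_benefit(breach, 20_000, new_aro=0.02))
```

Running the script ranks the web-app breach (ALE 50,000) above the fire (ALE 14,400) and the disk failures (ALE about 1,051), even though a single fire would be the costliest event: ALE, not SLE, is what decides where the budget goes. The `control_net_benefit` call shows the assumed 20,000-per-year control returning a net 20,000 per year, so it is worth buying; a control costing more than the 40,000 ALE reduction would make acceptance the cheaper option.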