IT-Risk-Fundamentals Free Sample Questions

ISACA IT Risk Fundamentals Certificate Practice Test
10 of 208 questions
Q1

A global logistics company is analyzing the financial impact of a potential data breach in its primary shipping database. The asset value (AV) of the database is estimated at $5,000,000. Historical data from similar incidents suggest a 20% loss of asset value if a breach occurs (an Exposure Factor, EF, of 0.20). Based on threat intelligence, an attack of this nature is expected to succeed once every four years. What is the Annualized Loss Expectancy (ALE) for this scenario?

Q2

A risk analyst at a manufacturing firm is preparing a report for senior management. The analyst has identified that a critical control system for the assembly line has no failover capability, making it a single point of failure. Which of the following is the MOST appropriate way to document this in the risk register?

Q3 (Multiple answers)

A financial services firm is implementing a continuous monitoring program for its IT risks. The CISO wants to create Key Risk Indicators (KRIs) to provide early warnings of increasing risk levels. Which TWO of the following would be the MOST effective KRIs for monitoring the risk of unauthorized access to sensitive client data? (Select TWO)

Q4

A non-profit organization relies on a third-party cloud provider for all its donor management and financial systems. A risk assessment identifies a significant risk of service unavailability due to a potential provider outage. The organization has a very limited budget and cannot afford to switch providers or implement a multi-cloud strategy. What is the MOST appropriate risk response strategy in this situation?

Q5

True or False: In a qualitative risk assessment, a risk with a 'High' impact and a 'Low' probability should always be prioritized for treatment over a risk with a 'Medium' impact and a 'High' probability.

Q6

An internal audit of a regional bank reveals that business unit managers are frequently accepting high-level IT risks without consulting the central risk management function or senior leadership. This has led to several operational issues. This situation indicates a primary failure in which of the following?

Q7

The 'three lines of defense' model is a fundamental concept in risk governance. Which of the following correctly maps the roles to their respective lines of defense?

```mermaid
graph TD
    subgraph First_Line [First Line]
        A[Business Operations]
        B[Front-line Staff]
    end
    subgraph Second_Line [Second Line]
        C[Risk Management Function]
        D[Compliance Department]
    end
    subgraph Third_Line [Third Line]
        E[Internal Audit]
    end
    First_Line --> Second_Line
    Second_Line --> Third_Line
```

Q8

**Case Study**

A mid-sized e-commerce company, 'Urban Threads', is planning a major migration of its customer relationship management (CRM) and inventory systems from an on-premises data center to a public cloud provider. The company's risk management team has been tasked with identifying and assessing the risks associated with this migration. The primary business objective is to enhance scalability and reduce operational overhead, but the board is highly concerned about data security and potential business disruption during the transition. The project team is composed of internal IT staff with limited cloud experience and an external consulting firm specializing in cloud migrations. The timeline for the migration is aggressive, set at three months to align with the launch of a new product line. Early analysis shows that the current on-premises systems have several undocumented dependencies and custom configurations.

Which risk assessment finding should be of the HIGHEST priority to the board of directors?

Q9

A risk manager is using a 5x5 risk matrix (with axes for Likelihood and Impact) to assess risks. Risk A is rated as Likelihood=2, Impact=5. Risk B is rated as Likelihood=4, Impact=3. Assuming the risk score is calculated by multiplying the ratings (Score = Likelihood x Impact), which statement is correct?
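The two calculation rules these questions rely on, worked through in code for both Q1 (quantitative) and Q9 (qualitative). This is an added example, not part of the ISACA practice test or its answer key. It assumes the standard textbook definitions SLE = AV × EF, ARO = 1 / (years between successful events) and ALE = SLE × ARO for Q1, and the Score = Likelihood × Impact rule that Q9 itself states; the function and class names are my own. It goes slightly beyond the questions by validating inputs and by surfacing ties, which is where a pure score rule stops helping and the judgement Q5 asks about begins.

```python
"""Worked example (added, not from the practice test): quantitative ALE
and qualitative matrix scoring with the figures Q1 and Q9 supply."""
from dataclasses import dataclass
from typing import List, Sequence


# ---- Quantitative: Q1 -------------------------------------------------

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of asset value lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(years_between_events: float) -> float:
    """ARO = expected successful events per year.
    'Once every four years' is an ARO of 0.25; 'twice a year' is 2.0."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               years_between_events: float) -> float:
    """ALE = SLE * ARO; the annual budget figure a control is weighed against."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = annualized_rate_of_occurrence(years_between_events)
    return sle * aro


# ---- Qualitative: Q9 (and the tie case behind Q5) ----------------------

@dataclass(frozen=True)
class MatrixRisk:
    name: str
    likelihood: int  # 1..size
    impact: int      # 1..size


def matrix_score(risk: MatrixRisk, size: int = 5) -> int:
    """Score = Likelihood * Impact on an N x N matrix (Q9 states this rule)."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= size:
            raise ValueError(f"{label} {value} outside 1..{size}")
    return risk.likelihood * risk.impact


def rank_by_score(risks: Sequence[MatrixRisk], size: int = 5) -> List[MatrixRisk]:
    """Highest score first. The sort is stable, so equal scores keep their
    input order: a tie is a prompt for judgement, not a ranking."""
    return sorted(risks, key=lambda r: matrix_score(r, size), reverse=True)


def tied_at_top(risks: Sequence[MatrixRisk], size: int = 5) -> List[str]:
    """Names of every risk sharing the highest score; a multiplicative rule
    cannot distinguish, e.g., likelihood 2 / impact 5 from 5 / 2."""
    ranked = rank_by_score(risks, size)
    if not ranked:
        return []
    top = matrix_score(ranked[0], size)
    return [r.name for r in ranked if matrix_score(r, size) == top]


if __name__ == "__main__":
    # Q1 figures: AV $5,000,000, EF 0.20, one success every four years.
    print("ALE:", annualized_loss_expectancy(5_000_000, 0.20, 4))
    # Q9 figures: A = (2, 5), B = (4, 3). Scores are 10 and 12.
    a, b = MatrixRisk("A", 2, 5), MatrixRisk("B", 4, 3)
    print([(r.name, matrix_score(r)) for r in rank_by_score([a, b])])
    # A High-impact / Low-likelihood risk can score below a Medium / High one,
    # which is the situation Q5's 'always' is probing.
    print(matrix_score(MatrixRisk("high/low", 1, 5)),
          matrix_score(MatrixRisk("medium/high", 5, 3)))
```

Note that the score only orders risks; it says nothing about appetite. A 5-impact risk with score 10 may still warrant treatment before a score-12 risk if the organization treats any 5-impact outcome as intolerable, which is why a matrix is normally paired with an explicit appetite statement rather than used as the sole ranking.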

Q10

A telecom company has decided it will no longer offer services in a high-risk geopolitical region to eliminate all associated cybersecurity and compliance risks. This is an example of which risk response strategy?