Enterprise Risk Management is the only course I’m taking this third semester at UIS Risk Analysis (Governance track) with a written exam. The course literature consists of ERM fundamentals and information security. Below is an exam summary of the course literature in flashcards.
Flashcards
ERM Fundamentals
Chapter 2: Risk Terminology
Flashcard 1:
- Question: What is the modern definition of risk in risk science?
- Answer: Risk is the consequences of an activity and the associated uncertainties (C, U), often involving something of human value.
Flashcard 2:
- Question: What does ERM stand for, and what is its focus?
- Answer: ERM stands for Enterprise Risk Management. It focuses on managing risks related to an organization’s principal objectives and balancing risks and opportunities.
Flashcard 3:
- Question: What are the three main categories of enterprise risk?
- Answer: The three main categories are financial risk, strategic risk, and operational risk.
Chapter 3: Risk Characterization and Management
Flashcard 4:
- Question: What is the Risk Characterization Framework?
- Answer: Risk is characterized by Risk Sources (RS’), Activities (A’), Consequences (C’), and Knowledge (K), with the Uncertainty (Q) measured through Probability (P), Strength of Knowledge (SoK), and supporting Knowledge (K).
Flashcard 5:
- Question: What is a Black Swan event?
- Answer: A Black Swan event is an extreme, surprising event that is not predictable based on existing knowledge. Examples include unknown unknowns, unknown knowns, and known but neglected risks.
Flashcard 6:
- Question: What is the importance of SoK (Strength of Knowledge) in risk assessment?
- Answer: SoK is crucial because it assesses the strength of the knowledge supporting risk estimations. Poor knowledge can lead to surprises, even if the probability seems low.
Chapter 4: Risk-Based Strategies
Flashcard 7:
- Question: What are the three main risk-related decision-making strategies?
- Answer: The three strategies are:
- Risk-Based Requirement Strategy (used when knowledge is strong),
- Risk Assessment Strategy (used with moderate knowledge), and
- Cautionary/Resilience Strategy (used when knowledge is weak).
Flashcard 8:
- Question: When is a Risk-Based Requirement Strategy most appropriate?
- Answer: It is used when there is strong general and specific knowledge, and the activity is well understood, with little uncertainty.
Chapter 5: Risk Management Tools
Flashcard 9:
- Question: What are the most common tools used to present risk?
- Answer: The most common tools are the Risk Matrix and Bayesian Networks, though the latter is more complex and resource-intensive.
Flashcard 10:
- Question: How is a risk matrix improved by incorporating knowledge aspects?
- Answer: By incorporating the strength of knowledge (SoK) into the matrix, using colour codes to reflect confidence in estimating probability and consequences, and categorising risks based on tolerability.
Chapter 6: Enterprise Risk and Black Swans
Flashcard 11:
- Question: What are the categories of Black Swan events?
- Answer: The categories include unknown unknowns (completely unforeseeable), unknown knowns (known by some but not others), and known but judged unlikely events.
Flashcard 12:
- Question: What is the role of High-Reliability Organizations (HROs) in managing Black Swans?
- Answer: HROs manage Black Swans by maintaining resilience, vigilance, and collective mindfulness, continuously learning from failures and building redundancies.
Information Security
NSM guidelines
Flashcard 13:
Which four categories are the NSM ICT Security Principles grouped into?
- Identify – acquire and maintain an understanding of the organisation, including its management structures, management priorities, deliverables, ICT systems and users. This will ensure efficient implementation of the principles of the three other categories. The aim is to understand the organisation’s deliverables and services, determine which technological resources need to be protected, and identify roles and users at the organisation. This will allow the organisation to focus and prioritise the security measures in line with business needs and risk management strategy. The category also focuses on establishing processes to maintain this knowledge over time.
- Protect and maintain – ensure appropriate protection of the ICT system and maintain security state over time and during changes. This category contains principles for establishing a secure state for the ICT system in order to withstand or limit damage from a cyberattack. This includes how the ICT system is planned, procured, built, configured and maintained.
- Detect – detect and remove known vulnerabilities and threats, and establish security monitoring. The principles in this category focus on detecting and removing known vulnerabilities and threats by performing vulnerability assessments and monitoring the ICT system. The category also addresses how to detect irregularities in the desired, secure state by analysing data from the security monitoring.
- Respond and recover – respond to security incidents effectively. The aim of these principles is to establish activities to respond to incidents. This means preparing for, assessing, controlling and responding to incidents, returning to a desired state, and improving security based on the experiences gained from the incident response. (Norwegian National Security Authority 2024, page 5)
Guest lecture Information security 1 SOPRASTERIA
Flashcard 14:
What is the CIA-Triad?
The three principles of information security: 1. Confidentiality 2. Availability 3. Integrity.
Flashcard 15:
How do we work with an information risk assessment?
- Understanding the threat landscape specific to the organisation we are working for
- Identify, prioritise, document, and report risks
- Train and educate the organisation’s employees
- Support during risk assessments
Flashcard 16:
Which four threats do the national security authorities emphasise as having the potential to cause challenges in the coming year?
- Insider trading
- Foreign Intelligence
- Complex supply chains
- Social manipulation
In my opinion, these last two are vulnerabilities, not threats, but hey, I don’t make the syllabus.
Flashcard 17:
What is a value assessment?
• Identify relevant values and interests that must be protected.
• What shall be protected (value) can be decided by law, regulation, or organisation.
• Which values shall be protected provides input on which consequence types must be assessed.
Guest lecture Information security lecture 2
Flashcard 18:
What is Cyber Security?
Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. The goal is to safeguard data, maintain system integrity and ensure business continuity.
Flashcard 19:
Why does cybersecurity matter?
Rising cyber threats: The frequency and sophistication of cyber attacks have been increasing.
Financial and operational impact: Financial loss, business disruptions, damage to reputation.
Legal and Regulatory: Government and industry regulations impose cybersecurity regulations.
Flashcard 20:
What is social engineering?
A way to trick people into sharing private information or doing something that puts security at risk, often by playing on trust or emotions.
Flashcard 21:
What is ransomware?
Malicious software that encrypts company data.
Flashcard 22:
What is a supply chain attack?
A cyberattack targeting weaknesses in a supplier’s system to infiltrate a larger organisation’s network.
Flashcard 23:
What is a cyber weapon?
Malware designed for targeted attacks with a specific malicious intent.
Flashcard 24:
What are the four main actors in the Cybersecurity Landscape?
• Hackers: Black-hat, White-hat, and Grey-hat hackers.
• Cybercriminals and Organized Crime: Financially motivated attackers.
• Nation-State Actors: State-sponsored groups focusing on espionage and sabotage.
• Hacktivists: Groups driven by social or political motivations.
Flashcard 25:
What is an attack Vector?
An attack vector refers to the method or pathway that a malicious actor uses to gain unauthorized access to a system.
Flashcard 26:
Cybersecurity in Enterprise Risk Management (ERM); What are the four cyber Risk Categories?
• Operational Risks: Disruption of business processes or services.
• Financial Risks: Losses due to breaches, fraud, or regulatory fines.
• Reputational Risks: Damage to brand and customer trust.
• Compliance Risks: Failure to meet regulatory or legal obligations.
Flashcard 27:
4 Steps in a Cybersecurity Risk Assessment:
1. Identify Critical Assets and Information
2. Identify Potential Threats and
Vulnerabilities
3. Evaluate Impact and Likelihood
4. Prioritize and Document Risks
Flashcard 28:
5 Key Cybersecurity Metrics to Track:
• No. of incidents
• Mean Time to Detect
• Patch Management Metrics
• Training Metrics
• Audit Results
Previous exam questions
Flashcard 29:
Previous exam question: Define “Risk” and “Enterprise risk” in terms of overall qualitative definitions (10%)
There are many definitions of risk. Some of the most common are:
- Risk is the consequences of a future activity and associated uncertainties, based on something humans value.
- Risk is a deviation from a reference value and associated uncertainties.
- Risk is the consequences of a future activity and associated uncertainties.
Enterprise risk can be understood as risk associated with an enterprise whose consequences are related to its principal objectives or the overall performance judged as important by the organisation.
Flashcard 30:
Previous exam question: A risk analyst has assigned the probability for an event A as P(A|K) = 0,2 in a risk assessment. Argue why this assignment should be supplemented with strength of knowledge (SoK) judgements. (10%)
Assigning a probability such as P(A|K) = 0.2 assumes that the likelihood of event A occurring is based on the analyst’s background knowledge (K). However, probability alone does not convey the reliability or robustness of the knowledge used in the assessment. This is where strength of knowledge (SoK) judgments play a critical role.
- Evaluating the Reliability of the Probability:
- SoK indicates whether the background knowledge (K) is strong, sufficient, or weak. For instance, if the probability is based on extensive data and well-established models, the SoK would be strong. Conversely, if the assessment is based on limited, subjective, or outdated information, the SoK would be weak.
- Without SoK, the user of the risk assessment cannot gauge whether the assigned probability is robust or prone to significant uncertainty.
- Addressing Uncertainties:
- Probability assignments often involve inherent uncertainties. These could arise from incomplete data, unknown factors, or subjective interpretations. SoK judgments help identify and qualify these uncertainties, providing a clearer picture of the confidence level in the probability estimate.
- Improving Decision-Making:
- Risk assessments inform critical decisions. By supplementing probabilities with SoK, decision-makers can better understand the limitations and strengths of the risk evaluation. For example, a decision based on a probability with weak SoK might require additional caution or further validation steps.
- Reducing Overconfidence in Probabilities:
- Probabilities, especially when presented as numerical values, can give a false sense of precision. SoK acts as a counterbalance, emphasizing that the probability is conditional on the quality and scope of the knowledge used.
Flashcard 31:
Previous exam question: The curriculum defines three main strategies for risk-related decision-making, the first of which is a risk-based requirements strategy. What are the remaining two?
- Risk-Based Requirement Strategy (when there are low uncertainties and high specific knowledge (SK) and general knowledge (GK))
- Risk Assessment Strategy (when there is good SK and GK, but not high, thus there may be some uncertainties)
- Cautionary (resilience/robustness) Strategy (when there is little or no SK or GK, thus high uncertainties)
Flashcard 32:
Previous exam question: Why must Enterprise risk management overrule Task risk management (TRM) if these two come into conflict? Give a simple example to illustrate the idea. (10%)
Answer: ERM must overrule TRM because ERM focuses on achieving an organisation’s principal objectives, which are tied to its long-term strategic goals. TRM, on the other hand, focuses on managing risks at the task or operational level, which may not directly contribute to the overarching goals. Prioritising TRM over ERM can lead to suboptimisation, where short-term task objectives are met, but the organisation fails to achieve its broader mission.
Example:
Consider a sports retail store with the principal objective of generating profit through excellent customer service. Suppose theft becomes a significant issue, and TRM focuses solely on reducing theft by increasing surveillance and monitoring every customer. While this may address the immediate issue of theft, the excessive monitoring could alienate genuine customers, reducing sales and ultimately harming the store’s profitability. Here, ERM would refocus efforts on maintaining customer satisfaction while also implementing theft prevention measures that align with the overall goal of profitability.
This highlights that ERM ensures all actions align with the organisation’s strategic objectives, even if it means deprioritising certain task-specific risks.
Flashcard 33:
Previous exam question: What is the definition of a black swan event, and what are the three categories of such events? Pick one event category and give an example of how it can be confronted. (15%)
A black swan event refers to a rare, unexpected occurrence with a significant impact that lies outside the realm of regular expectations and is difficult or impossible to predict based on existing knowledge.
Unknown Unknowns: Events that are completely unforeseen and unknown to everyone before they occur.
Unknown Knowns: Events known to some but not to the broader population or decision-makers, often due to information gaps or intelligence failures.
This can be addressed through High-Reliability Organisations (HROs), which promote collective mindfulness, meaning every team member actively identifies and responds to potential risks. The four HRO principles are Preoccupation with Failure, Reluctance to Simplify, Sensitivity to Operations, Commitment to Resilience and Deference to Expertise.
Known but Not Expected: Events that are widely recognised as possible but considered highly improbable, and thus preparations are often inadequate.