Risky Business
Response Ready
Pen Test Playground
Risky Numbers
Contractual Conundrums
100

The cyclical process of identifying, assessing, analyzing, and responding to risks.

What is Risk Management?

100

Determining that a risk is within the organization’s appetite and no countermeasures other than ongoing monitoring is needed.

What is Risk Acceptance?

100

The “hostile” or attacking team in a penetration test or incident response exercise.

What is Offensive Penetration Testing?

100

The amount that would be lost in a single occurrence of a particular risk factor.

What is Single Loss Expectancy (SLE)?

100

A document that defines the expectations for a specific business arrangement. 

What is a Statement of Work (SOW)/Work Order (WO)?

200

Within overall risk assessment, specific process of listing sources of risk due to threats and vulnerabilities.

What is Risk Identification?

200

Reducing risk to fit within an organization’s willingness to accept risk.

What is Risk Mitigation (or Remediation)?

200

The defensive team in a penetration test or incident response exercise.

What is Defensive Penetration Testing?

200

The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

What is Annualized Loss Expectancy (ALE)?

200

A contract that establishes precedence and guidelines for any business documents that are executed between two parties.

What is a Master Service Agreement (MSA)?

300

Process for qualifying or quantifying the likelihood and impact of a factor.

What is Risk Analysis?

300

In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario.

What is Risk Deterrence (or Reduction)?

300

Assessment techniques that extend to site and other physical security systems.

What is Physical Penetration Testing?

300

In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

What is the Annualized Rate of Occurrence (ARO)?

300

An agreement that sets the service requirements and expectations between a consumer and a provider.

What is a Service-Level Agreement (SLA)?

400

The process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.

What is Risk Assessment?

400

In risk mitigation, the practice of ceasing activity that presents risk.

What is Risk Avoidance?

400

A holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization’s security operations.

What is Integrated Penetration Testing?

400

Metric for a device or component that predicts the expected time between failures.

What is Mean Time Between Failures (MTBF)?

400

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

What is a Memorandum of Understanding (MOU)?

500

 A periodic summary of relevant information about a project’s current risks. It provides a summarized overview of known risks, realized risks, and their impact on the organization.

What is Risk Reporting? 

500

In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

What is Risk Transference (or Sharing)?

500

Penetration testing techniques that interact with target systems directly.

What is Active Reconnaissance?

500

Metric representing average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

What is Mean Time to Repair (MTTR)?

500

Legal document forming the basis for two parties to cooperate without a formal contract (a cooperative agreement). MOAs are often used by public bodies.

What is a Memorandum of Agreement (MOA)?

600

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

What is Enterprise Risk Management (ERM)?

600

A category of risk management that uses alternate mitigating controls to control an accepted risk factor.

What is a Risk Exception?

600

Penetration testing techniques that do not interact with target systems directly.

What is Passive Reconnaissance?

600

The maximum time allowed to restore a system after a failure event.

What is Recovery Time Objective (RTO)?

600

An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

What is a Nondisclosure Agreement (NDA)?

700

A document highlighting the results of risk assessments in an easily comprehensible format (such as a “traffic light” grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

What is a Risk Register?

700

A category of risk management that accepts an unmitigated risk factor.

What is a Risk Exemption?

700

A definition of how a pen test will be executed and what constraints will be in place. This provides the pen tester with guidelines to consult as they conduct their tests so that they don’t have to constantly ask management for permission to do something.

What are the Rules of Engagement (RoE)?

700

The longest period that an organization can tolerate lost data being unrecoverable.

What is Recovery Point Objective (RPO)?

700

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

What is a Business Partnership Agreement (BPA)?

800

The method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring.

What are Key Risk Indicators (KRIs)?

800

Risk that remains even after controls are put into place.

What is Residual Risk?

800

The longest period that a process can be inoperable without causing irrevocable business failure.

What is Maximum Tolerable Downtime (MTD)?

800

A legal principal that a subject has used best practice or reasonable care when setting up, configuring, and maintaining a system.

What is Due Diligence?

900

A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

What is a Heat Map Risk Matrix?

900

Risk that an event will pose if no controls are put in place to mitigate it.

What is Inherent Risk?

900

In disaster recovery, time additional to the RTO of individual systems to perform reintegration and testing of a restored or upgraded system following an event.

What is Work Recovery Time (WRT)?

900

In vendor management, structured means of obtaining consistent information, enabling more effective risk analysis and comparison.

What is a Questionnaire?

1000

Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

What is a Business Impact Analysis (BIA)?

1000

 Determines the thresholds that separate different levels of risk.

What is Risk Tolerance?

1000

In quantitative risk analysis, the chance of an event that is expressed as a percentage.

What is Probability?

1000

When an individual or organization has investments or obligations that could compromise their ability to act objectively, impartially, or in the best interest of another party.

What is a Conflict of Interest?

M
e
n
u