Risk Management
You decide to carry an extra laptop; if your main laptop fails, the second laptop will be ready. What would you call this response to risk?
Risk Reduction
You think your laptop has never failed before, and the chances of failing now are too slim. You decide not to take any extra actions. What do you call this response to risk?
Risk Acceptance
What do you call the potential for a loss or an incident that may harm the confidentiality, integrity or availability of an organisation’s information assets?
Risk
What do you call a weakness an attacker could exploit to gain unauthorised access to a system or data?
Vulnerability
What do you consider a business laptop?
Asset
Ransomware has become a lucrative business. From the perspective of a legitimate business, how do you classify ransomware groups?
Threat
What is the name of the risk assessment methodology developed by NIST?
NIST SP 800-30
Click on View Site. Decide whether each of the suggested safeguards (controls) is justified. Follow the instructions to retrieve the flag.
THM{Excellent_Risk_Management}
You want to confirm whether the new policy enforcing laptop disk encryption is helping mitigate data breach risk. What is it that you are monitoring in this case?
Effectiveness
You are keeping an eye on new regulations and laws. What is it that you are monitoring?
Compliance
Click on View Site and follow the instructions to retrieve the flag. Remember that your decision should be based on the value of the safeguard to the organisation, which is calculated as follows:
Value of Safeguard = ALE before Safeguard − ALE after Safeguard − Annual Cost of Safeguard
THM{OFFICE_RISK_MANAGED}