wispsyndicateSecurity

Feb 23, 2014

Unit 1: Information Security Risk Analysis


Module 0: Introduction

No Questions


Module 1: What is Risk?


1. Choose the answer that DOES NOT complete this sentence correctly. Risk
can be conceptualized as:

a)

Feelings

b)

Religion*

c)

Analysis

d)

Politics


2. Risk is:

a)

Probability that a loss will be caused by an asset causing a threat

b)

Probability of threats causing vulnerabilities in assets

c)

Probability that a threat will exploit a vulnerability causing a loss*

d)

Probability that a stakeholder will have a perception of risk


3. Risk can always be calculated precisely and accurately. True or False?

a)

True

b)

False*


4. Which of these would NOT be a risk factor for walking down the street?

a)

Type of food previously eaten*

b)

Time of day

c)

Known/Unknown street

d)

Type of shoes being worn


5.

Risk calculations need to consider:

a)

Scientific Evidence

b)

Emotions

c)

None of the Above

d)

Both a and b*


6. When crossing the road, what is something that could qualify as an initiating
event?

a)

Finding a $20 bill

b)

Meeting a friend

c)

Tripping over a rock*

d)

Smelling some roses


7. To determine the initial aggregate risk, what values are calculated?

a)

Initiating events, consequences, and likelihood of failure*

b)

Initiating events and likelihood of consequences

c)

Likelihood of consequences and likelihood of failure

d)


Measures and initiating events


8. Risk is only present within the domain of information security. True or False?

a)

True

b)

False*



Module 2: Terminology


1. Vulnerabilities are exploited by________________.

a)

Assets

b)

Threats*

c)

Controls

d)

Risk

2. ________________ are used to
diminish risk from threats.

a)

Assets

b)

Vulnerabilities

c)

Controls*

d)

Risk


3. To determine ________________ it is necessary to know the values of assets
as well as the vulnerabilities to threats.

a)

Assets

b)

Vulnerabilities

c)

Threats

d)

Controls*


4. Knowledge of security ________________ is necessary before deciding on
controls to implement.

a)

Enforcement

b)

Risk*

c)

Organization

d)

Personnel


5. Give the best potential threat for the asset type “legal”:

a)

Air Traffic Radar Failure

b)

Loss of Orders

c)

System Administrator’s Death

d)

Stolen Credit Card Numbers*


6. Give the best potential threat for the asset type “operational”:

a)

Stolen Credit Card Numbers

b)

Loss of Reputation

c)

Denial of Service*

d)

Loss of Trust


7. An unlocked door can be best classified as a(n):

a)

Asset

b)

Vulnerability*

c)

Threat

d)

Control


8. Unauthorized access to data can be best classified as a(n):

a)

Asset

b)

Vulnerability

c)

Threat*

d)

Control


9. The same item cannot be considered an asset, vulnerability, and threat. True
or False?

a)

True

b)

False*


10. If there are security risks, they relate to functions and jobs to be performed as
well as tangible items with value. True or False?

a)

True*

b)

False


11. Information security risk analysis is difficult for several reasons including:

a)

Human factors

b)

Lack of data

c)

Introduction of new systems

d)

All of the above*


Module 3: Security Assessment


1. What does performing a security assessment attempt to avoid?

a)

Loss of services

b)

Financial loss

c)

Loss of reputation

d)

All of the above*


2. An intrusive type of security assessment differs from a non-intrusive type in
that there are actual attempts to exploit security holes. True or False?

a)

True*

b)

False



3. Which of the following is the most time-intensive?

a)

Security Audit

b)

Risk Assessment

c)

Risk Analysis*

d)

They are all equally time-intensive


4. Which of the following would be used to check compliance with HIPAA?

a)

Security Audit*

b)

Risk Assessment

c)

Risk Analysis

d)

None of the above


5. Which of the following would be used to get a baseline idea of how at risk an
organization is?

a)

Security Audit

b)

Risk Assessment*

c)

Risk Analysis

d)

None of the above


6. Getting insurance is an example of:

a)

Avoiding the risk

b)

Transferring the risk*

c)

Assuming the risk

d)

None of the above


7. Deciding not to buy a web server because of possible vulnerabilities is an
example of:

a)

Avoiding the risk*

b)

Transferring the risk

c)

Assuming the risk

d)

None of the above


8. Ethical Hacking is also known as:

a)

Vulnerability scanning

b)

Vulnerability assessment

c)

Penetration Testing*

d)

Risk Analysis


9. What is a way of differentiating between security assessment types?

a)

Rules of engagement

b)

Legal liability

c)

Purpose of Analysis

d)

All of the above*


Module 4: Methodology and Objectives


1. Specifying that an analysis will cover only a specific department indicates the
__________ of the analysis.

a)

Breadth*

b)

Depth

c)

Scope

d)

Baseline


2. Where the organization’s security is today is the ______________________.

a)

Breadth

b)

Depth

c)

Scope

d)

Baseline*


3. Identifying the assets, vulnerabilities, and threats is used to define the:

a)

Strategic Context

b)

Organizational Context

c)

Risk Management Context*

d)

Risk Evaluation Criteria


4. An understanding of agency mission and goals is useful for defining:

a)

Strategic Context*

b)

Organizational Context

c)

Risk Management Context

d)

Risk Evaluation Criteria


5. Which of the following is NOT a step in developing a work plan?

a)

Information Gathering

b)

Defining Mission Statement*

c)

Threat Assessment

d)

Recommendations


6. Which of these departments is necessary for taking part in a risk analysis?

a)

Business

b)

Technical

c)

Communications

d)

All of the above*


7. Knowledge of employees can be used as a(n):

a)

Strategic Context

b)

Information Source*

c)

Outside Experts

d)

Standard


8. An organization must perform risk analysis continuously. True or False?

a)

True

b)

False*


9. What threat sources CANNOT be accurately determined by history?

a)

Nature

b)

Unintentional Human Error

c)

Technological Failure

d)

Adversarial*



Unit 2: Information Security Risks


Module 1: Introduction

No Questions


Module 2: Malicious Code


1. Malicious code is:

a)

Software that spreads through the network

b)

Software that exploits code vulnerabilities

c)

None of the above

d)

All of the above*


2. A virus differs from a worm in that:

a)

A worm needs to have user interaction to propagate

b)

A worm can be a stand-alone application*

c)

A virus spreads automatically throughout a network

d)

A worm is easier to write than a virus


3. Which would NOT be a control for a virus?

a)

Anti-virus

b)

Trojan Horse*

c)

Heuristic Scanner

d)

Training


4. A rabbit:

a)

Consumes CPU cycles

b)

Activates at a certain time

c)

Replicates to exhaust resources*

d)

Activates under certain conditions


5. A logic bomb:

a)

Consumes CPU cycles

b)

Activates at a certain time

c)

Replicates to exhaust resources

d)

Activates under certain conditions*


6. A time bomb

a)

Consumes CPU cycles

b)

Activates at a certain time*

c)

Replicates to exhaust resources

d)

Activates under certain conditions


7. Once a worm is released, it immediately becomes a serious threat. True or False?

a)

True

b)

False*


8. A polymorphic virus:

a)

Consists of multiple viruses executed at once

b)

Copies itself into various files each infection

c)

Changes prior to attaching to a program*

d)

Uses different programming languages to be written


9. Something that keeps a database of all program characteristics and checks for
modifications is called a:

a)

Scanner

b)

Change Detector*

c)

Cryptographic Checksummer

d)

Heuristic Scanner


10. The two parts of a virus are:

a)

Executable and Editor

b)

Replicator and Payload*

c)

Payload and Scanner

d)

Replicator and Scanner


11. A computer running slowly, or unexpected or frequent system failures, may
indicate:

a)

Presence of a firewall

b)

Network Connectivity

c)

Presence of a worm*

d)

Replicator existence


Module 3: Denial of Service Attacks


1. Denial of Service can be compared to:

a)

Picking open a diary’s lock

b)

Blocking a driveway’s access to a roadway*

c)

Planting weeds in someone else’s garden

d)

Giving a present with a practical joke


2. What ranking did the cost of denial of service attacks have in the CSI/FBI 2004
survey?

a)

First*

b)

Second

c)

Third

d)

Fourth


3. What attack sends a fragmented ICMP echo request whose reassembled datagram
exceeds the maximum IP packet size of 65,535 bytes (roughly sixty-four kilobytes)
in order to crash a system?


a)

Mail Bomb

b)

Ping of Death*

c)

SYN Flood

d)

Smurf Attack


4. Which is NOT a good control for ping attacks?

a)

Setting filters to look for large ping packets

b)

Disabling ICMP

c)

Getting and updating patches

d)

Disable cookies*


5. What is the “three-way handshake”?

a)

Method of deploying a ping attack

b)

Procedure used to open a connection*

c)

Web browser protocol

d)

Acknowledges source address of datagram


6. Which attack is specific to DNS?

a)

Query Overflow*

b)

Directed Broadcast Address

c)

Hostile Applets

d)

Key Server Attack


7. Which is NOT a good control for TCP SYN flood protection?

a)

Increase connection queue

b)

Firewall with SYN Protection

c)

Static Packet Filtering*

d)

Randomly clear connections with an incomplete three-way handshake


8. What are characteristic results of a DoS attack?

a)

CPU resources at maximum usage

b)

Communication slows

c)

Network bandwidth is limited

d)

All of the above*
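The SYN flood in Questions 5 and 7 above shows up on the victim as connections stuck in SYN_RECV (half-open: SYN-ACK sent, final ACK never received). The following Python is an added example, not part of the course material, showing how a responder would flag that condition from a connection-table snapshot. The `netstat -ant`-style lines are constructed for the demonstration, and the thresholds are illustrative assumptions.

```python
"""Added example (not course material): flagging a TCP SYN flood from a
snapshot of the connection table.

A SYN flood leaves connections stuck in SYN_RECV: the server answered with
SYN-ACK but the final ACK of the three-way handshake never arrives, so the
backlog fills and legitimate clients are refused. The lines below are a
constructed imitation of `netstat -ant` output, and the thresholds are
illustrative assumptions rather than figures from the course.
"""
from collections import Counter

# Constructed sample (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40004      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.10:40005     SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.8:51235       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:51236       TIME_WAIT
"""


def parse_netstat(text):
    """Yield (foreign_ip, state) for every TCP row; skip the header and other protocols."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        foreign, state = parts[4], parts[5]
        yield foreign.rsplit(":", 1)[0], state  # drop the port (IPv4 form "a.b.c.d:port")


def half_open_report(text, per_source_limit=3):
    """Return (suspect_sources, half_open_ratio).

    suspect_sources: remote IPs with more than per_source_limit SYN_RECV entries.
    half_open_ratio: fraction of all TCP rows in SYN_RECV. A high ratio with no
    dominant source is the signature of a spoofed-source flood, which per-source
    counting alone cannot attribute.
    """
    half_open, total = Counter(), 0
    for ip, state in parse_netstat(text):
        total += 1
        if state == "SYN_RECV":
            half_open[ip] += 1
    suspects = sorted(ip for ip, n in half_open.items() if n > per_source_limit)
    ratio = sum(half_open.values()) / total if total else 0.0
    return suspects, ratio


def is_syn_flood(text, per_source_limit=3, ratio_limit=0.5):
    """True when either a single source or the overall half-open ratio crosses its limit."""
    suspects, ratio = half_open_report(text, per_source_limit)
    return bool(suspects) or ratio >= ratio_limit


if __name__ == "__main__":
    suspects, ratio = half_open_report(SAMPLE_NETSTAT)
    print(f"suspect sources: {suspects}; half-open ratio: {ratio:.2f}; "
          f"flood: {is_syn_flood(SAMPLE_NETSTAT)}")
```

The per-source count catches a flood from a handful of real addresses; the ratio check matters because a flood with spoofed source addresses spreads its half-open connections over thousands of IPs that never exceed any per-source limit, which is also why static packet filtering on source address (Question 7) is a poor control for it.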


Module 4: Network Intrusion


1. What is NOT a type of Spoofing?

a)

Email Spoofing

b)

Web Spoofing

c)

Protocol Spoofing*

d)

IP Spoofing


2. The man-in-the-middle attack consists of:

a)

An attacker inserting himself or herself as a proxy between a web server
and client while intercepting all communication*

b)

An attacker hacks into a firewall and directs incoming and outgoing traffic

c)

An attacker sending fake email from one client to another

d)

None of the above


3. Sending an insulting email to your boss impersonating Bob (another
employee) by seeming to use his email address is called:

a)

Email Spoofing*

b)

Web Spoofing

c)

Electronic Spoofing

d)

None of the above


4. A type of web spoofing is:

a)

ActiveX deployment

b)

Man-in-the-Middle Attack*

c)

Web Squatting

d)

Hyperlink Tagging


5. Why is tracking state with websites important?

a)

HTTP is stateless*

b)

HTTP is stateful

c)

FTP is stateless

d)

FTP is stateful


6. URL Session Tracking and Hidden Form Elements:

a)

Are all necessary to have a web form

b)

Control hacking by phishing sites

c)

Are ways to track state*

d)

Store hacker information


7. What is a method of protection against Web Spoofing?

a)

Choosing the password !38fa*3#2(_)Da!

b)

Protecting hard drive access

c)

Use of cookies that end after each session*

d)

Packet filtering


8. Someone registering the domain name http://www.m1.com (with the digit one)
instead of http://www.ml.com (Merrill Lynch, with a lowercase L) would fall into the
category of what type of spoofing?

a)

Email Spoofing

b)

Web Spoofing*

c)

IP Spoofing

d)

Electronic Spoofing


9. Exploiting a UNIX trust relationship is a type of:

a)

Email Spoofing

b)

Web Spoofing

c)

IP Spoofing*

d)

Electronic Spoofing


10. Port 25 is the port used for which protocol?

a)

FTP

b)

HTTP

c)

SMTP*

d)

UDP
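Question 8 above turns on a look-alike domain (m1.com for ml.com). The Python below is an added example, not code from the course, showing how a defender can detect such names before users do: it collapses visually confusable characters into a "skeleton" and falls back to edit distance for plain typosquats. The confusable table and the protected-domain list are illustrative assumptions.

```python
"""Added example (not course material): detecting look-alike domains of the
kind used in web spoofing, e.g. www.m1.com standing in for www.ml.com.

The confusable table and the protected list are assumptions for the demo.
"""

# Glyphs and digraphs that read like another letter in many fonts.
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w", "cl": "d", "|": "l"}

PROTECTED = ["ml.com", "example.com"]  # constructed list of domains to defend


def skeleton(domain):
    """Collapse confusable glyphs so visually similar names compare equal."""
    d = domain.lower()
    # Longest patterns first so "rn" becomes "m" before single characters are touched.
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        d = d.replace(src, CONFUSABLES[src])
    return d


def registrable(url):
    """Strip scheme, path and a leading 'www.'; keep the name that gets registered."""
    host = url.split("://", 1)[-1].split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, protected=PROTECTED):
    """Return (verdict, matched_protected_domain).

    verdict is one of 'legitimate', 'confusable', 'typosquat', 'unrelated'.
    """
    host = registrable(url)
    for good in protected:
        if host == good:
            return "legitimate", good
    for good in protected:
        if skeleton(host) == skeleton(good):
            return "confusable", good
    for good in protected:
        if edit_distance(host, good) == 1:
            return "typosquat", good
    return "unrelated", None


if __name__ == "__main__":
    for u in ("http://www.ml.com", "http://www.m1.com", "rnl.com", "examples.com", "github.com"):
        print(u, "->", classify(u))
```

The skeleton step is the important one: an edit-distance check alone treats m1.com as "one character away" from thousands of unrelated six-letter names, while the skeleton says exactly why this particular name is dangerous. A real deployment would feed it newly registered domains or URLs seen in inbound mail.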


Module 5: Software Vulnerabilities


1. What does CIA³ stand for?

a)

Confidentiality, Information, Asset Management, Availability,
Authentication

b)

Confidentiality, Integrity, Availability, Access Control, Authentication*

c)

Confidentiality, Integrity, Accessibility, Availability, Access Control

d)

Confidentiality, Information, Availability, Access Control, Authentication


2. What would be an appropriate countermeasure for tunneling?

a)

Placing time stamps for systems within a file

b)

Using anti-virus

c)

Replacing hard disks

d)

Monitoring suspected access points*


3. What assumption by a programmer leads to buffer overflow attacks?

a)

Program takes up little hard drive space

b)

Program input will always fit in the limited memory allocated for it*

c)

Program executes automatically

d)

Program contains few lines of code


4. Information and systems may be important because:

a)

It is personal*

b)

It is contained in a secret area

c)

It is owned by an important person

d)

It is encrypted


5. Back doors can be inserted:

a)

Due to forgotten code removal

b)

For maintenance purposes

c)

Purposefully to create a hole

d)

All of the above*



Unit 3: Threats to Information Security Part 2


Module 0: Introduction

No Questions


Module 1: Password Protection


1. What identification is used on the Internet?

a)

IP Address

b)

Passwords

c)

Biometric Data

d)

All of the above*


2. Which Windows hashing method is more secure?

a)

LAN Manager Hash

b)

NT Hash*

c)

They are equally secure

d)

They are both obsolete


3. Which is NOT a type of password cracking attack?

a)

Dictionary

b)

Lophtcrack*

c)

Brute Force

d)

Hybrid


4. Which password-hashing function truncates the password to eight characters?

a)

LAN Manager

b)

NT Hash

c)

DES (traditional Unix crypt)*

d)

MD5


5. Which password attack is similar to trying all of the different combinations on a
combination lock?

a)

Dictionary

b)

Hybrid

c)

Brute Force*

d)

None of the Above


6. A dictionary attack is:

a)

An attack that deletes all of a program’s dictionaries

b)

An attack that tries all different combinations of passwords

c)

Uses a file with words to compare hashes against*

d)

Erases hashes based on dictionary words


7. Why is hashing effective?

a)

Password is not stored in plain-text

b)

Is one-way, so the password cannot be recovered from the stored hash

c)

None of the above

d)

Both a and b*


8. Hashing is more effective than salting because salting requires an additional
random piece of data to be added to the data before hashing. True or False?

a)

True

b)

False*


9. Which password defense method prevents the dictionary attack from working
with the same word?

a)

Hashing

b)

Shadowing

c)

Salting*

d)

Iteration Count


10. What is the most tested form of biometric authentication?

a)

Iris

b)

Fingerprint*

c)

Face

d)

Voice


11. Which is NOT an effective security control for password security?

a)

Implement SYSKEY

b)

Enforce strong passwords

c)

Password-protect the BIOS

d)

None of the above*
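Questions 6 through 9 of this module describe dictionary attacks, hashing, salting and iteration counts in words. The Python below is an added example, not code from the course, that runs the attack both ways on constructed user records and a constructed five-word list, so the effect of a salt and an iteration count can be measured in hash operations rather than asserted. The word list, user names and passwords are made up for the demonstration.

```python
"""Added example (not course material): why salting and an iteration count
blunt dictionary attacks. The word list and user records are constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "summer2014", "qwerty", "dragon"]  # constructed


def unsalted_hash(password):
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256: the salt defeats shared precomputation and the
    iteration count raises the cost of every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(username, password, iterations=100_000):
    """Store salt, iteration count and hash; the salt is public, not secret."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "iters": iterations,
            "hash": salted_hash(password, salt, iterations)}


def verify(record, password):
    candidate = salted_hash(password, record["salt"], record["iters"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def dictionary_attack_unsalted(stored):
    """stored: {username: unsalted_hash}. One hash per word cracks every user
    who chose that word. Returns (cracked {user: password}, hash_ops)."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    cracked, ops = {}, 0
    for word in WORDLIST:
        ops += 1
        for user in by_hash.get(unsalted_hash(word), []):
            cracked[user] = word
    return cracked, ops


def dictionary_attack_salted(records):
    """Every (user, word) pair needs its own PBKDF2 run: nothing is shared
    between users, and each run costs `iters` HMAC computations."""
    cracked, ops = {}, 0
    for rec in records:
        for word in WORDLIST:
            ops += 1
            if salted_hash(word, rec["salt"], rec["iters"]) == rec["hash"]:
                cracked[rec["user"]] = word
                break
    return cracked, ops


if __name__ == "__main__":
    users = [("alice", "letmein"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]
    plain = {u: unsalted_hash(p) for u, p in users}
    print("unsalted:", dictionary_attack_unsalted(plain))
    recs = [make_record(u, p, iterations=1000) for u, p in users]
    print("salted:  ", dictionary_attack_salted(recs))
```

Two things to read off the output: alice and bob share a password, and with unsalted hashes that is visible before any cracking starts (identical digests), whereas their salted records differ; and the salted attack needs one PBKDF2 run per user per word, each of which is `iters` times more expensive than a bare hash. Salting does not make a weak password strong, it only removes the attacker's ability to amortise work across accounts and across precomputed tables.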


Module 2: Wireless Security


1. What is NOT a denial of service attack?

a)

War Driving*

b)

Sleep Deprivation

c)

Jamming

d)

None of the Above


2. Someone taking the identity of a wireless access point or device is called:

a)

War Driving

b)

Spoofing*

c)

Sleep Deprivation

d)

Jamming


3. What needs to be collected to gain unauthorized wireless access to a WEP-encrypted
wireless router?

a)

SSID of AP, Client MAC, packets*

b)

SSID of AP, BSSID of AP, Client MAC

c)

BSSID of AP, Client MAC, packets

d)

BSSID of AP, packets, AP MAC


4. War Driving is:

a)

Accessing non-protected wireless access points

b)

Logging wireless access points*

c)

Disguising wireless access points as wireless hotspots

d)

None of the above


5. An example of a Sleep Deprivation attack is:

a)

Inserting an animated GIF within a website which does not appear to be
animated

b)

Starting a program that is a typical task, but modifying it to take up more
resources

c)

Starting a CPU-intensive task (e.g. infinite loop)

d)

All of the above*


6. Active scanning allows for logging of access points that do not broadcast their
SSID, in contrast to passive scanning. True or False?

a)

True

b)

False*


7. Which is NOT a basic security measure of a wireless access point?

a)

MAC filtering

b)

Disabling broadcast of SSID

c)

Setting a BSSID*

d)

WEP Encryption


8. What does creating an evil twin allow?

a)

Stealing of credit card information

b)

Password stealing

c)

Both a and b*

d)

None of the above


9. An SSID is the mechanism for distinguishing:

a)

Client wireless network identification cards

b)

Wireless access points in the same area*

c)

Wireless access point network card

d)

All of the above


10. ARP Poisoning and Man-in-the-Middle are both attacks used for:

a)

Spoofing

b)

War Driving

c)

Denial of Service

d)

Eavesdropping*


Module 3: Unintentional Threats


1. An unintentional threat is not as dangerous as a malicious threat. True or
False?

a)

True

b)

False*


2. User error can be controlled with the following:

a)

Comprehensive policies

b)

Segregation of duties

c)

Training

d)

All of the above*


3. Wireless connectivity can be most affected by which of the following threats?

a)

Storm*

b)

Humidity

c)

Smoke and Fire

d)

Heat


4. What is NOT a control for failure of outsourced operations?

a)

Business Continuity Plan Implementation

b)

Uninterrupted Power Supply*

c)

File and System Backup

d)

Outsourcing Agreements


5. What is NOT a vulnerability related to loss or absence of key personnel?

a)

Family Relationships*

b)

Undocumented Procedures

c)

Lack of Succession Planning

d)

No Replacements for Key Personnel


6. Environmental conditions are the same as natural disasters in terms of threats.
True or False?

a)

True

b)

False*


7. Failure of Communications Services can best be defined as:

a)

Not allowing messages to external parties

b)

Disallowing communication between various sites

c)

Denying access to information, applications, and data on network devices

d)

All of the above*


8. The result of a loss of confidentiality of messages which are not protected and
the loss of availability to the intended recipient is caused by:

a)

Natural Disasters

b)

Equipment Malfunction

c)

Failure of Outsourcing

d)

Misrouting/Re-routing of Messages*


Module 4: Insider Threats


1. Who of the following is NOT an insider?

a)

Company CEO

b)

Terrorist working as a clerk

c)

Accountant being blackmailed

d)

None of the above*


2. A ________________ is an insider who is a threat because they do not care
about the consequences of their actions.

a)

Mole

b)

Cowboy*

c)

Disgruntled Insider

d)

Malicious Employee


3. Which of the following is NOT a vulnerability that facilitates insider threats?

a)

Poor physical security

b)

Misrouting/re-routing of messages*

c)

Traveling laptops and mobile devices

d)

Acceptable use policies


4. To protect against insider threats, the following should be done:

a)

Segment the security architecture

b)

Keep training materials up-to-date

c)

Enforce policies fairly and swiftly

d)

All of the above*


5. Identification, containment, and recovery are all examples of:

a)

Protection Strategies*

b)

Protection Tactics

c)

Penetration Testing

d)

Social Engineering


6. External threats are more powerful than insider threats. True or False?

a)

True

b)

False*


Module 5: Miscellaneous Threats


1. Dumpster Diving, Shoulder Surfing and Browsing are all types of:

a)

Spoofing

b)

Social Engineering*

c)

Malfunction

d)

Pirated Software


2. ______________________ is possible because unauthorized system access
enables viewing, alteration or destruction of data or software.

a)

Masquerade

b)

Digital Snooping

c)

Repudiation

d)

Unauthorized Software Changes*


3. Pirated Software exploits the following vulnerabilities:

a)

Ineffective software auditing

b)

Lack of software usage policy

c)

Unrestricted copying of software

d)

All of the above*


4. Controls for digital snooping do NOT include:

a)

Employing data encryption

b)

Implementation of keyloggers*

c)

Correlate user identification with shift times

d)

Limit physical access to network


5. Accessing a computer using another user’s identity is called:

a)

Digital Snooping

b)

Dumpster Diving

c)

Repudiation

d)

Masquerade*


Module 6: Summary

No Questions


Unit 4: Qualitative Risk Analysis


Module 0: Introduction

No Questions


Module 1: Risk Analysis: Qualitative Analysis


1. What does NOT make information security risk analysis difficult?

a)

Increased security capacity*

b)

Introduction of new assets

c)

Discovery of vulnerabilities

d)

Creation and evolution of threats


2. Risk analysis solely involves the technological aspects of information security.
True or False?

a)

True

b)

False*


3. Risk analysis comes in this form:

a)

Qualitative

b)

Quantitative

c)

Mix of Qualitative and Quantitative

d)

All of the above*


4. Qualitative risk analysis uses relative comparisons of risk to determine
prioritization of controls and risk posture. True or False?

a)

True*

b)

False


5. Select a benefit of qualitative risk analysis:

a)

Ability to optimize risk

b)

Allows for accurate valuation of tangible assets

c)

No need for extensive data collection*

d)

Needs involvement of personnel time


Module 2: Determine Assets and Vulnerabilities


1. Intangible assets are easier to obtain accurate values for than tangible assets.
True or False?

a)

True

b)

False*


2. Select the non-tangible asset:

a)

Servers

b)

Network Infrastructure

c)

Personnel*

d)

Revenue


3. Intangible assets should not be assessed when determining risk. True or
False?

a)

True

b)

False*


4. A specific asset:

a)

Is only affected by one vulnerability

b)

Can have more than one vulnerability*

c)

Cannot also be listed as a vulnerability

d)

None of the above


5. Vulnerability is usually defined in terms of these three aspects:

a)

Confidentiality, Interoperability, Accessibility

b)

Compatibility, Integrity, Availability

c)

Confidentiality, Integrity, Availability*

d)

Confidentiality, Interoperability, Availability


Module 3: Determine Threats and Controls


1. Categories of threats include the following:

a)

Malicious

b)

Unintentional

c)

Physical

d)

All of the above*


2. Security controls are NOT meant to do the following:

a)

Protect

b)

Detect

c)

Defect*

d)

Respond


3. Security awareness and training, business continuity management and
segregation of duties are what types of controls?

a)

Organizational and Management*

b)

Physical and Environmental

c)

Operational

d)

Technical


4. Intrusion detection, secure logon practices, logical access control and audit
trails are examples of what types of controls?

a)

Organizational and Management

b)

Physical and Environmental

c)

Operational

d)

Technical*


5. Backing up data, software development testing environments, and systems
acceptance testing are examples of what types of controls?

a)

Organizational and Management

b)

Physical and Environmental

c)

Operational*

d)

Technical


Module 4: Matrix-Based Approach


1. Controls are used to:

a)

Determine risk posture

b)

Analyze threats

c)

Reduce exposure cost*

d)

Project security needs


2. The total risk posture is equal to the aggregation of individual risks to an
organization. True or False?

a)

True*

b)

False


3. Using Low Medium and High is an example of what type of evaluation?

a)

Qualitative*

b)

Quantitative

c)

Both a and b

d)

None of the above


4. The risk analysis methodology provided offers:

a)

Ability to work with partial data

b)

Comparison of risk posture

c)

Transparency in the risk analysis process

d)

All of the above*


5. Optimization is only effective when quantitative methodology is used. True or
False?

a)

True*

b)

False


Module 5: Case Study

No Questions


Module 6: Summary

No Questions


Unit 5: Quantitative Risk Analysis


Module 0: Introduction

Module 1: Quantitative Risk Analysis and ALE

1. Quantitative risk analysis is different from qualitative risk analysis in that it
uses statistical data and computed numerical values to determine risk. True or
False?

a)

True*

b)

False


2. Likelihood of Exploitation is the likelihood that something will evade controls.
Which are three of the ways that probability can be computed?

a)

Classical, Frequency, and Subjective*

b)

Expert Judgment, Classical, and Probability

c)

Modern, Hybrid, and Classical

d)

None of the above.


3. Determining likelihood on a scale of 1-10 is most like which approach?

a)

Delphi*

b)

Normalized

c)

Both Delphi and Normalized

d)

None of the above


4. What is risk exposure?

a)

Annual Loss Expectancy

b)

Loss X Risk Probability

c)

Risk Impact X Risk Probability

d)

All of the above*


5. _____________________ computes risk using the probability of an event
occurring over one year.

a)

Single Loss Expectancy

b)

Annualized Rate of Occurrence

c)

Annualized Loss Expectancy*

d)

None of the above



Module 2: Case Study

No Questions


Module 3: Cost Benefit Analysis and Regression

1. After a successful choice of relevant controls, the exposure before controls
should be lower than the exposure after controls. True or False?

a)

True

b)

False*


2. Risk leverage is the difference in the ____________________ divided by the
cost of reducing the risk.

a)

Potential Risk Impact

b)

Risk Exposure*

c)

Cost-Benefit

d)

Exposure After Controls


3. According to the decision tree in Example 5, it is safer to do regression testing
than to not do regression testing. True or False?

a)

True*

b)

False


4. According to the decision tree in Example 5, the resulting loss associated
with doing a regression test and finding a critical fault is:

a)

0.5 Million*

b)

0.375 Million

c)

30 Million

d)

1.500 Million


5. Costs are associated with:

a)

Potential Risk Impact

b)

Reducing Risk Impact

c)

All of the above*

d)

None of the above
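Module 1 (Questions 4 and 5) defines risk exposure and Annualized Loss Expectancy, and Module 3 (Questions 1 and 2) defines risk leverage and the requirement that exposure after controls be lower than before. The Python below is an added example, not code from the course, that carries those formulas through on constructed numbers and ranks three candidate controls by leverage. The asset value, exposure factor, ARO, control costs and the `new_ef`/`new_aro` field names are all assumptions for the illustration.

```python
"""Added example (not course material): the quantitative formulas from Module 1
and Module 3 carried through on constructed numbers.

    SLE = asset value x exposure factor       (loss from one occurrence)
    ALE = SLE x ARO                           (risk exposure per year:
                                               impact x probability)
    risk leverage = (ALE before - ALE after) / annual cost of the control
"""


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy; exposure factor is the fraction of value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss, aro):
    """Annualized Loss Expectancy: ARO is expected occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def risk_leverage(ale_before, ale_after, control_cost):
    """Exposure removed per unit of control spend; below 1 the control costs
    more each year than the loss it prevents."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after) / control_cost


# Constructed candidate controls. The field names are this example's own
# convention: new_ef / new_aro are the exposure factor and ARO expected once
# the control is in place.
CONTROLS = [
    {"name": "A: patch and monitor", "cost": 10_000, "new_ef": 0.25, "new_aro": 0.05},
    {"name": "B: rebuild with redundancy", "cost": 60_000, "new_ef": 0.10, "new_aro": 0.01},
    {"name": "C: cheap but counterproductive", "cost": 5_000, "new_ef": 0.40, "new_aro": 0.20},
]


def evaluate_controls(asset_value, exposure_factor, aro, controls=CONTROLS):
    """Rank controls by leverage. Returns (ALE before controls, rows)."""
    before = ale(sle(asset_value, exposure_factor), aro)
    rows = []
    for c in controls:
        after = ale(sle(asset_value, c["new_ef"]), c["new_aro"])
        lev = risk_leverage(before, after, c["cost"])
        rows.append({"name": c["name"], "ale_after": after, "leverage": lev,
                     # Worthwhile only if exposure actually drops and the drop
                     # outweighs the spend (Module 3, Question 1).
                     "worthwhile": after < before and lev > 1.0})
    rows.sort(key=lambda r: r["leverage"], reverse=True)
    return before, rows


if __name__ == "__main__":
    before, rows = evaluate_controls(1_000_000, 0.25, 0.2)
    print(f"ALE before controls: {before:,.0f}")
    for r in rows:
        print(f"{r['name']:32} ALE after {r['ale_after']:>10,.0f} "
              f"leverage {r['leverage']:6.2f} worthwhile={r['worthwhile']}")
```

With the constructed inputs (asset 1,000,000; exposure factor 0.25; ARO 0.2) the baseline ALE is 50,000. Control A removes 37,500 of exposure for 10,000 a year (leverage 3.75); control B removes more exposure in absolute terms but costs more than it saves (leverage below 1); control C raises exposure and gets a negative leverage, the situation Question 1 of Module 3 rules out.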


Module 4: Modeling Uncertainties

1. Uncertainty only exists in qualitative risk assessment. True or False?

a)

True

b)

False*


2. To deal with uncertainty, _________________________ is used.

a)

Risk Metric

b)

Simulation*

c)

Normalization

d)

Probability


3. The Monte Carlo Simulation approach involves this step:

a)

Histogram creation for risk and updated risk

b)

Performing of a sensitivity analysis

c)

Risk model development

d)

All of the above*


4. What software tool was used to perform this analysis?

a)

Word

b)

Excel*

c)

Access

d)

PowerPoint


5. The risk metric is:

a)

Determined by the value of its independent variables

b)

A function of the probability distribution of each random variable*

c)

All of the above

d)

None of the above
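Questions 2, 3 and 5 of this module list the Monte Carlo steps (risk model, histogram, sensitivity analysis) and state that the risk metric is a function of each input's probability distribution. The Python below is an added example, not the course's Excel model, that performs those steps on an assumed model: ARO drawn from a uniform range, a Poisson number of events per year, and a normally distributed single-loss size. The distributions, parameters and seed are assumptions for the illustration.

```python
"""Added example (not the course's Excel model): Monte Carlo simulation of
annual loss with a histogram and a simple sensitivity analysis. Distributions
and parameters are assumptions made for the illustration.
"""
import math
import random
import statistics

# Assumed base-case inputs (constructed): ARO uncertain between 0.1 and 0.5
# events per year; single-loss size normal with mean 200,000 and SD 50,000.
BASE = {"aro_range": (0.1, 0.5), "sle_mean": 200_000.0, "sle_sd": 50_000.0}


def poisson(rng, lam):
    """Number of events in one year for expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(n, aro_range, sle_mean, sle_sd, seed=1):
    """Risk model: each trial draws an ARO, a Poisson event count, and a
    loss per event (normal, truncated at zero); returns n yearly loss totals."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    losses = []
    for _ in range(n):
        events = poisson(rng, rng.uniform(*aro_range))
        losses.append(sum(max(0.0, rng.gauss(sle_mean, sle_sd)) for _ in range(events)))
    return losses


def histogram(values, bin_width):
    """Bucket the loss distribution: {bin_start: count}, bins in ascending order."""
    counts = {}
    for v in values:
        start = int(v // bin_width) * bin_width
        counts[start] = counts.get(start, 0) + 1
    return dict(sorted(counts.items()))


def summarize(losses):
    """The risk metric as a function of the whole distribution, not one point."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s),
            "p90": s[int(0.90 * (len(s) - 1))],
            "p99": s[int(0.99 * (len(s) - 1))]}


def sensitivity(n, base=BASE, seed=1, bump=0.5):
    """Raise each input by `bump` (50%) in turn and report the change in mean
    loss; the input with the largest swing is where better data pays off most."""
    base_mean = summarize(simulate_annual_losses(n, seed=seed, **base))["mean"]
    swings = {}
    for key in ("aro_range", "sle_mean"):
        params = dict(base)
        if key == "aro_range":
            lo, hi = base[key]
            params[key] = (lo * (1 + bump), hi * (1 + bump))
        else:
            params[key] = base[key] * (1 + bump)
        swings[key] = summarize(simulate_annual_losses(n, seed=seed, **params))["mean"] - base_mean
    return base_mean, swings


if __name__ == "__main__":
    losses = simulate_annual_losses(5000, **BASE)
    print(summarize(losses))
    print(histogram(losses, 100_000))
    print(sensitivity(5000))
```

The mean of the simulated losses lands near the point-estimate ALE (0.3 events x 200,000 = 60,000), which is what a single-number analysis would have produced; what the simulation adds is the tail (p90 and p99), which is what a control budget or an insurance deductible has to be sized against, and the sensitivity table, which says whether more effort should go into estimating frequency or impact.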


Module 5: Summary

No Questions