Cyber Security (BD308) – Assignment Week 10 – Syafira Aulia

Module Questions 10

1. What is the difference between a vulnerability, a threat, and a risk?

Answer :

To manage security effectively, a business must distinguish between these three terms. A Vulnerability is a specific weakness in an information system, security procedure, or internal control (e.g., an unpatched software bug). A Threat is any potential danger that could exploit that vulnerability (e.g., a hacker or a natural disaster). Risk is the intersection of the two; it is the mathematical likelihood that a threat will exploit a vulnerability and the resulting impact (financial or reputational) on the business.

2. Describe the four main strategies for treating risk (Accept, Avoid, Mitigate, Transfer). Provide a business example for each.

Answer :

Once a risk is identified, a business must decide how to handle it using one of these four strategies:

  • Mitigate: Implementing controls to reduce the likelihood or impact (e.g., installing a firewall to reduce the risk of a hack).
  • Transfer: Shifting the financial impact to a third party (e.g., purchasing Cyber Insurance).
  • Avoid: Eliminating the risk entirely by stopping the activity (e.g., a business deciding not to store credit card data to avoid the risk of a breach).
  • Accept: Acknowledging the risk but doing nothing because the cost of fixing it is higher than the potential loss (e.g., a small startup accepting the risk of a minor website glitch that only happens once a year).

3. Why is it useful for a business to adopt an established security framework like NIST CSF or ISO 27001?

Answer :

Adopting an established framework like NIST CSF or ISO 27001 is useful because it provides a proven, standardized “roadmap” for security. Instead of guessing what to protect, these frameworks offer a comprehensive list of best practices that ensure no area is overlooked. For a digital business, following these frameworks increases stakeholder trust, ensures regulatory compliance, and provides a common language for discussing security risks with investors, partners, and customers.

 

Status: 100% terpenuhi

Keterangan Sudah mengerjakan tugas dengan baik dan benar

Previous Post Previous Post
Newer Post Newer Post

Leave a comment