The answer to each question should be at least 250 words.

1. Explain how an organization determines whether it is spending too much on risk. At what point does managing risk become wasteful? Justify your opinions with a specific example.

2. What is the difference between applying risk measures for insurance purposes versus applying risk measures for compliance? Provide an example and explain how both have significant value to a business.

3. Explain the relationship between vulnerability, threat, and risk. Discuss how each fits into a risk assessment. Provide examples to illustrate your ideas.

4. Discuss the difference in the level of detail between a vulnerability assessment and a risk assessment. Explain how they are used to define the security posture of an organization. Provide examples to illustrate your ideas.

5. Review the Risk Management Process Flow (Figure 3.1, p. 49) in the Security Risk Management: Building an Information Security Risk Management Program From the Ground Up textbook. Identify who holds the primary responsibility for each step (information security team, business owner, or resource custodian). Explain why each role is assigned that responsibility for each step. Discuss the difference between ownership and operation (the one who does the work).

6. According to the Security Risk Management: Building an Information Security Risk Management Program From the Ground Up textbook, “there will be risks that can’t be mitigated at all, aren’t worth the effort to reduce the exposure any further, or just won’t be addressed in the short term due to other priorities” (p. 47). Provide a real-world example for each of these three scenarios and explain why the risk meets the criteria.

7. Explain how qualitative risk analysis may outweigh quantitative risk analysis in terms of risk management for an organization. Research a real-world example where the qualitative impact on an organization caused more damage than the quantitative issues. How could this situation be mitigated to reduce future impact?