Elements of the Risk Management Process
Identify, analyze, respond, monitor. Plus the math the exam loves: SLE × ARO = ALE, inherent vs. residual risk, and when “accept” is different from “ignore.”
Risk management is the business language of security. Leadership does not want a list of vulnerabilities — they want a picture of how much loss the company faces, how likely each loss is, and what we propose to do about each one. The Security+ exam tests whether you can translate a technical finding into the four-part pipeline: identify the risk, analyze it (qualitative or quantitative), respond (transfer, accept, avoid, mitigate), and monitor through a living risk register.
The calculation side is small but heavily tested: SLE = AV × EF (single-loss expectancy = asset value × exposure factor) and ALE = SLE × ARO (annualized loss expectancy = SLE × annualized rate of occurrence). You are also expected to distinguish inherent risk (before controls) from residual risk (after controls), and to know that “accept” requires documented executive sign-off — it is not “ignore.”
Risk identification. Catalog assets, threats, and vulnerabilities; the output is a risk register. Identification can be ad hoc (event-driven — after an incident or major change), recurring (quarterly, annual), one-time (project-specific, like a pre-launch assessment), or continuous (real-time automation — CSPM, continuous control monitoring).
Risk analysis. Two flavors. Qualitative uses subjective ratings (high/medium/low) — fast, low cost, good enough for most decisions. Quantitative uses numeric and monetary values — slower, expensive, defensible in front of the board. Quantitative introduces: asset value (AV), exposure factor (EF) (% of asset value lost if the event occurs), single-loss expectancy (SLE) = AV × EF, annualized rate of occurrence (ARO) (expected events per year), and annualized loss expectancy (ALE) = SLE × ARO.
Risk register. A living document of identified risks — description, owner, likelihood, impact, response, status, review date. Key supporting concepts: key risk indicators (KRIs) are metrics that signal rising risk; risk owners are accountable for the response; risk threshold is the ceiling above which action becomes required; risk tolerance is the organization’s overall appetite.
Risk appetite. Three common postures: expansionary (aggressive, willing to accept risk for growth), conservative (risk-averse), neutral (balanced). Appetite shapes which responses are acceptable.
Risk response strategies (TAAM). Transfer — shift to a third party (cyber insurance, contractual indemnity). Accept — acknowledge and proceed, with formal executive sign-off; exemption is a documented one-time acceptance; exception is a temporary approved deviation. Avoid — decline to engage in the risky activity. Mitigate — implement controls that reduce likelihood, impact, or both.
Risk reporting. Rolled up to leadership and the board: summary, trending, material items, and KRIs. The goal is decision-support, not alert fatigue.
Business impact analysis (BIA). Quantifies the disruption cost of losing a business process. Key outputs: RTO (recovery time objective — target time to restore), RPO (recovery point objective — acceptable data-loss window), MTTR (mean time to repair — average time to fix), MTBF (mean time between failures — average uptime between failures). The exam tests RTO vs. RPO relentlessly: RTO is about downtime you can tolerate, RPO is about data loss you can tolerate.
Inherent vs. residual. Inherent risk is the risk before any controls are applied. Residual risk is what remains after controls. Questions often conflate the two — read for “before controls” vs. “after controls.”
SLE = Asset Value × Exposure Factor
ALE = SLE × ARO
SLE is per event. ALE is per year. ARO ties them together.
Asset value: $2,000 per laptop. Exposure factor: 100% if stolen. ARO: 0.05 (5% of laptops stolen per year) across 1,000 laptops.
SLE = $2,000 × 1.0 = $2,000
ARO (fleet) = 1,000 × 0.05 = 50 events/year
ALE = $2,000 × 50 = $100,000/year
Decision: if endpoint-encryption + MDM costs less than $100K/year and reduces EF from 100% to (say) 10% (data protected), the ALE drops to $10K/year — clear mitigation ROI.
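The laptop-fleet calculation above, carried through in code as an added example (not part of the study guide): SLE = AV × EF, ALE = SLE × ARO, inherent vs. residual ALE, and the mitigation cost-benefit. The $60,000/year control cost is a constructed assumption; all other figures are the page's own.

```python
"""Quantitative risk math: SLE = AV x EF, ALE = SLE x ARO.

Added example, not from the study guide. Laptop figures ($2,000 AV,
EF 1.0, 5% theft rate across 1,000 laptops, EF 10% once encrypted) are
the page's; the $60,000/year control cost is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: value of one asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost per event (0..1)
    aro: float               # expected events per year for the whole scope

    def sle(self) -> float:
        """Single-loss expectancy: dollars lost in one event."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


def fleet_aro(asset_count: int, per_asset_rate: float) -> float:
    """ARO for a fleet when every asset shares the same annual event rate."""
    return asset_count * per_asset_rate


def control_value(inherent: Risk, residual: Risk, annual_cost: float) -> float:
    """Yearly ALE reduction minus the control's yearly cost.

    Positive means the control pays for itself (the page's 'mitigation ROI');
    negative means accepting or transferring the risk may be the better call.
    """
    return inherent.ale() - residual.ale() - annual_cost


def laptop_example() -> dict:
    aro = fleet_aro(1_000, 0.05)                       # 50 thefts/year
    inherent = Risk("laptop theft", 2_000, 1.0, aro)   # before controls
    # Encryption + MDM protects the data: EF drops to 10%, ARO is unchanged
    residual = Risk("laptop theft (encrypted)", 2_000, 0.10, aro)
    return {
        "sle": inherent.sle(),                          # 2,000 per event
        "ale_inherent": inherent.ale(),                 # 100,000 per year
        "ale_residual": residual.ale(),                 # 10,000 per year
        "control_value": control_value(inherent, residual, 60_000),  # 30,000
    }
```

The same `Risk` class reproduces any AV/EF/ARO exam item; skipping the ARO multiplication (reporting `sle()` as the annual figure) is the trap the page warns about.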
| Strategy (TAAM) | What it does | Exam cue |
|---|---|---|
| Transfer | Shift loss to a third party | “Buy cyber insurance,” “contractual indemnity” |
| Accept | Acknowledge & proceed, with sign-off | “Executive approves,” “exemption/exception” |
| Avoid | Do not engage in the activity | “Decline to enter the market” |
| Mitigate | Reduce likelihood or impact via controls | “Deploy MFA,” “patch the CVE” |

| BIA Metric | Asks | Exam cue |
|---|---|---|
| RTO | How long can we be down? | “Restore within 4 hours” |
| RPO | How much data loss can we tolerate? | “No more than 15 min of transactions” |
| MTTR | How long does a repair typically take? | “Average time to fix” |
| MTBF | How long between failures? | “Reliability — uptime between incidents” |
Three exam patterns run through 5.2: (1) do the SLE/ARO/ALE math when numbers are given; (2) match the scenario to TAAM (insurance = transfer, decline market = avoid, MFA = mitigate, exec sign-off = accept); (3) RTO vs. RPO — downtime vs. data-loss window.
A 2,000-person manufacturer is revising its cyber risk posture after three industry peers were hit by ransomware in the last year. The CFO wants to buy a larger cyber insurance policy and move on. The CISO wants to mitigate (EDR, segmentation, offline backups, IR retainers) before relying on insurance. The board meeting is in ten days.
Transfer vs. Mitigate — Ransomware Posture
Manufacturer · 2,000 employees · peer incidents
Transfer rarely stands alone. The canonical pattern is mitigate first (reduce the frequency and severity), then transfer the financial residual, then formally accept what remains — all documented in the risk register with the CEO or CRO signature on the acceptance. “Insurance is the whole plan” is the exam trap.
Insurers have caught on. Cyber policies now require evidence of MFA, EDR, backups, and IR plans before they will underwrite. Mitigation is often a precondition for transfer, not an alternative. When you present a risk decision to the board, lead with the combination: mitigate + transfer + accept the residual.
On the exam: “buy insurance” = transfer; “decline to do it” = avoid; “controls in place” = mitigate; “exec signs off and we proceed” = accept. Residual risk = what’s left after mitigation.
A manufacturing line is valued at $500,000. A specific attack scenario (ICS ransomware) would cause an estimated 40% loss of value if it occurs (production delay + restoration). Industry data suggests an annualized rate of occurrence of 0.25 (once every four years on average). You are presenting ALE to the CFO. Which figure is correct?
ALE = $200,000 per year
Computed as $500,000 × 40% = $200,000. Uses the single-loss figure as the annual figure.
ALE = $50,000 per year
Computed as SLE ($500,000 × 40% = $200,000) × ARO (0.25) = $50,000.
Option B is correct — ALE = SLE × ARO = $50,000/yr
Option B: SLE is the per-event loss ($500,000 × 0.40 = $200,000). ARO of 0.25 means one event every four years. ALE annualizes it: $200,000 × 0.25 = $50,000/yr. That’s the defensible number to compare against the cost of mitigation.
Option A’s trap: skipping the ARO multiplication. $200,000 is the SLE, not the ALE. Any answer that uses SLE as the annual figure is conflating the two. The exam rewards executing the second multiplication.
On the exam: always apply ARO. “Per event” → SLE. “Per year” → ALE. ALE is always ≤ SLE when ARO < 1, and ≥ SLE when ARO > 1.
5.2 questions test three patterns: (1) the math (SLE = AV × EF, ALE = SLE × ARO); (2) scenario-to-strategy mapping (TAAM: insurance→transfer, decline market→avoid, controls→mitigate, sign-off→accept); (3) BIA metrics (RTO=downtime, RPO=data loss). Any question with numbers — do the multiplications all the way through.
- A $60,000
- B $12,000
- C $80,000
- D $300,000
Correct: B. SLE = $80,000 × 0.75 = $60,000. ARO = 1/5 = 0.2 events per year. ALE = $60,000 × 0.2 = $12,000/yr.
A wrong: $60,000 is the SLE (per event), not the ALE.
C wrong: $80,000 is the full asset value, not a loss figure.
D wrong: Uses ARO of 5 instead of 0.2.
Source: CompTIA SY0-701 Objectives v5.0 — 5.2 Explain elements of the risk management process
- A Transfer
- B Accept
- C Avoid
- D Mitigate
Correct: C. Declining to engage in the activity that generates the risk is avoidance. Transfer shifts the impact (insurance). Accept acknowledges and proceeds. Mitigate applies controls.
A wrong: Nothing is being shifted to a third party.
B wrong: Acceptance proceeds; avoidance declines.
D wrong: No controls are being applied — the activity itself is not undertaken.
Source: CompTIA SY0-701 Objectives v5.0 — 5.2
- A RPO = 4 hours; RTO = 15 minutes
- B RTO = 4 hours; RPO = 15 minutes
- C MTTR = 4 hours; MTBF = 15 minutes
- D ALE = 4 hours; SLE = 15 minutes
Correct: B. RTO is the downtime tolerance (how long to restore). RPO is the data-loss tolerance (how much recent data we can lose). 4-hour restore and 15-minute data loss match RTO and RPO respectively.
A wrong: Swaps the definitions.
C wrong: MTTR/MTBF describe reliability, not planned objectives.
D wrong: ALE/SLE are monetary, not time.
Source: CompTIA SY0-701 Objectives v5.0 — 5.2