Risk Management Concepts
Identify, analyze, assess, prioritize, and implement risk management concepts
Risk management is the central decision mechanism in security — every security control exists to reduce risk. The core formula: Risk = Threat × Vulnerability × Impact.
Two analysis approaches: Quantitative (dollar values — SLE, ALE, ARO) and Qualitative (High/Medium/Low matrices). Four risk responses, remembered as MATA: Mitigate (reduce with controls), Accept (formally document), Transfer (insurance/contracts), Avoid (eliminate the activity).
The two analysis approaches deserve more detail: Qualitative uses categories (High/Medium/Low) and risk matrices — it is fast, subjective, and used when reliable data is limited. Quantitative uses dollar values (SLE, ALE, ARO) and requires reliable historical data to produce meaningful numbers. Most real-world organizations use a hybrid of both: qualitative to prioritize quickly, quantitative to justify budget for the top risks. The exam tests both approaches and expects you to identify which is being described.
The goal is never to eliminate risk. It is to reduce risk to an acceptable level, then have management formally accept the residual.
At a mature organization, quantitative risk analysis drives budget decisions. The formulas:
- SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
- ALE (Annualized Loss Expectancy) = SLE × ARO (Annualized Rate of Occurrence)
- Cost-benefit: a control is justified when its cost < (ALE (before) − ALE (after))
Example: A $1M e-commerce database has a 10% exposure factor and an ARO of 1. SLE = $100K. ALE = $100K. A WAF costing $50K/year drops ARO to 0.1, making new ALE = $10K. ALE reduction = $90K. Minus the $50K annual control cost = $40K net annual benefit. The control is justified because $50K < $90K in ALE reduction.
Qualitative analysis uses color-coded risk matrices (High/Medium/Low) when dollar values are unknown or impractical. Both approaches are valid — the exam tests whether you know which is which.
Risk frameworks guide how organizations structure their risk programs. Know these at a management level:
- NIST RMF (SP 800-37) — A 7-step lifecycle for federal systems: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. The U.S. government standard.
- ISO 27005 — The international standard for information security risk management. Aligns with ISO 27001 and provides a structured process: context establishment, risk identification, analysis, evaluation, and treatment.
- FAIR (Factor Analysis of Information Risk) — A quantitative model that breaks risk into measurable factors (threat event frequency, vulnerability, loss magnitude). Used to translate risk into financial terms for executive communication.
The risk register is the central tracking document. It is a living document that records every identified risk along with its assessment (likelihood + impact), chosen response (mitigate/accept/transfer/avoid), assigned owner, and current status. Management reviews the risk register regularly — it is not a one-time artifact. If a risk has no owner or the register hasn't been updated, the process is broken.
Residual risk is the risk that remains after controls are applied. This is critical: residual risk must be formally accepted by management. A signed acceptance means management understands and owns the remaining exposure. If management hasn't signed off, the risk management process is incomplete — the exam considers this a governance failure.
Risk assessment is not a one-time event. Continuous monitoring is required because the threat landscape changes, controls degrade over time, new vulnerabilities emerge, and business context shifts. The 2024 CISSP exam update emphasizes "continuous" in the monitoring requirement. Organizations must reassess risk on a regular cadence and whenever significant changes occur (new systems, new threats, mergers, regulatory changes).
| Formula | Definition | Example |
|---|---|---|
| SLE | Asset Value × Exposure Factor | $1M × 0.10 = $100K |
| ALE | SLE × ARO | $100K × 1 = $100K/yr |
| Benefit | ALE (before) − ALE (after) − Control Cost | $100K − $10K − $50K = $40K |

| Response | Action | Example |
|---|---|---|
| Mitigate | Reduce risk with controls | Deploy a WAF to reduce web app attacks |
| Accept | Formally document and acknowledge | Management signs off on low-probability risk |
| Transfer | Shift to third party | Cyber insurance, outsource to managed provider |
| Avoid | Eliminate the activity entirely | Discontinue a high-risk legacy service |

| Approach | Method | Output | When to Use | Exam Note |
|---|---|---|---|---|
| Quantitative | Dollar values, formulas (AV, EF, ARO) | SLE, ALE, cost-benefit | Reliable historical data available | "Calculate the ALE" = quantitative |
| Qualitative | Categories (High/Med/Low), expert judgment | Risk matrix, prioritized list | Data limited, subjective, or early-stage | "Rank these risks" = qualitative |
| Hybrid | Combines both approaches | Prioritized list + financial context | Most real-world scenarios | Most common in practice |
"Eliminate risk" is ALWAYS wrong on the exam. The correct answer is "reduce to an acceptable level." Risk can never be fully eliminated — only managed. If you see "eliminate" or "remove all risk" in an answer choice, it's a distractor.
Justifying the WAF (E-commerce company · $1M database · Budget review)
The CISO needs budget approval for a web application firewall. The CFO doesn't see the point.
In practice, quantitative analysis is harder than this. Getting accurate ARO numbers requires years of incident data. Many organizations use qualitative analysis (risk matrices) because they lack reliable frequency data. The exam expects you to know the formulas cold — real life is messier.
On the exam: If the question gives you dollar values and frequencies, it's testing quantitative analysis. If it describes a risk matrix or High/Med/Low ratings, it's qualitative. Don't mix them.
A vulnerability in your payment processing system has an ALE of $75K. The only vendor solution that addresses it costs $100K/year. No other commercial product covers this specific vulnerability.
Option A: Buy the $100K solution
Fix the vulnerability completely. Security is worth the investment — you can't put a price on protection.
Option B: Accept the risk or find a compensating control
A control should never cost more than the loss it prevents. Look for a cheaper alternative or formally accept the residual risk.
Option B is correct — controls must be cost-justified
Option B: Spending $100K to prevent a $75K loss is bad business. A security manager's job is to manage risk cost-effectively, not eliminate it at any price. The correct approach: look for a compensating control that costs less than $75K, or formally accept the residual risk with management sign-off.
Option A's kernel of truth: There are cases where compliance or regulatory requirements mandate a control regardless of cost-benefit. But the question says nothing about compliance — it's purely a risk management decision.
On the exam: if the control costs more than the ALE, the answer is never "buy it anyway." The answer is accept, transfer, or find a cheaper compensating control.
When you see asset values + exposure factors + frequencies: The exam is testing quantitative risk analysis. Calculate step by step: SLE first (AV × EF), then ALE (SLE × ARO). Watch for ARO tricks — "once every 2 years" = ARO of 0.5, not 2. "Twice a year" = ARO of 2, not 0.5. Read the frequency carefully.
- A $100,000
- B $50,000
- C $25,000
- D $250,000
Correct: B. SLE = $500,000 × 0.20 = $100,000. ARO = 0.5 (once every 2 years). ALE = $100,000 × 0.5 = $50,000. Option A ($100,000) is the SLE, not the ALE — a common trap. Option D uses ARO of 2.5 instead of 0.5.
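As an added example (not from this page, the exam, or any (ISC)2 material), a small Python model of the quantitative formulas above, covering the WAF cost-benefit check, the $75K-vs-$100K decision, and the ARO phrase traps; parse_aro, Risk and evaluate_control are hypothetical names, and the $100K vendor fix is assumed to remove the $75K risk entirely.

```python
import re
from dataclasses import dataclass

# Added example for this page; names are hypothetical, not from any CISSP or (ISC)2 material.
_COUNT = {"once": 1, "twice": 2}

def parse_aro(text: str) -> float:
    """Exam-style frequency phrase -> Annualized Rate of Occurrence.
    'once every 2 years' -> 0.5 (not 2), 'twice a year' -> 2.0 (not 0.5)."""
    m = re.fullmatch(r"(once|twice|(\d+) times)\s+(?:a|per|every)\s+(?:(\d+)\s+)?years?",
                     text.lower().strip())
    if not m:
        raise ValueError(f"unrecognised frequency: {text!r}")
    events = _COUNT.get(m.group(1)) or int(m.group(2))   # incidents per period
    years = int(m.group(3) or 1)                          # period length in years
    return events / years

@dataclass
class Risk:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # ARO, expected incidents per year

    @property
    def sle(self) -> float:  # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:  # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro

def evaluate_control(ale_before: float, ale_after: float, annual_cost: float) -> dict:
    """Cost-benefit test: a control is justified only when cost < ALE_before - ALE_after.
    Otherwise the remaining MATA options are accept, transfer, or a cheaper compensating control."""
    reduction = ale_before - ale_after
    return {
        "ale_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "response": "Mitigate" if annual_cost < reduction
                    else "Accept / Transfer / cheaper compensating control",
    }

if __name__ == "__main__":
    # WAF scenario: $1M database, EF 10%, ARO 1 -> 0.1 after the $50K/yr control.
    print(evaluate_control(Risk(1_000_000, 0.10, 1.0).ale, Risk(1_000_000, 0.10, 0.1).ale, 50_000))
    # Payment-system question: ALE $75K; assumed the $100K/yr vendor fix removes the risk entirely.
    print(evaluate_control(75_000, 0.0, 100_000))
    # Practice question: $500K asset, EF 20%, 'once every 2 years' -> SLE $100K, ALE $50K.
    q = Risk(500_000, 0.20, parse_aro("once every 2 years"))
    print(q.sle, q.ale)
```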