OBJECTIVE 5.2

Explain elements of the risk management process

Risk management is the continuous process of identifying, assessing, and responding to threats. Every security control exists because someone decided the risk justified the cost. This objective is math-heavy by Security+ standards — know the formulas.

Risk Concepts

Risk

The probability of a threat exploiting a vulnerability multiplied by the resulting impact.

Risk = Threat × Vulnerability × Impact

Threat

Any potential event that could cause harm, including threat actors (covered in 2.1) and natural disasters.

Vulnerability

A weakness that could be exploited (covered in 2.3).

Impact

The damage caused if the risk is realized — financial loss, reputation damage, regulatory penalties, operational disruption.

Likelihood

The probability that a threat will exploit a vulnerability. Ranges from rare to almost certain.

Risk Assessment

Qualitative

Subjective assessment using categories rather than numbers.

  • Likelihood: Low / Medium / High
  • Impact: Low / Medium / High
  • Risk matrix: Plot likelihood vs. impact on a grid to prioritize risks
  • Faster and easier but less precise. Good for initial prioritization.

Quantitative

Assigns dollar values to risk components.

Key formulas:

Term                                  Formula     Meaning
AV (Asset Value)                      -           Dollar value of the asset
EF (Exposure Factor)                  -           Percentage of asset lost in a single event (0-100%)
SLE (Single Loss Expectancy)          AV × EF     Dollar loss per incident
ARO (Annualized Rate of Occurrence)   -           How many times per year the event is expected
ALE (Annualized Loss Expectancy)      SLE × ARO   Expected yearly loss

Example: Server worth $50,000 (AV). Fire would destroy 80% (EF). SLE = $50,000 × 0.8 = $40,000. Fires expected once per 10 years (ARO = 0.1). ALE = $40,000 × 0.1 = $4,000/year. If a fire suppression system costs $3,000/year, that is less than the expected annual loss, so it’s worth the investment.

Exam tip: Know how to calculate SLE and ALE. These are frequently tested.
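The SLE/ALE arithmetic above carried through to a mitigate-or-accept decision, as an added example that is not part of the original notes. It reproduces the $50,000 server / 80% / once-per-10-years figures from the example; the control effects (suppression limiting damage to 10% of the asset, a hot spare costing $5,000/year) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class Risk:
    name: str
    av: float   # Asset Value (AV) in dollars
    ef: float   # Exposure Factor (EF) as a fraction, 0.0-1.0 (80% -> 0.8)
    aro: float  # Annualized Rate of Occurrence (ARO), events per year

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0 or self.av < 0 or self.aro < 0:
            raise ValueError("EF must be 0.0-1.0; AV and ARO cannot be negative")

    def sle(self) -> float:  # Single Loss Expectancy = AV x EF
        return self.av * self.ef
    def ale(self) -> float:  # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float
    new_ef: Optional[float] = None   # EF after the control; None = unchanged
    new_aro: Optional[float] = None  # ARO after the control; None = unchanged

def residual(risk: Risk, control: Control) -> Risk:
    """The risk left over once a mitigation has reduced EF and/or ARO."""
    ef = risk.ef if control.new_ef is None else control.new_ef
    aro = risk.aro if control.new_aro is None else control.new_aro
    return Risk(risk.name, risk.av, ef, aro)

def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit = ALE before - ALE after - annual cost of the control.
    Positive: mitigate with it. Zero or negative: accepting the risk is cheaper."""
    return risk.ale() - residual(risk, control).ale() - control.annual_cost

def recommend(risk: Risk, controls: List[Control]) -> Tuple[str, float]:
    """Pick the control with the highest net value, or 'accept' if none pays for itself."""
    scored = sorted(((control_value(risk, c), c.name) for c in controls), reverse=True)
    if not scored or scored[0][0] <= 0:
        return ("accept", 0.0)
    return (scored[0][1], scored[0][0])

# Constructed inputs reproducing the page's example: $50,000 server, fire destroys 80%, one fire per 10 years.
SERVER_FIRE = Risk("server destroyed by fire", av=50_000, ef=0.8, aro=0.1)
# Assumed control effects (not stated on the page): suppression limits damage to 10% of the asset;
# a replicated hot spare eliminates the loss but its yearly cost exceeds the $4,000 ALE.
CANDIDATES = [Control("fire suppression", annual_cost=3_000, new_ef=0.1),
              Control("hot spare site", annual_cost=5_000, new_ef=0.0)]
```

Note that a control is only justified by the ALE it removes: a $5,000/year control against a $4,000/year ALE has negative value even though it eliminates the loss entirely, which is exactly the "cost of mitigation exceeds the potential loss" case for acceptance.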

Risk Response Strategies

Avoid

Eliminate the risk entirely by eliminating the activity or asset.

  • Don’t store data you don’t need. Don’t run services you don’t use.
  • Most effective but may eliminate business opportunity too.

Transfer (Share)

Shift the financial impact to a third party.

  • Cyber insurance: Covers costs of breach response, legal fees, regulatory fines
  • Outsourcing: Transfer operational risk to a service provider (they handle security)
  • Transfers financial impact, not accountability. You’re still responsible to your customers.

Mitigate (Reduce)

Implement controls to reduce likelihood or impact.

  • Most common response. Install firewalls, encrypt data, train users, patch systems.
  • Controls have cost — the spend should be proportional to the risk reduction.

Accept

Acknowledge the risk and proceed without additional controls.

  • Appropriate when the cost of mitigation exceeds the potential loss
  • Must be a documented, conscious decision by management — not ignorance or neglect
  • Residual risk (risk remaining after controls) is always accepted to some degree

Risk Appetite and Tolerance

Risk Appetite

The level of risk an organization is willing to accept to achieve its objectives. Set by executive leadership/board.

  • Conservative org (healthcare, finance): low risk appetite
  • Startup: higher risk appetite for speed to market

Risk Tolerance

The acceptable variation from the risk appetite for specific areas.

  • “We accept moderate risk for IT systems but zero tolerance for patient data exposure.”

Risk Threshold

The specific point at which risk becomes unacceptable and requires action.

Risk Register

A documented list of identified risks with:

  • Description of each risk
  • Likelihood and impact assessment
  • Current controls in place
  • Risk owner (person accountable)
  • Response strategy
  • Status and review dates

Living document — reviewed and updated regularly. The primary artifact of risk management.

Business Impact Analysis (BIA)

Identifies critical business functions and the impact of their disruption.

Key metrics defined by BIA:

  • RTO (Recovery Time Objective): Maximum acceptable downtime
  • RPO (Recovery Point Objective): Maximum acceptable data loss
  • MTBF (Mean Time Between Failures): Average uptime between failures
  • MTTR (Mean Time to Repair): Average time to restore after failure

BIA output drives:

  • Which systems get the most resilience investment
  • Recovery site selection (hot/warm/cold)
  • Backup frequency and retention

Key Risk Indicators (KRIs)

Metrics that signal increasing risk:

  • Number of unpatched critical vulnerabilities
  • Phishing click rates trending upward
  • Increase in failed login attempts
  • Compliance audit findings increasing

Offensive Context

Risk management from the offensive perspective is target selection. An attacker evaluates targets the same way a risk assessor evaluates threats — what’s the likelihood of success (vulnerability + exposure) and what’s the payoff (asset value)? Organizations that do risk management well make themselves expensive targets with low payoff. Organizations that don’t make themselves cheap targets with high payoff. The attacker’s ROI calculation is your risk equation in reverse.