Risk Management Guide for CompTIA Security+: A Complete Walkthrough
Risk management is one of the most practical topics on the Security+ exam. Learn how to identify, assess, analyze, and mitigate risks using qualitative and quantitative methods.
The Risk Management Process
Risk management follows a structured process:
Risk identification — identify assets, threats, and vulnerabilities that could affect the organization.
Risk assessment — evaluate the likelihood and potential impact of each risk.
Risk analysis — quantify or qualify the risk level to prioritize.
Risk mitigation — apply controls to reduce risk to an acceptable level.
Risk monitoring — continuously reassess risks and control effectiveness.
The fundamental risk formula: Risk = Threat × Vulnerability × Impact. A risk exists only when a threat can exploit a vulnerability to cause harm. If any element is zero, there is no risk.
Qualitative vs Quantitative Risk Analysis
Qualitative risk analysis uses subjective judgments to rank risks by probability and impact. Output: a risk matrix with Low, Medium, and High rankings. Tools: Delphi technique (expert consensus), brainstorming, surveys, and scenario analysis. Fast and easy but depends on assessor experience.
Quantitative risk analysis uses numerical values and formulas. Key metrics:
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor — the cost of a single incident.
ARO (Annualized Rate of Occurrence) — how many times per year the incident is expected.
ALE (Annualized Loss Expectancy) = SLE × ARO — the yearly expected cost.
Example: A server worth $50,000 has an exposure factor of 40% ($20,000 SLE). Phishing attacks are expected 4 times per year (ARO = 4). ALE = $20,000 × 4 = $80,000. If a security control costs $30,000/year to implement and reduces ARO to 1, the new ALE is $20,000. Total cost with control: $30,000 + $20,000 = $50,000 — a savings of $30,000/year.
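The calculation above, carried through in code as an added example (not part of the original guide): it computes SLE and ALE, then ranks candidate controls by net annual savings (ALE before, minus ALE after, minus the control's yearly cost). The server, exposure factor, ARO and the $30,000 control come from the example; the two alternative controls are constructed values for comparison.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Control:
    """A candidate security control and its expected effect on the risk."""
    name: str
    annual_cost: float      # yearly cost to run the control
    new_aro: float          # ARO expected once the control is in place
    new_ef: Optional[float] = None  # set only if the control also lowers the EF

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor

def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return single_loss * aro

def evaluate_control(asset_value, ef, aro, control):
    """Cost-benefit of one control against the uncontrolled ALE."""
    ale_before = ale(sle(asset_value, ef), aro)
    ef_after = control.new_ef if control.new_ef is not None else ef
    ale_after = ale(sle(asset_value, ef_after), control.new_aro)
    total_with_control = ale_after + control.annual_cost
    net_savings = ale_before - total_with_control
    return {
        "control": control.name,
        "ale_before": round(ale_before, 2),
        "ale_after": round(ale_after, 2),
        "total_with_control": round(total_with_control, 2),
        "net_savings": round(net_savings, 2),
        # Positive net savings: mitigate. Otherwise the control costs more
        # than the loss it prevents, the textbook case for risk acceptance.
        "decision": "mitigate" if net_savings > 0 else "accept",
    }

def rank_controls(asset_value, ef, aro, controls):
    """Evaluate every candidate and order them by net annual savings."""
    results = [evaluate_control(asset_value, ef, aro, c) for c in controls]
    return sorted(results, key=lambda r: r["net_savings"], reverse=True)

if __name__ == "__main__":
    # The guide's $30,000 control plus two constructed alternatives.
    candidates = [
        Control("control from the worked example", 30_000, new_aro=1),
        Control("awareness training (constructed)", 5_000, new_aro=2),
        Control("full outsourcing (constructed)", 90_000, new_aro=0),
    ]
    for r in rank_controls(50_000, 0.40, 4, candidates):
        print(f"{r['control']:<40} ALE after ${r['ale_after']:>9,.0f} "
              f"net savings ${r['net_savings']:>9,.0f} -> {r['decision']}")
```

Note that the cheaper training control ranks above the page's control even though it leaves a higher ALE, and the most effective control ranks last because its cost exceeds the $80,000 it prevents.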
Business Impact Analysis (BIA)
A BIA identifies critical business functions and determines the impact of their disruption. Key outputs:
RTO (Recovery Time Objective) — maximum acceptable downtime. How quickly must a system be restored? Example: e-commerce site RTO = 4 hours.
RPO (Recovery Point Objective) — maximum acceptable data loss measured in time. Example: RPO = 1 hour means up to 1 hour of data could be lost.
MTD (Maximum Tolerable Downtime) — the total time a business function can be unavailable before causing irreparable harm.
The BIA also identifies: critical systems and dependencies, financial and operational impacts of disruption, regulatory compliance requirements, and recovery priorities (which systems to restore first).
Risk Responses
Once risks are identified and analyzed, organizations choose a response:
Risk Mitigation (Reduction) — apply controls to reduce likelihood or impact. This is the most common response. Example: installing a firewall to reduce network intrusion risk.
Risk Transfer — shift financial burden to a third party. Example: cybersecurity insurance, outsourcing to a managed security provider.
Risk Acceptance — acknowledge the risk and choose not to mitigate it. Used when the cost of mitigation exceeds the potential loss. Acceptance must be documented and approved by management.
Risk Avoidance — eliminate the risk by discontinuing the activity. Example: shutting down a legacy system instead of patching it.
Risk Register — a document that records all identified risks, their assessment, planned responses, and status. The risk register is a living document, updated throughout the risk management process.