Risk Management in Cybersecurity: Assessment, Analysis, and Mitigation
Risk management is the process of identifying, assessing, and prioritizing risks, followed by coordinated application of resources to minimize their impact. It's a core domain of the Security+ exam.
The Risk Management Process
Risk management follows a structured process: (1) Identify assets and threats — determine what needs protection and what threatens it, (2) Assess risk — evaluate the likelihood and impact of each threat, (3) Analyze risk — quantify or qualify the risk level, (4) Mitigate risk — apply controls to reduce risk to an acceptable level, (5) Monitor and review — continuously reassess risks and control effectiveness.
Risk is commonly expressed as Risk = Threat × Vulnerability × Impact. Treat this as a conceptual relationship rather than a literal arithmetic product: a risk exists only when a threat can exploit a vulnerability to cause harm, so if any one factor is absent (no threat actor, no exploitable weakness, or no meaningful consequence) there is no risk to manage.
- Risk = Threat × Vulnerability × Impact
- Five-step process: Identify, Assess, Analyze, Mitigate, Monitor
- Risk can never be eliminated entirely; controls leave residual risk, which must be brought down to a level the organization is willing to accept
- Risk appetite determines how much risk an organization accepts
Qualitative vs Quantitative Risk Analysis
Qualitative risk analysis uses subjective judgments to prioritize risks based on probability and impact. Risks are often ranked on a matrix as Low, Medium, or High. Common tools include Delphi technique (expert consensus), brainstorming, and scenario analysis. Qualitative analysis is faster but depends on the experience of the assessors.
Quantitative risk analysis uses numerical values and formulas to calculate risk in monetary terms. Key formulas:
SLE (Single Loss Expectancy) = Asset Value × Exposure Factor. The exposure factor (EF) is the fraction of the asset's value lost in a single incident, so a 40% loss is used as 0.40 in the calculation.
ARO (Annualized Rate of Occurrence) = how many times the incident is expected to occur per year. It can be a fraction: an event expected once every 10 years has an ARO of 0.1.
ALE (Annualized Loss Expectancy) = SLE × ARO. ALE is the figure you compare with the annual cost of a control: a control is cost-justified when the reduction in ALE it produces (ALE before minus ALE after) exceeds its annual cost.
Quantitative analysis provides concrete dollar figures but requires reliable asset valuations and incident-frequency data, which are often estimates themselves, and it is slower to perform.
- Qualitative: based on judgment and experience — outputs Low/Medium/High rankings
- Quantitative: based on monetary formulas — SLE, ARO, ALE
- SLE = Asset Value × Exposure Factor
- ALE = SLE × ARO
- Most organizations use a combination of both methods
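Worked example of the quantitative formulas above, carried through to the safeguard cost/benefit decision. This is added for illustration and is not from the Security+ exam objectives or any vendor material; the asset value, exposure factor, ARO and control costs are constructed figures, and the Scenario and Safeguard names are this example's own:

```python
"""Quantitative risk analysis in code: SLE, ARO, ALE and safeguard
cost/benefit. Added example for this study page; all figures below
are constructed, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario as it would appear in a risk register."""
    name: str
    asset_value: float      # business/replacement value of the asset
    exposure_factor: float  # fraction of asset value lost per incident, 0.0..1.0
    aro: float              # expected incidents per year; 0.1 = once every ten years

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the scenario values it would leave behind."""
    name: str
    annual_cost: float          # purchase amortized per year plus operating cost
    new_exposure_factor: float  # EF after the control (impact reduction)
    new_aro: float              # ARO after the control (likelihood reduction)


def safeguard_value(s: Scenario, c: Safeguard) -> float:
    """Net annual value of a control:
    (ALE before) - (ALE after) - (annual cost of the control).
    Positive: the control pays for itself. Negative: accepting the risk
    is cheaper than this control."""
    after = Scenario(s.name, s.asset_value, c.new_exposure_factor, c.new_aro)
    return ale(s) - ale(after) - c.annual_cost


def recommend(s: Scenario, candidates: list[Safeguard]) -> tuple[str, float]:
    """Pick the control with the highest net value. If none has a positive
    net value, the economically justified response is to accept the risk
    (documented in the risk register) or look for a cheaper control."""
    best = max(candidates, key=lambda c: safeguard_value(s, c), default=None)
    if best is None or safeguard_value(s, best) <= 0:
        return ("accept", 0.0)
    return (best.name, safeguard_value(s, best))


# Constructed scenario: a customer database valued at 500,000; a ransomware
# incident is assumed to destroy 40% of its value about once every two years.
DB_RANSOMWARE = Scenario("customer DB ransomware", 500_000, 0.40, 0.5)

# Constructed candidate controls; the figures are illustrative only.
CONTROLS = [
    Safeguard("offline backups + tested restore", 30_000, 0.05, 0.5),  # cuts impact
    Safeguard("EDR + phishing training", 60_000, 0.40, 0.1),           # cuts likelihood
    Safeguard("gold-plated DR site", 150_000, 0.01, 0.1),              # cuts both, too costly
]

if __name__ == "__main__":
    print(f"SLE = {sle(DB_RANSOMWARE):,.0f}   ALE = {ale(DB_RANSOMWARE):,.0f}")
    for c in CONTROLS:
        print(f"{c.name:36s} net value {safeguard_value(DB_RANSOMWARE, c):>10,.0f}")
    print("recommendation:", recommend(DB_RANSOMWARE, CONTROLS))
```

For the constructed figures, SLE is 200,000 and ALE is 100,000; offline backups come out with the highest net value because they cut the exposure factor sharply at modest cost, while the DR site reduces the risk the most but costs more than the risk it removes. A control can act on the exposure factor (impact), the ARO (likelihood), or both, and the same arithmetic decides between them.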
Business Impact Analysis (BIA)
A Business Impact Analysis (BIA) identifies critical business functions and determines the impact of their disruption. The BIA produces two key metrics:
RTO (Recovery Time Objective) — the maximum acceptable time a system can be down after an incident. For example, an e-commerce site might have an RTO of 4 hours.
RPO (Recovery Point Objective) — the maximum acceptable data loss measured in time. For example, an RPO of 1 hour means up to 1 hour of data could be lost.
The BIA also identifies critical systems, dependencies between systems, and the financial and operational impacts of disruptions.
- BIA identifies critical functions and their recovery priorities
- RTO = how quickly must the system be restored? (time-based)
- RPO = how much data loss is acceptable? (time-based, not data volume)
- Shorter RTO/RPO = higher cost (requires more redundancy)
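A check of a recovery plan against its BIA targets, as an added example (not from the page or any standard); the system inventory and timings are constructed. It assumes that worst-case data loss is the backup interval plus the time a backup run takes to complete (a failure during a run leaves the previous copy as the last good one), and that worst-case downtime includes detection and verification, not just the restore step:

```python
"""Check recovery plans against BIA targets (RTO and RPO).

Added example for this study page; the inventory below is constructed.
Assumptions: worst-case data loss = backup interval + backup run time;
worst-case downtime = detection + restore + verification."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryPlan:
    system: str
    rto_hours: float               # BIA target: maximum tolerable downtime
    rpo_hours: float               # BIA target: maximum tolerable data loss, in time
    backup_interval_hours: float   # how often a restorable copy is taken
    backup_duration_hours: float   # how long one backup or replication run takes
    detect_hours: float            # failure -> noticed and disaster declared
    restore_hours: float           # measured in a restore drill, not a vendor estimate
    verify_hours: float            # smoke tests before returning to service


def worst_case_data_loss(p: RecoveryPlan) -> float:
    """Hours of data at risk if the failure hits just before a run completes."""
    return p.backup_interval_hours + p.backup_duration_hours


def worst_case_downtime(p: RecoveryPlan) -> float:
    """Hours from failure to the system being back in verified service."""
    return p.detect_hours + p.restore_hours + p.verify_hours


def evaluate(p: RecoveryPlan) -> dict:
    """Compare the plan with its BIA targets. Where the RPO is missed,
    also report the longest backup interval that would satisfy it."""
    loss = worst_case_data_loss(p)
    down = worst_case_downtime(p)
    result = {
        "system": p.system,
        "data_loss_hours": loss,
        "downtime_hours": down,
        "rpo_met": loss <= p.rpo_hours,
        "rto_met": down <= p.rto_hours,
    }
    if not result["rpo_met"]:
        # interval + duration must be <= RPO, so interval <= RPO - duration
        result["max_backup_interval_hours"] = max(0.0, p.rpo_hours - p.backup_duration_hours)
    return result


def violations(plans: list[RecoveryPlan]) -> list[str]:
    """One human-readable finding per missed target."""
    findings = []
    for p in plans:
        r = evaluate(p)
        if not r["rpo_met"]:
            findings.append(
                f"{p.system}: RPO {p.rpo_hours}h missed, worst-case loss "
                f"{r['data_loss_hours']}h; back up at most every "
                f"{r['max_backup_interval_hours']}h"
            )
        if not r["rto_met"]:
            findings.append(
                f"{p.system}: RTO {p.rto_hours}h missed, worst-case downtime "
                f"{r['downtime_hours']}h"
            )
    return findings


# Constructed inventory. The web store backs up hourly but each run takes
# 15 minutes, so its real exposure is 1.25 h against a 1 h RPO. Payroll's
# restore was measured at 30 h in a drill against a 24 h RTO.
PLANS = [
    RecoveryPlan("web store", rto_hours=4, rpo_hours=1,
                 backup_interval_hours=1, backup_duration_hours=0.25,
                 detect_hours=0.5, restore_hours=2, verify_hours=0.5),
    RecoveryPlan("payroll", rto_hours=24, rpo_hours=24,
                 backup_interval_hours=12, backup_duration_hours=2,
                 detect_hours=1, restore_hours=30, verify_hours=1),
    RecoveryPlan("intranet wiki", rto_hours=72, rpo_hours=24,
                 backup_interval_hours=12, backup_duration_hours=0.5,
                 detect_hours=8, restore_hours=4, verify_hours=1),
]

if __name__ == "__main__":
    for finding in violations(PLANS):
        print(finding)
```

Two findings come out of the constructed inventory: the web store misses its RPO despite hourly backups (it would need a run at most every 0.75 h, or a faster backup), and payroll misses its RTO on restore time alone. The restore figure is the one most often taken from a vendor estimate instead of a drill, which is why a BIA is only as good as the tests behind the numbers.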
Risk Mitigation Strategies
Once risks are identified and analyzed, organizations choose one of four responses:
Risk Mitigation (Reduction) — applying controls to reduce the likelihood or impact of a risk. Example: installing firewalls to reduce the risk of network intrusion.
Risk Transfer — shifting the financial consequences of a risk to a third party. Example: cybersecurity insurance, or outsourcing a function to a provider under contract. Transfer moves cost, not accountability: the organization still owns the risk and any regulatory obligations that come with it.
Risk Acceptance — acknowledging the risk and choosing to accept it without further mitigation. Appropriate when the cost of mitigation exceeds the expected loss (the ALE). Accepted risks are recorded in the risk register with an owner and reviewed periodically, since the likelihood or impact may change.
Risk Avoidance — eliminating the risk by discontinuing the activity that creates it. Example: shutting down a vulnerable legacy system rather than patching it.
- Mitigation: reduce risk with controls (most common)
- Transfer: shift risk to a third party (insurance, outsourcing)
- Acceptance: acknowledge and monitor risk (documented in risk register)
- Avoidance: eliminate the activity causing the risk
Exam Tip
Be ready to calculate SLE = Asset Value × EF and ALE = SLE × ARO, and to compare ALE reduction against the annual cost of a control; these calculations appear on the exam. Understand RTO vs RPO: RTO is the maximum tolerable downtime (time to restore), RPO is the acceptable data loss expressed in time (which sets backup frequency). Know the four risk responses and when each is appropriate.