Chapter 34 Risk Management

Chapter 34 of the Security+ Exam SY0-601 focuses on risk management concepts and processes essential for maximizing business returns. It discusses various types of risks, including external and internal threats, legacy systems, and intellectual property theft, as well as strategies for managing these risks such as avoidance, transference, and mitigation. The chapter emphasizes the importance of risk awareness, assessment, and the continuous evaluation of residual risks to maintain a secure business environment.
Security+ Exam SY0-601
Chapter 34 Risk Management (Domain 5.4)

Learning Objectives

• Explore risk management concepts

• Examine processes used in risk management

RISK MANAGEMENT

• Risk management is a core business function of an enterprise because it is through the risk management process that an enterprise can maximize its return on investments.

• Understanding the business impact of the operations associated with the enterprise is key to business success.

• This can be accomplished using a business impact analysis (BIA).

• Using the data from the analysis, coupled with a threat analysis and a risk assessment process, the enterprise can come to an understanding of the sources of the risk elements it faces and their level of intensity.

RISK TYPES

• External threats

– Come from outside the organization and, by definition, begin without access to the system.

– Access is reserved for users who have a business need to know and have authorized accounts on the system, so outsiders must first hijack one of these accounts.

– This extra step and the reliance on external connections typically make external attackers easier to detect.

RISK TYPES

• Internal threats

– Include disgruntled employees and well-meaning employees who make mistakes or have an accident. Internal threats tend to be more damaging, as the perpetrator has already been granted some form of access.

– The risk is related to the level of access and the value of the asset being worked on.

– For instance, if a system administrator working on the domain controller accidentally erases a critical value and crashes the system, it can be just as costly as an unauthorized outsider performing a DoS attack against the enterprise.

RISK TYPES

• Legacy systems

– Older, pre-existing systems.

– Technical debt is the cost incurred over time as a result of not maintaining a system completely.

– A common reason for not updating or upgrading a system is the fear that it will break something or void a warranty in place.

– In a world with constantly evolving threats and risk vectors, the inability to respond is a risk in itself.

RISK TYPES

• Multiparty

– When a system has multiple parties, each with its own risk determinations, the management of the overall risk equation gets complicated.

– If a firm is negotiating to make a major system change, and all the stakeholders are within the firm, then it is still considered a single party.

– If the financing for the project is from another firm, and subcontractors are involved, other parties' determinations of acceptable risk levels become an issue very quickly.

RISK TYPES

• IP (Intellectual Property) Theft

– IP theft can seriously damage a company's future health.

– Unlike physical assets, digital assets can be stolen merely through copying, and this is the pathway attackers use for IP data.

– IP theft is hard to attribute, and once the copy is in the marketplace, the only resort is the courts via trade secret and patent protection actions.

– This is a very significant issue with international state-sponsored attacks, as the legal recourses are challenging to use effectively.

– Investigation and prosecution of IP theft are major items pursued by the FBI as part of its cybersecurity strategy.

RISK TYPES

• Software Compliance/Licensing

– Software enters the enterprise via licensing, and in many cases its lawful use rests on trust.

– Copies of many software products can be made and used without licenses, and this creates software compliance/licensing risk.

– This form of risk is best battled using policies and procedures that prohibit the activity, followed by internal audits that verify compliance with the policies.

RISK MANAGEMENT STRATEGIES

• Risk management can best be described as a decision-making process.

• Risk management strategies include elements of threat assessment, risk assessment, and security implementation concepts, all positioned within the concept of business management.

• When you manage risk, you determine what could happen to your business, you assess the impact if it were to happen, and you decide what you could do to control that impact as much as you or your management team deems necessary.

• It is an iterative, ongoing process.

RISK MANAGEMENT STRATEGIES

• Risks cannot be removed or eliminated.

• You can take actions to change the effect a risk has on a system, but the underlying risk (the threat and what it could do) does not change, no matter what actions you take to mitigate it. A high risk remains a high risk in that sense; what the strategies below change is the system's exposure, the likelihood, or the impact.

• Strategies to reduce risk:
– Avoid
– Transfer
– Mitigate
– Accept

RISK MANAGEMENT STRATEGIES

• Understand that risk cannot be completely eliminated.

• A risk that remains after implementing controls is termed a residual risk.

• You have to further evaluate residual risks to identify where additional controls are required to reduce risk even more.

Acceptance

• When you are analyzing a specific risk, after weighing the cost to avoid, transfer, or mitigate the risk against the probability of its occurrence and its potential impact, sometimes the best response is to accept the risk.

• However, there should always be some additional controls, such as a management review or a standardized approval process, to ensure the assumed risk is adequately managed and the decision to accept it is recorded.

Avoidance

• Avoiding the risk can be accomplished in many ways.

• Although you cannot remove threats from the environment, you can alter the system's exposure to the threats.

• Not deploying a module that increases risk is one manner of risk avoidance.

Transference

• Transference of risk is when the risk in a situation is covered by another entity.

• The mistake many make is assuming that the whole risk transfers. The only risk transference that occurs across these legal agreements is what is defined in the contract; the enterprise remains accountable for everything the contract does not cover.

• Cybersecurity Insurance
– A common method of transferring risk is to purchase cybersecurity insurance. Insurance allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost.

Mitigation

• Risk can also be mitigated through the application of controls that reduce the impact of an attack.

• Controls can alert operators so that the level of exposure is reduced through process intervention.

• When an action occurs that is outside the accepted risk profile, a second set of rules can be applied, such as calling the customer for verification before committing a transaction.

• Controls such as these can act to reduce the risk associated with potential high-risk operations.

RISK ANALYSIS

• To manage risk, there needs to be a measurement of loss, and potential loss, and much of this information comes by way of risk analysis.

• Risk analysis is performed via a series of specific exercises that reveal the presence and level of risk across an enterprise.

• Then, through further analysis, the information can be refined into a workable plan to manage the risk to an acceptable level.

Risk Register

• A risk register is a list of the risks associated with a system.

• It also can contain additional information associated with each risk element, such as categories to group like risks, probability of occurrence, impact to the organization, mitigation factors, and other data.

• There is no standardized form.

• The Project Management Institute has one format; other sources have different formats.

• The reference document ISO Guide 73:2009 Risk Management—Vocabulary defines a risk register to be a "record of information about identified risks."

Risk Matrix/Heat Map

• A risk matrix or heat map is used to visually display the results of a qualitative risk analysis.

• This method allows expert judgment and experience to assume a prominent role in the risk assessment process and is easier than trying to exactly define a number for each element of risk.

• To assess risk qualitatively, you first determine the likelihood of a threat occurring and also the consequence should it occur.

• You then take the value of each and multiply them together to get the risk value.

Risk Matrix/Heat Map

[Figure: example risk matrix/heat map; the image is not reproduced in this extraction.]

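The two slides above (the risk register and the qualitative heat map) describe a procedure without showing one. The following is an added example written for this page, not code from the Security+ slides or from the book they summarize. It builds a small risk register, scores each entry as likelihood × consequence on 1 to 5 scales, bands the result, and renders a text heat map. The register entries, the five-point scales, and the Low/Medium/High cut-offs are all assumptions chosen for illustration; the slides only say that likelihood and consequence are multiplied.

```python
"""Qualitative risk scoring over a small risk register (added example).

Not from the SY0-601 slides. The register entries, the 1-5 ordinal scales
and the Low/Medium/High cut-offs are assumptions for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scales (assumed). The slide says only "likelihood" and "consequence".
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def band_for(score: int) -> str:
    """Map a 1-25 product onto the three colours of a heat map (cut-offs assumed)."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of a risk register: category, likelihood, impact, mitigation (per the slide)."""
    risk_id: str
    description: str
    category: str
    likelihood: str
    consequence: str
    mitigation: str = ""

    def score(self) -> int:
        # Risk value = likelihood x consequence, as the heat-map slide states.
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def band(self) -> str:
        return band_for(self.score())


# Constructed register entries, chosen to match the risk types in this chapter.
REGISTER = [
    RiskEntry("R-1", "Unpatched legacy file server", "legacy systems", "likely", "major", "network segmentation"),
    RiskEntry("R-2", "Admin error on domain controller", "internal threat", "possible", "severe", "change control, backups"),
    RiskEntry("R-3", "Unlicensed software installs", "licensing", "likely", "minor", "policy plus internal audit"),
    RiskEntry("R-4", "Phishing of finance staff", "external threat", "almost certain", "moderate", "awareness training, MFA"),
    RiskEntry("R-5", "Flood at secondary site", "disaster", "rare", "major", "insurance"),
]


def heat_map(register: list[RiskEntry]) -> dict[tuple[int, int], list[str]]:
    """Group risk IDs by (likelihood, consequence) cell, ready for plotting."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        key = (LIKELIHOOD[r.likelihood], CONSEQUENCE[r.consequence])
        cells.setdefault(key, []).append(r.risk_id)
    return cells


def render(register: list[RiskEntry]) -> str:
    """Text heat map: rows are likelihood 5..1 (top = most likely), columns consequence 1..5."""
    cells = heat_map(register)
    lines = ["L\\C " + " ".join(f"{c:>6}" for c in range(1, 6))]
    for l in range(5, 0, -1):
        row = [f"{'/'.join(cells.get((l, c), [])) or '.':>6}" for c in range(1, 6)]
        lines.append(f"{l:>3} " + " ".join(row))
    return "\n".join(lines)


def ranked(register: list[RiskEntry]) -> list[tuple[str, int, str]]:
    """Rank order for treatment, highest score first (stable for ties)."""
    return sorted(((r.risk_id, r.score(), r.band()) for r in register),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print(render(REGISTER))
    for rid, score, band in ranked(REGISTER):
        print(f"{rid}: {score:2d} {band}")
```

The ranked list, not the grid, is what a risk committee acts on: ties at the same score (R-2 and R-4 here) are exactly where expert judgment has to break the tie, which is the point the slide makes about qualitative analysis.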
Risk Control Assessment

• A risk control assessment is a tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with its member institutions.

• Questions are asked about a wide range of topics, including cybersecurity.

• Answers to these questions paint a fairly detailed picture of the potential risk exposures a firm has, given its policies and practices.

Risk Control Self-Assessment

• Risk control self-assessment is a technique that employs management and staff of all levels to identify and evaluate risks and their associated controls.

• This information is collected and analyzed to produce a more comprehensive map of risks and the controls in place to address them.

• Engaging multiple viewpoints in the collection of information, identifying risk exposures, and determining corrective actions provides different perspectives and can uncover unnoticed vulnerabilities.

Risk Awareness

• Risk awareness is knowledge of risk and its consequences.

• Risk awareness is essential for a wide range of personnel, with the content tailored to their contributions to the enterprise.

• Workers need to understand the risks of, and defenses against, social engineering.

• System designers need to understand the risks and vulnerabilities of the systems.

• Management and executives need to understand the whole risk ecosystem.

Inherent Risk

• Inherent risk is formally defined as the amount of risk that exists in the absence of controls.

• This can be confusing, as the definition of "no controls" could include no access controls, no door locks, no personnel background checks; in essence an environment in which everything becomes high risk.

• A more practical working definition is that inherent risk is the current risk level given the existing set of controls, rather than the hypothetical notion of an absence of any controls.

• And as the environment changes, so can the inherent risk.



Residual Risk

• The presence of risks in a system is an absolute: they cannot be removed or eliminated.

• As mentioned previously in this chapter, four actions can be taken to respond to risk: accept, transfer, avoid, and mitigate.

• Whatever risk is not transferred, mitigated, or avoided is referred to as residual risk and, by definition, is accepted.

• You cannot eliminate residual risk, but you can manage risk to drive residual risk to an acceptable level.

Control Risk

• Control risk is a term used to specify the risk associated with the chance of a material misstatement in a company's financial statements.

• This risk can be manifested in a couple of ways: either there is not an appropriate set of internal controls to mitigate a particular risk, or the internal controls set in place malfunctioned.

• Business systems that rely on IT systems have an inherent risk associated with cybersecurity risks.

• What makes these risks become control risks is when they impact the business function in a manner that results in financial misstatements or errors.

• An organization that does not have adequate internal controls in place to prevent and detect fraud or errors has a specific issue of control risk, as opposed to inherent risk.

Risk Appetite

• Risk appetite is the term used to describe a firm's tolerance for risk.

• This risk appetite is related to other business elements such as reward and loss.

• Each company's executive structure needs to determine the appropriate risk appetite for that firm, and that becomes the upper limit on acceptable risk in the company's operations.

Regulations That Affect Risk Posture

• Regulations can have a dramatic effect on risk exposure.

• Sometimes that effect is a direct action of a regulation, such as financial firms being required by regulators to use certain levels of encryption to protect certain types of processes.

• Other times it is less direct, as when specific monitoring is required for reporting and firms change operations to avoid having to report.

• Regulations drive corporate responses because failing to follow regulations can result in penalties, which represent a loss.

• Therefore, regulations can be viewed as risks with almost certainty of incurring the loss.

Risk Assessment Types

• A risk assessment is a method to analyze potential risk based on statistical and mathematical models.

• You can use any one of a variety of models to calculate potential risk assessment values.

• A common method is the calculation of the annual loss expectancy (ALE). Calculating the ALE creates a monetary value for the impact.

• This calculation begins by calculating a single-loss expectancy (SLE), which is presented in detail later in the chapter.

Qualitative vs Quantitative

• Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business.
– Qualitative risk assessment usually involves the use of expert judgment and models to complete the assessment.

• Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business.
– Quantitative risk assessment usually involves the use of metrics and models to complete the assessment.

Likelihood of Occurrence

• The likelihood of occurrence is the chance that a particular risk will occur.

• This measure can be qualitative or quantitative, as just discussed.

• For quantitative measures, the likelihood of occurrence is typically defined on an annual basis (the annualized rate of occurrence, ARO) so that it can be compared to other annualized measures.

• If defined qualitatively, it is used to create rank-order outcomes rather than a monetary figure.

Impact

• The impact of an event is a measure of the actual loss when a threat exploits a vulnerability.

• Federal Information Processing Standard (FIPS) 199 defines three levels of impact using the terms high, moderate, and low.

• The impact needs to be defined in terms of the context of each organization.

• Impacts can be in terms of cost (dollars), performance (service level agreement [SLA] or other requirements), schedule (deliverables), or any other important item.

• Impact can also be categorized in terms of the information security attribute that is relevant to the problem: confidentiality, integrity, and availability.

Life

• Many IT systems are involved in healthcare, and failures of some of these systems can and have resulted in injury and death to patients.

• IT systems are also frequently integral to the operation of machines in industrial settings, and their failure can have similar impacts.

• Injury and loss of life are outcomes that backups cannot address, and they carry consequences beyond those of any other impact category.

• As part of a business impact analysis (BIA), you would identify these systems and ensure that they are highly redundant, to avoid impact to life.

Property

• Property damage can be the result of unmitigated risk.

• Damage to company-owned property, damage to the property of others, and even environmental damage from toxic releases in industrial settings are all examples of damage that can be caused by IT security failures.

• This can be especially true in companies that have manufacturing plants and other cyber-physical processes.

Safety

• Safety is the condition of being protected from, or unlikely to cause, danger, risk, or injury.

• Safety makes sense both from a business risk perspective and when you consider the concern one places on the well-being of people.

• In a manufacturing environment, with moving equipment and machines that can present a danger to workers, government regulations drive specific actions to mitigate risk and make the workplace as safe as possible.

• Unsafe conditions that are the result of computer issues will face the same regulatory response that unsafe plants have drawn in manufacturing: fines and criminal complaints.

Finance

• Finance is in many ways the final arbiter of all activities because it is how we keep score.

• We can measure the gains through sales and profit, and we can measure the losses through unmitigated risks.

• We can take most events, put a dollar value on them, and settle the books.

• Where this becomes an issue is when the impacts exceed the expected costs associated with the planned residual risks, because then the costs directly impact profit:
– Lost profits
– Ransomware
– Fines
– Lawsuits
– Loss of reputation

Reputation

• Corporate reputation is important in marketing.
– Would you deal with a bank with a shoddy record of accounting or of losing personal information?
– How about online retailing?
– Would the customer base think twice before entering their credit card information after a data breach?

• These are not purely hypothetical questions; these events have occurred, and corporate reputations have been damaged as a result, costing the firms customers and revenue.

Asset Value

• The asset value (AV) is the amount of money it would take to replace an asset.

• This term is used with the exposure factor (EF), a measure of how much of an asset is at risk (expressed as a fraction of the asset value), to determine the single-loss expectancy (SLE).

SLE = AV × EF
ALE = SLE × ARO

Annualized Rate of Occurrence (ARO)

• The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year.

• If the event is expected to occur once in 20 years, then the ARO is 1/20 = 0.05.

• Typically, the ARO is defined by historical data, either from a company's own experience or from industry surveys.

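The Asset Value and ARO slides give the formulas SLE = AV × EF and ALE = SLE × ARO but no worked case. The following is an added example written for this page, not code from the slides or the book; it carries the two formulas through and then uses the ALE to answer the question the Mitigation and Acceptance slides raise: is a control worth its annual cost? The asset values, exposure factors, historical event counts and control costs are constructed for illustration; the net-benefit rule (ALE before minus ALE after minus annual control cost) is the standard cost-benefit check and is not stated on the slides.

```python
"""Quantitative risk: SLE, ALE and the cost-benefit of a control (added example).

Not from the SY0-601 slides. All asset values, exposure factors, AROs and
control costs below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single-loss expectancy: SLE = AV x EF, with EF the fraction of the asset lost (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def aro_from_history(events: int, years: float) -> float:
    """ARO from historical data: events observed over a period, normalized to one year."""
    return events / years


@dataclass
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    def ale(self) -> float:
        return ale(sle(self.asset_value, self.exposure_factor), self.aro)


@dataclass
class Control:
    """A mitigation with an annual cost that lowers EF, ARO, or both."""
    name: str
    annual_cost: float
    new_exposure_factor: float | None = None
    new_aro: float | None = None

    def apply(self, s: Scenario) -> Scenario:
        ef = self.new_exposure_factor if self.new_exposure_factor is not None else s.exposure_factor
        aro = self.new_aro if self.new_aro is not None else s.aro
        return Scenario(s.name, s.asset_value, ef, aro)


def control_value(s: Scenario, c: Control) -> float:
    """Net annual benefit of a control: (ALE before - ALE after) - annual control cost.
    Positive means the control pays for itself; negative argues for accepting or transferring."""
    return s.ale() - c.apply(s).ale() - c.annual_cost


# Constructed: a $100,000 server, a fire destroying 25% of it, expected once in 20 years.
FIRE = Scenario("server room fire", asset_value=100_000, exposure_factor=0.25, aro=1 / 20)

# Constructed: ransomware on a $250,000 file share, 60% lost, seen twice in five years of history.
RANSOMWARE = Scenario("ransomware on file share", asset_value=250_000,
                      exposure_factor=0.60, aro=aro_from_history(events=2, years=5))

CONTROLS = {
    "fire suppression": Control("fire suppression", annual_cost=800, new_exposure_factor=0.05),
    "offline backups": Control("offline backups", annual_cost=12_000, new_exposure_factor=0.10),
    "gold-plated DR site": Control("gold-plated DR site", annual_cost=90_000,
                                   new_exposure_factor=0.01, new_aro=0.1),
}


if __name__ == "__main__":
    for s in (FIRE, RANSOMWARE):
        print(f"{s.name}: SLE={sle(s.asset_value, s.exposure_factor):,.0f} ALE={s.ale():,.0f}")
    for label, scenario in (("fire suppression", FIRE), ("offline backups", RANSOMWARE),
                            ("gold-plated DR site", RANSOMWARE)):
        print(f"{label} vs {scenario.name}: net {control_value(scenario, CONTROLS[label]):,.0f}/yr")
```

With these constructed numbers, fire suppression nets $200 a year against a $1,250 ALE and offline backups net $38,000 against a $60,000 ransomware ALE, while the DR site costs more per year than the entire ransomware ALE it removes, so its net value is negative: that is the case where the Acceptance slide's "accept, with a management review on record" is the defensible answer, not a sign that the risk was ignored.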
Disasters

• Disasters are major events that cause disruptions.

• The timescale of the disruption can vary, as can the level of disruption, but the commonality is that the external event that caused the disruption is one that cannot be prevented.

• Common disasters include weather-related events and events that everyone knows will happen eventually, just not where or when: hurricanes, earthquakes, tornados, volcanos, COVID-19.

• Person-made disasters can be as simple as a misconfiguration that results in the loss of a significant amount of data.



Person-made

• Person-made threats are those that are attributable to the actions of a person.

• But these threats are not limited to hostile actions by an attacker; they include accidents by users and system administrators.

• Users can represent one of the greatest risks in an IT system.

• Proper controls to manage the risk to a system must include controls against both accidental and purposeful acts.

Internal vs. External

• Internal threats have their origin within an organization, whereas external risks come from the outside.

• When disasters are examined, they can be seen to have originated either within the company or outside the company.

• If supply chain decisions are made to go with a single overseas vendor for a minor price advantage, with no backup, and then a disaster strikes the country of the supplier, is this an internal or external risk?

• It can be viewed as both, but an internal policy decision drives the risk of going with a single vendor.

BUSINESS IMPACT ANALYSIS

• Business impact analysis (BIA) is the process used to determine the sources and relative impact values of risk elements in a process.

• It is also the name often used to describe the document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise.

• The BIA also outlines how the loss of any of your critical functions will impact the organization.

Recovery Time Objective (RTO)

• The term Recovery Time Objective (RTO) is used to describe the target time that is set for the resumption of operations after an incident.
– This is a period of time that is defined by the business, based on the needs of the business.
– A shorter RTO results in higher costs because it requires greater coordination and resources.
– This term is commonly used in business continuity and disaster recovery operations.

Recovery Point Objective (RPO)

• Recovery Point Objective (RPO), a totally different concept from RTO, is the time period representing the maximum acceptable amount of data loss.

• The RPO defines the frequency of backup operations necessary to prevent unacceptable levels of data loss.

• A simple way of establishing an RPO is to answer the following questions:
– How much data can you afford to lose?
– How much rework is tolerable?

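The RTO and RPO slides define the two objectives; what a practitioner actually needs is a way to test a backup schedule and a real incident against them. The following is an added example written for this page, not code from the slides or the book. It checks the worst-case gap in a backup schedule against the RPO (the slide's point that RPO dictates backup frequency), measures the data loss and downtime of one incident, and reports which objective was met. The backup timestamps, the missed run, the incident and restore times, and the 4-hour RPO and 8-hour RTO are all constructed for illustration.

```python
"""Checking a backup schedule and an incident against RPO and RTO (added example).

Not from the SY0-601 slides. Backup times, incident time, restore time and
the objectives themselves are constructed for illustration.
"""
from __future__ import annotations
from datetime import datetime, timedelta

RPO = timedelta(hours=4)    # assumed: at most 4 hours of data loss is acceptable
RTO = timedelta(hours=8)    # assumed: operations must resume within 8 hours

# Constructed backup completion times for one day: a 4-hourly schedule with one missed run.
BACKUPS = [
    datetime(2024, 5, 6, 0, 0),
    datetime(2024, 5, 6, 4, 0),
    datetime(2024, 5, 6, 8, 0),
    # the 12:00 run failed and nobody noticed
    datetime(2024, 5, 6, 16, 0),
    datetime(2024, 5, 6, 20, 0),
]

# Constructed: the same schedule with every run completing, for comparison.
PLANNED = [datetime(2024, 5, 6, h, 0) for h in range(0, 24, 4)]

INCIDENT = datetime(2024, 5, 6, 14, 30)     # data unusable from here (e.g. ransomware detonation)
RESTORED = datetime(2024, 5, 6, 21, 0)      # service back for users


def max_backup_gap(backups: list[datetime]) -> timedelta:
    """Longest interval between consecutive backups: the worst-case data loss the schedule allows."""
    ordered = sorted(backups)
    if len(ordered) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(later - earlier for earlier, later in zip(ordered, ordered[1:]))


def schedule_meets_rpo(backups: list[datetime], rpo: timedelta) -> bool:
    """True only if no gap in the schedule exceeds the RPO."""
    return max_backup_gap(backups) <= rpo


def data_loss(backups: list[datetime], incident: datetime) -> timedelta:
    """Data lost in an incident: time since the last backup that completed before it."""
    before = [b for b in backups if b <= incident]
    if not before:
        raise ValueError("no backup exists before the incident")
    return incident - max(before)


def meets_objectives(backups: list[datetime], incident: datetime, restored: datetime,
                     rpo: timedelta, rto: timedelta) -> dict[str, object]:
    """Compare one incident's actual loss and downtime against the objectives."""
    loss = data_loss(backups, incident)
    downtime = restored - incident
    return {
        "rpo_met": loss <= rpo,
        "rto_met": downtime <= rto,
        "loss_hours": loss.total_seconds() / 3600,
        "downtime_hours": downtime.total_seconds() / 3600,
    }


if __name__ == "__main__":
    print("planned schedule meets RPO:", schedule_meets_rpo(PLANNED, RPO))
    print("actual schedule meets RPO:", schedule_meets_rpo(BACKUPS, RPO),
          "(worst gap", max_backup_gap(BACKUPS), ")")
    print(meets_objectives(BACKUPS, INCIDENT, RESTORED, RPO, RTO))
```

The planned schedule meets the RPO on paper, but the missed noon run opens an 8-hour gap, and the incident at 14:30 loses 6.5 hours of data against a 4-hour objective even though the 8-hour RTO is met. Monitoring backup job completion, not just scheduling it, is what keeps the RPO real.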
RTO vs RPO

[Figure: RTO vs RPO timeline; the image is not reproduced in this extraction.]

Mean Time to Repair (MTTR)

• Mean Time To Repair (MTTR) is a common measure of how long it takes to repair a given failure.

• This is the average time, and it may or may not include the time needed to obtain parts.

• MTTR = (total downtime) / (number of breakdowns)

• Availability is a measure of the amount of time a system performs its intended function.

• Reliability is a measure of the frequency of system failures.



Mean Time Between Failures (MTBF)

• Mean Time Between Failures (MTBF) is a common measure of the reliability of a system and is an expression of the average time between system failures.

• The time between failures is measured from the time a system returns to service until the next failure.

• Mean time to failure (MTTF) is a variation of MTBF, one that is commonly used instead of MTBF when the system is replaced in lieu of being repaired.

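The MTTR and MTBF slides give one formula and a definition but no data. The following is an added example written for this page, not code from the slides or the book. It computes MTTR exactly as the slide's formula states, MTBF as the mean of the return-to-service to next-failure intervals the MTBF slide describes, and then availability two ways. The outage records are constructed; the steady-state availability formula MTBF / (MTBF + MTTR) is the standard one and is not on the slides, which only define availability and reliability in words.

```python
"""MTTR, MTBF and availability from an outage log (added example).

Not from the SY0-601 slides. The outage records are constructed; the
availability formula MTBF / (MTBF + MTTR) is the standard steady-state form.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed outage log for Q1 2024: (failure time, return-to-service time), chronological.
OUTAGES = [
    (datetime(2024, 1, 3, 2, 15), datetime(2024, 1, 3, 4, 45)),    # 2.5 h down
    (datetime(2024, 2, 10, 13, 0), datetime(2024, 2, 10, 13, 30)),  # 0.5 h down
    (datetime(2024, 3, 22, 22, 0), datetime(2024, 3, 23, 1, 0)),    # 3.0 h down
]
WINDOW = (datetime(2024, 1, 1), datetime(2024, 4, 1))   # measurement window (start, end)


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def mttr(outages: list[tuple[datetime, datetime]]) -> float:
    """MTTR = total downtime / number of breakdowns (the slide's formula), in hours."""
    if not outages:
        raise ValueError("no outages recorded")
    down = sum(hours(restored - failed) for failed, restored in outages)
    return down / len(outages)


def mtbf(outages: list[tuple[datetime, datetime]]) -> float:
    """MTBF in hours: mean of the intervals from return-to-service until the next failure.
    n outages give n-1 such intervals, so a single outage yields no MTBF at all."""
    if len(outages) < 2:
        raise ValueError("need at least two outages to measure time between failures")
    ups = [hours(outages[i + 1][0] - outages[i][1]) for i in range(len(outages) - 1)]
    return sum(ups) / len(ups)


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR), as a fraction in 0..1."""
    return mtbf_h / (mtbf_h + mttr_h)


def measured_availability(outages: list[tuple[datetime, datetime]],
                          start: datetime, end: datetime) -> float:
    """Observed availability over a window: 1 - downtime / window length.
    Outages straddling the window edges are clipped to the window."""
    down = sum(hours(min(restored, end) - max(failed, start))
               for failed, restored in outages if restored > start and failed < end)
    return 1.0 - down / hours(end - start)


if __name__ == "__main__":
    r, b = mttr(OUTAGES), mtbf(OUTAGES)
    print(f"MTTR {r:.2f} h, MTBF {b:.1f} h, steady-state availability {availability(b, r):.4%}")
    print(f"observed availability over the window {measured_availability(OUTAGES, *WINDOW):.4%}")
```

The two availability figures differ because the steady-state form uses only the intervals between failures, while the measured form counts the whole window, including the uptime before the first failure and after the last. For an SLA report use the measured figure over the contract period; use MTBF and MTTR when choosing between repair and replace, which is the distinction the MTTF bullet draws.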
Functional Recovery Plans

• Functional recovery plans cover the transition from operations under business continuity back to normal operations.

• Disaster operations are fast and prioritized.

• Functional recovery is more organized and staged over time.

Single Point of Failure

• A key principle of security is defense in depth.

• This layered approach to security is designed to eliminate any specific single point of failure (SPOF).

• A single point of failure is any system component whose failure or malfunctioning could result in the failure of the entire system.

• For mission-essential systems, single points of failure are items that need to be called to management's attention, with a full explanation of the risk and costs associated with them.

Disaster Recovery Plan (DRP)

• A disaster recovery plan (DRP) is the plan a firm creates to manage the business impact of a disaster and to recover from its impacts.

Mission-Essential Functions

• Mission-essential functions are those that, should they not occur or be performed properly, will directly affect the mission of the organization.

• In other terms, mission-essential functions are those that must be restored first after a business impact to enable the organization to restore its operations.

Identification of Critical Systems

• A part of identifying mission-essential functions is identifying the systems and data that support those functions.

• Identification of critical systems enables the security team to properly prioritize defenses to protect the systems and data in a manner commensurate with the associated risk.

• It also enables the proper sequencing of restoring operations to ensure proper restoration of services.

Site Risk Assessment

• Risk assessments can have specific characteristics associated with different sites.

• This is the basis for a site risk assessment, which is simply a risk assessment tailored to a specific site.

• In organizations with multiple locations, with differing systems and operations, having tailored risk assessments that are specific to the risks associated with each site gives the firm information it can act on at that site.

• There may be some elements that overall are specific to the firm as a whole, but the development and inclusion of the risks associated with each site produce an actionable document that can be used effectively.
