If you’re planning to take the SY0-601 version of the Security+ exam, you should understand risk management processes and concepts. This includes risk analysis processes that can identify potential issues that could negatively impact an organization’s goals and objectives.
For example, can you answer this practice test question?
Q. Maggie is performing a risk assessment on a database server. While doing so, she created a document showing all the known risks to this server, along with the risk score for each risk. Which of the following BEST identifies the name of this document?
A. Qualitative risk assessment
B. Quantitative risk assessment
C. Risk register
D. Residual risk
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Risk Analysis
Risk assessments use a variety of techniques to analyze risks. Generically, a risk analysis identifies potential issues that could negatively impact an organization’s goals and objectives. However, different disciplines define it a little differently. As an example, project management professionals would tell you that a risk analysis identifies potential risks that may impact a project’s outcomes and objectives instead of the organization’s goals and objectives.
Similarly, the following terms might have slightly different definitions within project management circles or with financial management specialists. However, these definitions are valid within cybersecurity:
- Risk register. A risk register lists all known risks for a system or an organization. It's often in a table format or as a risk log, and it is a living document. A table format has predefined columns such as the risk, the risk owner, mitigation measures, the impact, the likelihood of occurrence, and a risk score. The risk owner is responsible for implementing security controls to mitigate the risk. As security professionals identify new risks, they add new rows to the table, and as controls are put in place, they update the existing rows. A risk log is a free-text alternative: personnel document risk management activities in running text instead of the formalized columns of a table.
- Risk matrix. A risk matrix plots risks onto a graph or chart. As a simple example, it can plot the likelihood of occurrence against the impact of a risk, as shown in the figure. The letters (A to D) represent specific risks documented elsewhere (such as in the risk register). It's easy to see that personnel should spend most of their time on risk D, while a risk plotted in the low-likelihood, low-impact corner has already been mitigated to an acceptable level.
Figure: Risk Matrix
- Heat map. A heat map is similar to a risk matrix. However, instead of using words such as acceptable risk and unacceptable risk, it uses colors such as green and red, respectively. For example, the risk matrix shown in the figure would be colored green in the bottom-left area (low likelihood, low impact) and red in the top-right area (high likelihood, high impact). The middle area would be yellow.
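As an added example that is not from the study guide, the following Python builds a small risk register for a database server, computes a risk score for each row, plots the rows onto a likelihood-versus-impact risk matrix, and renders the matrix as a green/yellow/red heat map. It also records a mitigation and returns the residual score, which shows why a mitigated risk drops toward the green corner rather than disappearing. The 1-to-5 rating scales, the likelihood x impact scoring formula, the color bands, and the four sample risks are all assumptions made for this example; the page names the register's columns but does not prescribe a scale or formula.

```python
"""Risk register with computed scores, a risk matrix and a heat map (example code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: ordinal 1-5 scales for both axes; the page does not fix a scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def heat_color(score: int) -> str:
    """Map a risk score (1..25) onto heat-map bands. ASSUMPTION: band thresholds."""
    if score <= 4:
        return "green"   # acceptable risk
    if score <= 12:
        return "yellow"  # needs a decision or further treatment
    return "red"         # unacceptable risk


def _check_ratings(likelihood: str, impact: str) -> None:
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: likelihood={likelihood!r} impact={impact!r}")


@dataclass
class Risk:
    """One row of the risk register; the fields match the columns listed above."""
    risk_id: str
    description: str
    owner: str                 # accountable for implementing mitigating controls
    likelihood: str            # key into LIKELIHOOD
    impact: str                # key into IMPACT
    mitigations: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        _check_ratings(self.likelihood, self.impact)

    @property
    def score(self) -> int:
        # ASSUMPTION: score = likelihood rating x impact rating.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


class RiskRegister:
    """Living document: rows are added as risks are found and re-rated as controls land."""

    def __init__(self) -> None:
        self._rows: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_id in self._rows:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._rows[risk.risk_id] = risk

    def mitigate(self, risk_id: str, control: str,
                 likelihood: Optional[str] = None, impact: Optional[str] = None) -> int:
        """Record a control and re-rate the risk; returns the residual risk score."""
        risk = self._rows[risk_id]
        new_l = likelihood if likelihood is not None else risk.likelihood
        new_i = impact if impact is not None else risk.impact
        _check_ratings(new_l, new_i)
        risk.mitigations.append(control)
        risk.likelihood, risk.impact = new_l, new_i
        return risk.score

    def rows(self) -> List[Risk]:
        """Rows ordered by score, highest first: the order to work on them."""
        return sorted(self._rows.values(), key=lambda r: (-r.score, r.risk_id))

    def matrix(self) -> Dict[Tuple[int, int], List[str]]:
        """Risk matrix: (likelihood, impact) cell -> ids of the risks plotted there."""
        cells: Dict[Tuple[int, int], List[str]] = {}
        for r in self._rows.values():
            cells.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.risk_id)
        return {k: sorted(v) for k, v in cells.items()}

    def heat_map(self) -> List[List[str]]:
        """Rows = likelihood 5 (top) down to 1, columns = impact 1..5.
        Each cell is its color plus any plotted risk ids, e.g. 'red:D'."""
        cells = self.matrix()
        grid = []
        for l in range(5, 0, -1):
            row = []
            for i in range(1, 6):
                ids = ",".join(cells.get((l, i), []))
                row.append(heat_color(l * i) + (":" + ids if ids else ""))
            grid.append(row)
        return grid


def build_sample_register() -> RiskRegister:
    """Constructed sample rows for a database server (not data from the page)."""
    reg = RiskRegister()
    reg.add(Risk("A", "Backup tapes stored unencrypted off-site", "DBA team", "unlikely", "minor"))
    reg.add(Risk("B", "Application service account holds the sysadmin role", "DBA team", "possible", "major"))
    reg.add(Risk("C", "Reporting app passes unvalidated input into SQL", "App team", "likely", "moderate"))
    reg.add(Risk("D", "DBMS missing vendor patches, reachable from user VLAN", "Infra team", "likely", "severe"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.rows():
        print(f"{r.risk_id} score={r.score:2d} {heat_color(r.score):6s} owner={r.owner}: {r.description}")
    for row in reg.heat_map():
        print(" | ".join(f"{c:10s}" for c in row))
    residual = reg.mitigate("D", "Apply vendor patches; restrict DB port to app subnet", likelihood="rare")
    print("residual risk for D:", residual, heat_color(residual))
```

Note that after the patch-and-segment control the D row does not vanish from the register; it moves to a lower cell and its residual score is what the risk owner signs off on, which is the distinction the practice question draws between a risk register and residual risk.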
Supply Chain Risks
A supply chain includes all the elements required to produce and sell a product. As a simple example, consider the Lard Lad Donuts store. They require a steady supply of flour, sugar, eggs, milk, oil, and other ingredients. They also require refrigerators to store raw materials, space to manufacture the donuts, and fryers to cook them. Last, they need a method to sell the donuts to customers. If any of these items fail, the company won’t be able to make and sell donuts.
It’s important to realize that the supply chain isn’t only the supply of raw materials. It also includes all the processes required to create and distribute a finished product.
A supply chain can become an attack vector if an attacker can disrupt the supply chain. If an attacker wanted to stop the donut store from producing donuts, it isn’t necessary to attack the donut store. Instead, an attacker can attack one of the third-party suppliers in a supply chain attack. A potential indicator of a supply chain attack is a disruption in the supply chain.
Organizations can reduce the supply chain as a third-party risk by ensuring that they have multiple sources for everything they need, so that no single supplier is a single point of failure. While this is relatively simple when looking for alternate sources to purchase flour and sugar, it can be difficult when an organization needs complex materials.
For example, General Motors chose to build some 2021 vehicles without the GM Active Fuel Management module due to a worldwide chip shortage. Ford reported the chip shortage could lower its earnings by more than a billion dollars. Most of these chips are produced in Asian nations such as Taiwan and China. While the chip shortage was mainly due to automakers miscalculating supply and demand, it could just as easily be due to an attack. If an attacker destroys one or two factories producing these chips, it could impact the bottom line of automakers on the other side of the world.
Q. Maggie is performing a risk assessment on a database server. While doing so, she created a document showing all the known risks to this server, along with the risk score for each risk. Which of the following BEST identifies the name of this document?
A. Qualitative risk assessment
B. Quantitative risk assessment
C. Risk register
D. Residual risk
Answer is C. A risk register lists all known risks for an asset, such as a database server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk).
Risk assessments (including qualitative and quantitative risk assessments) might use a risk register, but they are not risk registers.
Residual risk refers to the remaining risk after applying security controls to mitigate a risk.
See Chapter 8 of the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide for more information on risk management.