Risk Management

If you’re planning on taking the Security+, SSCP, or CISSP exam you should understand the common risk management methods used by security professionals. As an example, Objective 2.1 “Explain risk related concepts” for the CompTIA Security+ exam lists risk-avoidance, transference, acceptance, mitigation, and deterrence. 

Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level. It doesn’t eliminate risks, but instead identifies methods to limit or mitigate them. The amount of risk that remains after managing risk is residual risk.

The primary goal of risk management is to reduce risk to a level that the organization will accept. Senior management is ultimately responsible for residual risk – the amount of risk that remains after mitigating risk. Management must choose a level of acceptable risk based on their organizational goals. They decide what resources (such as money, hardware, and time) to dedicate to mitigate the risk.

Security+ Full Access Package

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:

• All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
• Over 40 new multiple-choice questions we’ve added after publishing the study guide.
• Over 30 performance-based questions. See a demo here.
• All of the flashcards from the study guide. View them in any Web browser.
• All of the audio from the study guide. Listen to a sample here.
• Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Practice Question

Consider this question:

Q. Joe is evaluating security controls related to a known vulnerability. This vulnerability has resulted in two events in the past year resulting in losses of $3,000 each. A third-party company says they can eliminate the losses at a cost of $5,000. What should you do?

A. Do nothing and save $5,000

B. Mitigate the risk and save $2,000

C. Transfer the risk and save $1,000

D. Transfer the risk and save $2,000

The answer is below, but if you understand some common terms related to risk management, you can answer the question correctly.

Risk Avoidance

An organization can avoid a risk by not providing a service or not participating in a risky activity.

For example, an organization may evaluate an application that requires multiple open ports on the firewall that it considers too risky. It can avoid the risk by not using the application.

Risk Transference

An organization can transfer the risk to another entity. The most common method of risk transference is by purchasing insurance. Another method is by outsourcing the risk, or contracting a third party to manage the risk.

Risk Acceptance

When the cost of a control outweighs the potential losses of a risk, an organization will often accept the risk. For example, spending $100 in hardware locks to secure a $15 mouse doesn’t make sense. Instead, the organization accepts the risk of someone stealing the mouse.

Similarly, even after implementing controls, some risk remains and the organization accepts this residual risk.

Risk Mitigation

When an organization implements controls to reduce the risk, it is referred to as risk mitigation. These controls may reduce the vulnerabilities or weaknesses in a system, or they may reduce the impact of the threat. For example, up-to-date antivirus software mitigates the risks of malware by reducing a system’s vulnerability to malware.

Risk Deterrence

An organization can deter a risk by implementing some security controls. For example, security guards and monitoring cameras can deter losses from different types of risks. A security guard mitigates the risk of tailgating and cameras can mitigate risks associated with theft.

Some security professionals identify the first four methods of risk management but don’t include risk deterrence. Instead, they include deterrence methods within the risk mitigation category. However, the Security+ objectives list these five.

Quantitative Risk Management

There are times when you need to calculate costs related to risks using a quantitative risk management method. When using a quantitative method you should understand the following terms:

• Single loss expectancy (SLE). The SLE is the cost of any single loss.
• Annualized rate of occurrence (ARO). The ARO indicates how many times the loss is expected to occur annually. 
• Annualized loss expectancy (ALE). The ALE is the SLE x ARO.

Security+ Full Access Package

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:

• All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
• Realistic SY0-601 Security+ Practice Test Questions
• Performance-based questions.
• All of the flashcards from the study guide. View them in any Web browser. See demo here
• All of the audio from the study guide.
• Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Practice Question Answer

Q. Joe is evaluating security controls related to a known vulnerability. This vulnerability has resulted in two events in the past year resulting in losses of $3,000 each. A third-party company says they can eliminate the losses at a cost of $5,000. What should you do?

A. Accept the risk and save $1,000

B. Mitigate the risk and save $2,000

C. Transfer the risk and save $1,000

D. Transfer the risk and save $2,000

Answer

C is the correct answer. Outsourcing the risk by contracting a third party is risk transference and if you transfer the risk to a third-party, you can save $1,000.

The ARO is 2.

The SLE is $3,000.

The ALE is $6,000 ($3,000 X 2)

The cost of the control is $5,000.

In this case, you can spend $5,000 to prevent the losses of $6,000 effectively saving $1,000.

Because the cost of the control ($5,000) is less than the expected losses ($6,000), it makes fiscal sense to purchase the control. (An organization will likely evaluate other factors but in general when the cost of the control is less than the losses it’s expected to remove, the control is worth the cost. If the control costs more than the losses it can prevent, it is not worth the cost.)

A is not correct. If you accept the risk, you will still be losing $6,000 annually. Based on the scenario, accepting the risk cannot result in a savings of $1,000. However, if the cost of the control was $7,000 (instead of $5,000), accepting the risk could be interpreted as a savings of $1,000. You could spend $7,000 or do nothing and lose $6,000. Doing nothing (accepting the risk) is $1,000 cheaper.

B is not correct. Mitigating the risk means that you are doing something to reduce it. Outsourcing the risk to a third-party is rarely referred to as mitigating the risk. Also there isn’t any math that results in a savings of $2,000 within this scenario.

D is not correct. Outsourcing to a third-party is risk transference. However, this results in a savings of $1,000 rather than $2,000.

Summary

Ensure you understand the basics of a risk management methods when taking any security-based exam such as the Security+, SSCP, or CISSP exams. The primary methods are known as risk avoidance, risk transference, risk acceptance, risk mitigation, and risk deterrence.