ITPro.TV: CompTIA Security+ (SY0-601)

author: Nathan Acks
date: 2022-05-04

CompTIA Security+ Exam Cram

Today I’ll be reading chapter 34 from the Security+ Exam Cram, “Risk Management”.

Risk Analysis

Good definition!

Risk is the possibility of exposure to loss or danger.

Normally we talk about “risk” as if it were synonymous with “the probability that bad thing X happens”, but the Exam Cram breaks it down more formally as “Threat × Vulnerability × Impact”. (Here “Threat × Vulnerability” is more-or-less the colloquial meaning of “risk”, which means that we can also think of this as impact weighted by probability of occurrence.)

Risk Register

A “risk register” is a document/database documenting various risks. Typical elements:

Risk Response Techniques

Most risk management is really about mitigation.

The Exam Cram has a good example for residual risk, likening it to how barred windows mitigate break-in risk but increase the risk of being trapped by a fire.

Threat Assessment

Threat: The potential that a vulnerability will be exploited.

Threat Vector: How a threat is realized.

Threat source types:

The Exam Cram breaks the last of these down into “structural” (i.e., infrastructure failures) and “environmental”.

Risk Assessment

“Risk assessment” formalizes the “Risk = Threat × Vulnerability × Impact” relationship defined above.

Most risk assessments bound risk by fiscal year.

There are, frankly, a lot of arbitrary numbers being thrown around in this section. I suppose that the important thing here is that risks are ultimately ranked by an organization in the correct order, and that risk tiers are clearly defined. But this is all very hand-wavy.

Single Loss Expectancy

“Single loss expectancy” (SLE) is the expected monetary loss should a given risk be realized.

Annual Rate of Occurrence

The “annual rate of occurrence” (ARO) is just the probability that the risk is realized within the given timeframe (typically a fiscal year, as mentioned above).

Annual Loss Expectancy

The “annual loss expectancy” (ALE) is the actual expected monetary impact of the risk (Annual Loss Expectancy = Single Loss Expectancy × Annual Rate of Occurrence).

This is used in exactly the way you’d normally use expected values.

Business Impact Analysis

What “risk assessment” is to risk, “business impact analysis” is to impacts.

Recovery Objectives

Recovery Point Objective: References data storage/processing/generation capabilities; the time that can elapse before the quantity of data lost due to a risk being realized exceeds the maximum allowable threshold as established in a business continuity plan. (Basically, acceptable data loss.)

Recovery Time Objective: The time within which a process must be restored as established in a business continuity plan. (Basically, how long a given application can be down.)


MTTF: Mean time to failure. (Used for monolithic, non-repairable systems.)

MTBF: Mean time between failures. (Used for components in modular, repairable systems.)

MTTR: Mean time to recovery.

ITPro.TV: CompTIA Security+ (SY0-601)

Risk Management Concepts - Vocabulary

Via NIST Special Publication 800-31r1:

Note that these definitions are much closer to the colloquial definition of “risk” than what is presented in the Exam Cram.

Risk Management Concepts - Types & Strategies

Steps in the risk assessment process:

Conducting the assessment (step 2) can itself be broken down into five stages:

Interestingly, Adam Gordon’s using “risk” within these substeps in a way that’s much closer to the Exam Cram than to the previous episode’s definitions.

Key risk types:

Note that there’s a lot of overlap here between categories.

Risk management strategies:

Adam Gordon breaks cyberinsurance out as its own category, though it’s typically considered a type of risk transference. Cloud migration is also a type of (partial) risk transference.

Risk Management Concepts - Risk Analysis

Adam Gordon defines “risk analysis” as the examination of risk, while “risk assessment” is the process of defining risks in a given context. Definitions occur before examinations, and thus risk assessments occur before a risk analysis.

Formally, the “single loss expectancy” (SLE) is defined as the asset value (which may be the income generated by the asset) multiplied by the “exposure factor” (the expected percentage of the asset’s value that would be lost in the event of an attack). This formula honestly only makes sense to me in the “asset as income” case; in other situations, wouldn’t the SLE be the repair/recovery costs?

In general, risk controls are implemented even when they cost as much as the ALE of the risk, since such controls still guard against less tangible qualitative losses. It’s only when the cost of the control begins to exceed the risk’s ALE that an organization will accept the risk.
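Below is an added worked example (mine, not from the Exam Cram or the ITPro.TV course) that puts the SLE = AV × EF, ALE = SLE × ARO, and “mitigate while the control costs no more than the ALE” rules from the sections above into a small risk register. All asset values, exposure factors, rates and control costs are constructed for illustration; the stricter net-benefit check at the end goes beyond the notes and is marked as such.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One row of a quantitative risk register (all values constructed for this example)."""
    name: str
    asset_value: float       # AV: value of the asset, in currency units
    exposure_factor: float   # EF: fraction of AV lost when the risk is realized (0.0 - 1.0)
    aro: float               # ARO: expected number of occurrences per fiscal year

    @property
    def sle(self) -> float:
        # Single loss expectancy: loss from a single occurrence (AV x EF).
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual loss expectancy: SLE weighted by how often it happens per year (SLE x ARO).
        return self.sle * self.aro


@dataclass
class Control:
    """A proposed mitigation: it costs money every year and lowers EF and/or ARO."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None   # None means the control does not change EF
    new_aro: Optional[float] = None               # None means the control does not change ARO

    def residual(self, risk: Risk) -> Risk:
        # Residual risk after the control: same asset, reduced EF and/or ARO.
        ef = self.new_exposure_factor if self.new_exposure_factor is not None else risk.exposure_factor
        aro = self.new_aro if self.new_aro is not None else risk.aro
        return Risk(name=risk.name, asset_value=risk.asset_value, exposure_factor=ef, aro=aro)


def rank_by_ale(register: list) -> list:
    """Order the register so the costliest risks per year come first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def recommend(risk: Risk, control: Control) -> str:
    """Rule from the notes: implement the control while it costs no more than the
    risk's ALE; once the control costs more than the ALE, accept the risk."""
    return "mitigate" if control.annual_cost <= risk.ale else "accept"


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Stricter cost/benefit check (my assumption, not in the notes): ALE avoided
    minus the control's annual cost. Negative means the control loses money on
    tangible losses alone and must be justified by qualitative losses."""
    return risk.ale - control.residual(risk).ale - control.annual_cost


# Constructed sample register: three risks for a hypothetical organization.
REGISTER = [
    Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.2),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=5),
    Risk("data center flood", asset_value=2_000_000, exposure_factor=0.5, aro=0.01),
]

# Constructed candidate controls, keyed by the risk they address.
CONTROLS = {
    "ransomware on file server": Control("EDR + offline backups", annual_cost=25_000, new_aro=0.05),
    "laptop theft": Control("full-disk encryption", annual_cost=2_000, new_exposure_factor=0.1),
    "data center flood": Control("flood barriers", annual_cost=50_000, new_aro=0.002),
}


def summarize(register: list, controls: dict) -> list:
    """One report line per risk, highest ALE first."""
    lines = []
    for risk in rank_by_ale(register):
        control = controls[risk.name]
        lines.append(
            f"{risk.name}: SLE={risk.sle:,.0f} ALE={risk.ale:,.0f} "
            f"-> {recommend(risk, control)} ({control.name}, "
            f"net benefit {net_annual_benefit(risk, control):,.0f}/yr)"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(REGISTER, CONTROLS):
        print(line)
```

Ranking by ALE is what puts the register “in the correct order” that the Risk Assessment section cares about; the simple mitigate/accept rule reproduces the notes, while the net-benefit figure shows why the flood barriers would be accepted as residual risk even though they work.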

Risk Management Concepts - Business Impact Analysis

“Business Continuity and Disaster Recovery” (BCDR) is the combination of two different types of plans:

The “BC” part is about alternate operations during an emergency, while the “DR” part is about recovering operations during a completely disruptive event.

The plans for each of these are known as BCPs, DRPs, or BCDRPs for the combined plans.

The reason business continuity and disaster recovery are increasingly lumped together is because events that take an organization immediately to disaster are actually somewhat rare. It’s more common for an organization to instead suffer progressive (and potentially rapid) deterioration from “normal operations” to complete disruption. This means that the business continuity plan is generally engaged before the disaster recovery plan, and thus functions as something of a “final off ramp” before a formal disaster is declared and the DRP goes into effect.

“Business impact analysis” is basically about (1) identifying mission-critical functions/assets and (2) characterizing the consequence of a disruption to these functions/assets. Goals:

Note that it’s sometimes desirable to bring up less critical systems before more critical ones as “guinea pigs” to help probe the post-disaster operational environment.



Basically, the RPO determines our maximum backup interval.

RTO is concerned only with infrastructure recovery, while WRT (work recovery time) is the length of time that it takes to restore working infrastructure to full operational capacity. Thus MAD (maximum allowable downtime) = RTO + WRT.
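As an added example (mine, not from the course), here is the consistency check these two relationships suggest: a backup schedule can only satisfy the RPO if backups run at least that often, and a plan whose RTO + WRT exceeds its MAD cannot meet its own downtime commitment. The process names and hour values are constructed.

```python
from dataclasses import dataclass


@dataclass
class RecoveryObjectives:
    """BIA targets for one business process (all values constructed for this example)."""
    process: str
    rpo_hours: float              # Recovery Point Objective: tolerable data loss, expressed as time
    rto_hours: float              # Recovery Time Objective: time to get infrastructure back
    wrt_hours: float              # Work Recovery Time: infrastructure back -> fully operational
    mad_hours: float              # Maximum Allowable Downtime agreed in the BCP
    backup_interval_hours: float  # how often the data is actually backed up


def total_recovery_hours(obj: RecoveryObjectives) -> float:
    """Downtime the current RTO and WRT actually imply: MAD = RTO + WRT."""
    return obj.rto_hours + obj.wrt_hours


def check_objectives(obj: RecoveryObjectives) -> list:
    """Return findings wherever the plan contradicts its own objectives."""
    findings = []
    # The RPO is the longest window of data we can afford to lose, so backups
    # must run at least that often (the RPO sets the maximum backup interval).
    if obj.backup_interval_hours > obj.rpo_hours:
        findings.append(
            f"{obj.process}: backup interval {obj.backup_interval_hours}h exceeds RPO {obj.rpo_hours}h"
        )
    # RTO only covers infrastructure; WRT must be added to get the real outage length.
    if total_recovery_hours(obj) > obj.mad_hours:
        findings.append(
            f"{obj.process}: RTO + WRT = {total_recovery_hours(obj)}h exceeds MAD {obj.mad_hours}h"
        )
    return findings


# Constructed sample processes: one with an RPO problem, one with a MAD problem.
ORDER_SYSTEM = RecoveryObjectives("order processing", rpo_hours=1, rto_hours=4,
                                  wrt_hours=2, mad_hours=8, backup_interval_hours=24)
PAYROLL = RecoveryObjectives("payroll", rpo_hours=24, rto_hours=8,
                             wrt_hours=16, mad_hours=12, backup_interval_hours=12)

if __name__ == "__main__":
    for obj in (ORDER_SYSTEM, PAYROLL):
        for finding in check_objectives(obj) or [f"{obj.process}: objectives are consistent"]:
            print(finding)
```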