Domain 5
5.2 Risk Management
Explain elements of the risk management process.
0% Complete

Risk identification and assessment is the process of discovering, analyzing, and evaluating threats to an organization’s assets to determine the most effective mitigation strategy.
Risk Categorization and States Risk is dynamic and changes based on the presence or performance of security measures. - Inherent Risk: The level of risk that exists naturally before any security controls or mitigations are implemented. - Residual Risk: The risk that remains after security controls have been applied; most frameworks acknowledge risk can never be zero. - Control Risk: The risk that a specific security measure will fail to perform its intended function or produce an unintended outcome. - Risk Assessment: A systematic evaluation of whether a control is effective, its cost-benefit ratio, and whether it introduces new secondary risks.
Qualitative vs. Quantitative Assessment Organizations use two primary methods to measure risk, often combining them for a holistic view. - Qualitative Risk Assessment: Focuses on subjective logic and expert opinion. It uses descriptive rankings like Low, Medium, or High to prioritize threats based on likelihood and impact. This is preferred when quality data is scarce. - Quantitative Risk Assessment: A data-driven approach that assigns numerical values and dollar amounts to risk. Challenges include subjective guesses for numbers and the high level of effort required to gather accurate historical data. - Likelihood of Occurrence: The probability that a specific threat will exploit a vulnerability. - Magnitude of Impact: The total potential damage (financial, operational, or reputational) resulting from a realized threat.
Risk Management Strategies Once a risk is identified, leadership must choose a response based on cost and resource availability. - Risk Mitigation: Implementing security controls (technical, administrative, or physical) to reduce the likelihood or impact of a threat. - Risk Transference: Shifting the financial burden or responsibility to a third party, such as purchasing cyber insurance or outsourcing to a cloud provider. - Risk Avoidance: Choosing to stop an activity or decommission a system because the risk is too high to manage. - Risk Acceptance: Acknowledging the risk exists but choosing not to act, usually because the cost of the control exceeds the value of the asset or the impact is negligible.
Frameworks and Methodologies Standardized frameworks help neutralize subjectivity in risk reporting. - NIST SP 800-30: A specific guide for conducting risk assessments involving preparation, execution, communication, and maintenance. - ISACA Risk IT: A framework focus on governing and managing IT risk throughout the enterprise.
Quick Recall - Inherent = No controls. - Residual = Remaining risk. - Qualitative = Probability and Impact matrices. - Quantitative = Monetary values. - Insurance = Risk Transference. - Control Assessment = Judging control quality.