Domain 1 of 8 · Chapter 9 of 12

Risk Management

What risk is, and how it is assessed

A vulnerability with no credible threat, and a threat with no exploitable vulnerability, both produce zero risk: risk is always the pairing of the two with an impact, never a lone weakness. That single definition is the spine of every risk decision, and it is what lets you turn a vague worry into a ranked, defensible one. From it follow the choice between qualitative and quantitative analysis and the loss figures (SLE, ALE) the exam makes you compute cold.

The vocabulary, defined once

A threat is any potential cause of an unwanted impact: a hacker, a flood, a careless insider. A vulnerability is a weakness a threat could exploit: an unpatched server, a missing background check. A threat agent (or threat actor/source) is the entity that initiates the threat. Risk is the combination of the two with consequence: the likelihood that a threat exploits a vulnerability, multiplied by the resulting impact. The single most important consequence of this definition is that a vulnerability with no credible threat, or a threat with no exploitable vulnerability, produces no risk, so risk is always assessed on paired threat-and-vulnerability scenarios, never on a lone weakness. Exposure is an instance of being susceptible to a loss; an asset is anything of value being protected.

NIST states this directly: risk is "a measure of the extent to which an entity is threatened by a potential circumstance or event," and is "a function of the adverse impacts that would arise if the circumstance or event occurs, and the likelihood of occurrence," per the NIST SP 800-30 Rev. 1 risk-assessment guide[1].

Qualitative vs quantitative analysis

There are two ways to size a risk, and they share one model: both estimate likelihood and impact and combine them; they differ only in the scale they use.

  • Qualitative rates likelihood and impact on ordinal bands (e.g. low / medium / high, or 1-5) and plots them on a risk matrix (heat map). It is fast, needs no hard loss data, and relies on expert judgment, but its outputs are relative ratings you cannot add up or express in money.
  • Quantitative assigns real monetary values, producing a dollar figure you can compare directly against the cost of a safeguard. It needs reliable asset values and event frequencies, which are often the hardest inputs to obtain.
  • Hybrid (semi-quantitative) is the usual real-world answer: triage the whole register qualitatively, then spend the effort of a full quantitative model only on the handful of risks that justify it.

The quantitative formulas you must know cold

Quantitative analysis turns on four derived values. Define them in order, because each feeds the next:

Term Meaning Formula
AV, Asset Value What the asset is worth (input)
EF, Exposure Factor Fraction of the asset value lost in one event (a percentage) (input)
SLE, Single Loss Expectancy Expected loss from one occurrence SLE = AV x EF
ARO, Annualized Rate of Occurrence Expected number of occurrences per year (input)
ALE, Annualized Loss Expectancy Expected loss per year ALE = SLE x ARO

Worked example: a $200,000 (AV) data store, where one ransomware event is expected to destroy 25% of its value (EF = 0.25), gives SLE = $200,000 x 0.25 = $50,000. If such an event is expected roughly twice a year (ARO = 2), then ALE = $50,000 x 2 = $100,000 per year. That $100,000 is the number a safeguard must beat: spend less than $100,000 a year to drive the ALE down and the control pays for itself; spend more and the cure costs more than the disease. The figure traces that same chain: the asset value flows through the exposure factor to the SLE, then through the ARO to the per-year ALE that the safeguard budget must come in under.

AV$200,000x EF0.25SLE$50,000x ARO2 / yearALE$100,000 / yearThe control budget: a safeguard is justified only whenits annual cost is below the ALE it removes
AV x EF = SLE, then SLE x ARO = ALE, the annual loss a safeguard must beat (NIST SP 800-30 Rev. 1).

Treating risk: responses, controls, and frameworks

Every analyzed risk gets exactly one primary response, avoid, transfer, mitigate, or accept. Building on the sized, ranked risk from the previous section, that decision drives the kinds of controls that implement it and the framework that keeps the whole process repeatable.

The four risk responses

Every analyzed risk gets exactly one primary response. The four, in the language CISSP uses:

  • Avoid, eliminate the risk by not doing the risky activity (e.g. cancel a feature that processes regulated data). Avoidance removes the risk entirely but also forfeits the activity's benefit.
  • Transfer (share), shift the financial consequence to a third party, classically cyber-insurance or a contractual indemnity. Transfer moves the cost of a loss, not the loss itself: the breach still happens to you, and you still own the reputational and legal fallout.
  • Mitigate (reduce), apply controls that lower the likelihood or the impact. This is the most common response and the only one that consumes the safeguard-cost-vs-ALE math from the previous section.
  • Accept, knowingly retain the risk because treating it costs more than the exposure, documenting the rationale. Acceptance must be a deliberate management decision, not an oversight.

Whatever response is chosen, what remains is residual risk, the risk left after the control is applied (conceptually, total risk minus the risk the control removes). Residual risk must be formally accepted by senior management, who own the risk; this acceptance is the same authorization act the framework calls Authorize. A fifth term, risk rejection (ignoring a known risk), is explicitly not a valid response and is the trap answer when a stem describes doing nothing.

Control categories and types

Controls are classified two ways at once, and exam stems mix them. By category (how implemented): administrative/managerial (policies, procedures, training), technical/logical (firewalls, encryption, access controls), and physical (locks, guards, fences). By type (what the control does relative to an event): preventive (stop it, a lock), detective (notice it, a log alert), corrective (fix it after, restore from backup), deterrent (discourage it, a warning banner), recovery (restore operation, DR site), directive (mandate behavior, a policy), and compensating (a substitute when the primary control is infeasible). A single control can hold one category and several types; describe both axes when a question asks you to classify one.

Frameworks, KRIs/KPIs, and maturity

A repeatable program runs risk through a named framework so assessment, treatment, and monitoring stay consistent and auditable. The dominant choices:

  • The NIST Risk Management Framework (RMF), SP 800-37 Rev. 2[2], a seven-step system lifecycle: Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor.
  • NIST SP 800-30 Rev. 1[1] for the assessment methodology specifically (Prepare, Conduct, Communicate, Maintain), operating across three tiers: organization, mission/business process, and information system.
  • The NIST Cybersecurity Framework (CSF) 2.0[3], organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover, where Govern was added in version 2.0.
  • ISO/IEC 27005, the international standard for information-security risk management that complements an ISO/IEC 27001 ISMS.

Once controls are live they are continuously monitored and measured. A Key Risk Indicator (KRI) is a leading metric that signals rising exposure before a loss occurs (e.g. percentage of systems past patch SLA). A Key Performance Indicator (KPI) is a lagging metric of how well a control or process is performing (e.g. mean time to detect). These feed periodic reporting to risk owners and a risk maturity model that describes the climb from ad-hoc, reactive risk handling to defined, managed, and finally optimized, metrics-driven risk management, the engine of continuous improvement.

PrepareCategorizeSelectImplementAssessAuthorizeMonitorcontinuous loop
The seven RMF steps run in order and loop: Monitor feeds back into Prepare (NIST SP 800-37 Rev. 2).

Exam-pattern recognition

CISSP rarely asks a definition outright; it dresses the concepts above up in question stems where the one right answer hides among distractors built from the classic traps. Naming why each distractor fails is how you spot it.

Pattern 1: "What should you do FIRST?"

When a stem describes a newly discovered risk and asks what to do first or next, the answer is almost always an assessment / analysis step before any control purchase: you cannot rationally treat a risk you have not sized. Choosing "buy a firewall" or "encrypt the data" before the risk is assessed is the classic trap: it skips the analysis that tells you whether the control is even cost-justified.

Pattern 2: "Which response is this?"

Stems describe an action and ask you to name the response. Map the verb: buying insurance or signing an indemnity = transfer; deploying a control = mitigate; shutting down the activity = avoid; documenting and living with it = accept. The sharp trap is calling insurance "avoidance": insurance moves the cost, so it is transfer; only stopping the activity is avoidance. A second trap is treating "do nothing" as acceptance: silent inaction is risk rejection, which is not a legitimate response. Acceptance requires a documented, management-approved decision.

Pattern 3: cost-justifying a safeguard

When given AV, EF, ARO and a control's annual cost, compute ALE = (AV x EF) x ARO and compare. The right control is the one whose annual cost is less than the ALE reduction it delivers; an option that costs more than the risk it removes is wrong even if it is the most secure. Watch for stems that give EF as a percentage you must convert (25% = 0.25) and for the difference between SLE (one event) and ALE (per year): mixing them is the most common arithmetic trap.

Pattern 4: who accepts the residual risk?

Residual risk is accepted by senior/executive management (the data or system owner / authorizing official), never by the security team, the analyst, or IT operations. A stem that has a security engineer "accepting" residual risk is testing whether you know risk acceptance is a business-owner authority: that authority is exactly the RMF Authorize step. Likewise, when asked who is accountable for a risk, it is the owner, even if a custodian or third party operates the control day to day.

Pattern 5: framework and metric identification

Know the named artifacts on sight: the RMF seven steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) come from SP 800-37[2]; SP 800-30 is the assessment guide; CSF 2.0 has the six functions Govern/Identify/Protect/Detect/Respond/Recover; ISO/IEC 27005 is the international risk-management standard. Distinguish a KRI (leading, signals rising exposure) from a KPI (lagging, measures performance): a stem describing an early-warning metric wants KRI, while one describing how well a control already works wants KPI.

Choosing a risk-analysis method

DimensionQualitativeQuantitativeHybrid
OutputOrdinal bands (low/med/high) on a risk matrixMonetary figures (SLE, ALE in currency)Bands first, dollars only for top risks
Key formulaNone: likelihood x impact ratingSLE = AV x EF; ALE = SLE x AROQuantitative math applied to triaged risks
Data neededExpert judgment, no hard loss dataReliable asset values and event frequenciesJudgment to triage, then data for the few
Speed / costFast, low effortSlow, data-intensiveBalances effort against precision
Best whenData is scarce or risks are numerousSpend must be justified in dollarsLarge risk register needs prioritization

Decision tree

Must spend be justifiedin dollars?No - data scarceYesQualitativelikelihood x impact bandsReliable asset values andevent frequencies available?No / only some risksYesHybridtriage qualitatively, thenquantify top risksQuantitativeSLE = AV x EF;ALE = SLE x AROAlways: assess the risk before selecting any control,and have senior management accept the residual risk

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Risk is likelihood times impact on a paired threat and vulnerability

Risk is the likelihood that a specific threat exploits a specific vulnerability, multiplied by the resulting impact. A vulnerability with no credible threat, or a threat with no exploitable weakness, carries no risk, which is why risk is always assessed on the threat-vulnerability pair rather than on a weakness alone. NIST frames it as a function of the likelihood of an event and the adverse impact if it occurs.

Trap Treating a discovered vulnerability as a risk on its own, without asking whether any threat can credibly exploit it.

Single Loss Expectancy is asset value times exposure factor

SLE is the money lost in one occurrence of a risk event, computed as SLE = AV x EF, where AV is the asset's value and EF is the fraction of that value destroyed in a single event (a percentage). For example a $200,000 asset with a 25% exposure factor has an SLE of $50,000. EF is expressed as a decimal in the formula, so 25% becomes 0.25.

Trap Reading the exposure factor as a flat dollar loss instead of a percentage of asset value, which inflates SLE.

1 question tests this
Annualized Loss Expectancy is SLE times the annual rate of occurrence

ALE is the expected yearly loss from a risk, computed as ALE = SLE x ARO, where ARO is the expected number of occurrences per year. It is the single number that justifies safeguard spend: a control is cost-effective only when its annual cost is below the ALE reduction it produces. ARO can be fractional (a once-in-ten-years event has an ARO of 0.1).

Trap Confusing SLE (loss from one event) with ALE (loss per year) when a stem asks for annual exposure.

1 question tests this
Fund a safeguard only when its cost is below the ALE it removes

A control is justified when its annual cost is less than the reduction in Annualized Loss Expectancy it delivers; you compare ALE-before minus ALE-after against the control's yearly cost. Spending more to mitigate than the risk is worth is itself a risk-management failure, even if the control is technically the most secure option. This cost-benefit test is what turns quantitative analysis into a budget decision.

Trap Selecting the most secure control regardless of cost, when a cheaper option already drives ALE below the control's price.

3 questions test this
Quantitative analysis yields dollars; qualitative yields ranked bands

Quantitative analysis assigns monetary values (SLE, ALE) and needs reliable asset values and event frequencies, producing figures you can compare directly against control costs. Qualitative analysis rates likelihood and impact on ordinal bands plotted on a risk matrix; it is fast and needs no hard loss data but its outputs cannot be summed or expressed in money. Choose quantitative when spend must be defended in dollars, qualitative when data is scarce.

Trap Claiming qualitative analysis produces a dollar figure, when it only produces relative low/medium/high ratings.

Hybrid analysis triages qualitatively, then quantifies the top risks

A hybrid (semi-quantitative) approach ranks the whole risk register with fast qualitative bands, then spends the effort of a full quantitative model only on the few risks that justify it. This balances the speed of qualitative against the precision of quantitative and is the common real-world choice for a large register. It avoids both the paralysis of quantifying everything and the imprecision of quantifying nothing.

Trap Assuming a hybrid approach must produce dollar figures for every risk, when it reserves the full quantitative model for only the top-ranked few.

Every risk gets one primary response: avoid, transfer, mitigate, or accept

After analysis, each risk is treated with one primary response. Avoid eliminates the risk by stopping the activity; transfer (share) shifts the financial impact to a third party; mitigate (reduce) applies controls to lower likelihood or impact; accept knowingly retains the residual risk because treatment costs more than the exposure. Mitigate is the most common and the only response that uses the safeguard-cost-versus-ALE math.

Trap Treating mitigate as if it eliminates the risk, when only avoid removes it and mitigation merely lowers likelihood or impact.

5 questions test this
Insurance transfers the cost of a loss, it does not avoid the risk

Buying cyber-insurance or signing a contractual indemnity is risk transfer (sharing): it shifts the financial consequence to a third party but the incident still happens to you, and you keep the reputational and legal fallout. Risk avoidance is different: it means not doing the risky activity at all, so the risk cannot occur. Transfer moves cost; avoidance removes the activity.

Trap Labeling cyber-insurance as risk avoidance; insurance only moves the financial impact, so it is transfer.

3 questions test this
Residual risk must be formally accepted by senior management

Residual risk is what remains after a control is applied, conceptually total risk minus the portion the control removes. The owning senior or executive management must formally accept it; the security team, analyst, or IT operations cannot accept risk on the business's behalf. This formal acceptance is the same act the NIST RMF calls Authorize.

Trap Having a security engineer or analyst accept residual risk, when acceptance is a business-owner authority.

5 questions test this
Doing nothing about a known risk is rejection, not acceptance

Risk acceptance is a deliberate, documented management decision to retain a risk after weighing the cost of treatment. Silently ignoring a known risk is risk rejection, which is explicitly not a legitimate response and is indefensible if the risk materializes. The difference is documentation and authority: acceptance is signed off, rejection is neglect.

Trap Treating an organization that ignores a documented risk as having accepted it, when unowned inaction is rejection.

Classify controls by category and by type at the same time

Controls have a category describing how they are implemented (administrative/managerial, technical/logical, physical) and a type describing what they do relative to an event (preventive, detective, corrective, deterrent, recovery, directive, compensating). A single control can hold one category and several types, so a question asking you to classify a control usually wants both axes named. For instance an audit log is a technical control that is primarily detective.

Trap Answering a control's category (technical, physical, administrative) when the stem is asking for its type (preventive, detective, corrective), or vice versa.

A compensating control substitutes when the primary control is infeasible

A compensating control is an alternative safeguard used when the intended primary control cannot be implemented, providing comparable protection by another means. It is the answer when a stem says a required control is impractical (cost, legacy system, business constraint) yet the risk must still be addressed. PCI DSS, for example, allows documented compensating controls in place of a specific requirement.

Trap Calling any backup or secondary control compensating; the term specifically means a substitute for an infeasible required control.

The NIST RMF runs seven steps and loops back to monitoring

The NIST Risk Management Framework (SP 800-37 Rev. 2) is a seven-step system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. Categorize sizes the system's impact, Select chooses SP 800-53 controls, Authorize is senior-official sign-off to operate, and Monitor feeds findings back into the cycle for continuous improvement. The order is testable, so memorize the sequence.

Trap Placing Select or Implement before Categorize, when categorization of system impact must come first to drive control selection.

1 question tests this
SP 800-30 is the assessment guide; SP 800-37 is the management framework

NIST SP 800-30 Rev. 1 is the Guide for Conducting Risk Assessments and defines the assessment methodology (prepare, conduct, communicate, maintain) across three tiers: organization, mission/business process, and information system. NIST SP 800-37 is the broader Risk Management Framework that wraps assessment inside a full system lifecycle. A stem about how to assess risk points to 800-30; one about the end-to-end governance lifecycle points to 800-37.

Trap Citing SP 800-37 for the risk-assessment methodology, when 800-30 is the assessment guide and 800-37 is the broader lifecycle framework.

NIST CSF 2.0 added Govern to make six functions

The NIST Cybersecurity Framework is organized around functions; version 2.0 added Govern, giving six: Govern, Identify, Protect, Detect, Respond, Recover. Govern was elevated to make risk governance and organizational context a first-class function alongside the operational ones. CSF is a voluntary, outcome-based framework, distinct from the RMF's prescriptive control lifecycle.

Trap Listing only the original five CSF functions (Identify, Protect, Detect, Respond, Recover) and omitting Govern, which CSF 2.0 added.

ISO/IEC 27005 is the international information-security risk standard

ISO/IEC 27005 provides guidance on managing information-security risk and complements an ISO/IEC 27001 information security management system (ISMS). Where 27001 specifies the ISMS requirements and 27002 lists control guidance, 27005 governs the risk-management process within that system. It is the standards-based alternative to the NIST publications for organizations aligned to ISO.

Trap Picking ISO/IEC 27001 or 27002 as the risk-management standard, when 27001 specifies the ISMS and 27002 lists controls, leaving 27005 for the risk process.

A KRI signals rising exposure; a KPI measures performance

A Key Risk Indicator is a leading metric that warns of increasing risk exposure before a loss occurs, such as the percentage of systems past their patch deadline. A Key Performance Indicator is a lagging metric of how well a control or process is performing, such as mean time to detect. A stem describing an early-warning signal wants KRI; one describing how effective a control already is wants KPI.

Trap Calling a backward-looking performance measure a KRI; an early-warning exposure metric is the KRI, the performance measure is the KPI.

7 questions test this
Assess the risk before selecting any control

When a newly discovered risk asks what to do first, the answer is to assess and analyze it before buying or deploying any safeguard, because you cannot rationally treat a risk you have not sized. Jumping straight to a control skips the analysis that tells you whether the control is even cost-justified or correctly targeted. Identify and analyze, then respond.

Trap Choosing to deploy a specific control as the first action, before the risk has been assessed and prioritized.

Risk maturity models chart the climb from ad-hoc to optimized

A risk maturity model describes an organization's progression from ad-hoc, reactive risk handling through defined and managed stages to an optimized, metrics-driven program. It frames continuous improvement as moving up maturity levels rather than treating each risk in isolation. Higher maturity means risk decisions are consistent, measured, and integrated into governance rather than improvised per incident.

1 question tests this
The asset owner is accountable even when a custodian operates the control

Accountability for a risk and its asset rests with the owner, typically senior or business management, even when a custodian or third party operates the safeguard day to day. Operating a control or processing data does not transfer accountability; responsibility for daily handling can be delegated, but accountability cannot. This is why residual-risk acceptance is an owner decision.

Trap Assuming a managed-service provider or IT custodian becomes accountable for the risk because it runs the control.

Defense-in-depth layers diverse controls because no single control suffices

Defense-in-depth integrates people, technology, and operations into multiple overlapping layers so that if one control fails or is bypassed, others still protect the asset - the core rationale being that no single mechanism stops every threat. Strength comes from heterogeneity (e.g., firewalls from different vendors) and segmentation (network zones/conduits or micro-segmentation) that limit lateral movement and align with zero-trust principles.

Trap Stacking several copies of the same vendor's product is not true defense-in-depth; one shared flaw defeats every identical layer at once.

5 questions test this
Risk appetite is set by the board; risk tolerance is the operational threshold

Senior leadership/the board declares the enterprise risk appetite - the broad amount of risk it is willing to pursue - and management translates it into risk tolerance: specific, often quantitative thresholds for business processes. A residual risk (computed as probability times impact after controls) is acceptable when it falls within the established appetite/tolerance; otherwise further treatment is required.

Trap Risk appetite is the high-level, strategic statement; risk tolerance is the measurable operational limit derived from it - they are not interchangeable.

3 questions test this

Also tested in

References

  1. NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments Whitepaper
  2. NIST SP 800-37 Rev. 2: Risk Management Framework (About the RMF) Whitepaper
  3. NIST Cybersecurity Framework (CSF) 2.0 Whitepaper