General security

Understanding Security Risk Concepts

By Mahwish Khan, April 18, 2017

Understanding and analyzing the various risk factors to network security is of the utmost importance in information technology. Categorizing various risks, implementing control types, and identifying threat vectors are all concepts that information security experts must master to protect networks against malicious threats. The CompTIA Security+ exam is designed to test your knowledge of these integral information technology concepts.

What control types do I need to know for the Security+ exam?

Security+ tests your knowledge of three classes of control, each of which is further broken down into specific controls: Technical Control Types, Management Control Types, and Operational Control Types.

Technical Control Types

Technical Control Types can be thought of in terms of controlling access. This control type is implemented with technology and considers elements such as authenticating users, controlling who has access, the type of access allowed, and the specific resources that may be accessed. Technical controls also cover how individual systems are protected and how communications between systems are protected. Some important examples of technical controls are encryption to protect the confidentiality of data, antivirus software, and firewalls.

Management Control Types

Policies and procedures for securing networks are integral to Management Control Types. It is not enough to simply install a firewall: information technology professionals must also understand the policies and procedures for correctly configuring it. Management controls therefore use planning and assessment methods to manage and reduce security risk, and this control type deals directly with risk assessment procedures. Additional management controls include vulnerability assessments, which test systems for weaknesses, and penetration tests, which actively attempt to exploit those weaknesses.

Operational Control Types

Operational Control Types are used to help ensure that daily organizational operations fall in line with the organization's overall security plan. A significant difference between Operational Control Types and Technical Control Types is that operational controls are performed by people on a day-to-day basis rather than by technology. Some operational controls include security awareness training, contingency planning, and configuration and change management.

What risk reduction policies do I need to know?

Adopting specific risk reduction policies is essential to proper risk management. To this end, you will need to understand privacy policies, acceptable use policies, security policies, separation of duties policies, and least privilege policies.

Privacy

Privacy policies govern how an organization collects, stores, uses, and shares personally identifiable information (PII). Several federal and state laws regulate privacy, so understanding which of them apply to your specific organization is imperative.

Acceptable Use

Acceptable use policies explain what users may do with an organization's network access. These policies often contain rules about using email and messaging software for personal purposes, as well as specifics about access times and how much storage space is available. Ultimately, users should receive the least access possible while still being able to complete their legitimate work.

Acceptable use policies typically provide clear and understandable language and detail the user's expected behavior on the network, including acceptable and not acceptable uses. Additionally, acceptable use policies typically provide enforcement guidelines, privacy statements, consent forms, and liability disclaimers.

Security Policies

Security policies establish guidelines and procedures for defending against malicious threats. They often cover encryption of passwords and sensitive data, standards for configuring antivirus software, and rules for configuring firewalls.

Separation of Duties

Separation of duties consists of spreading the tasks and account privileges of a security-sensitive process among several people so that no single person can complete it alone; for example, the person who requests a change should not be the one who approves it. This prevents fraud and corruption by ensuring that no individual gains too much access to sensitive information or too much control over a critical process.

Least Privilege

Least privilege grants users the minimum permissions needed to perform their tasks on the network. This minimizes risk because malware runs with the privileges of the user who executes it: a virus launched by an administrator can do far more damage than one launched by a user with ordinary permissions.

What do I need to know about risk calculation?

Ultimately, calculating risk involves comparing the actual cost of prevention against malicious threats versus the expected cost of loss because of those threats. Risk calculation is broken into several elements. The Security+ exam, therefore, tests for the following concepts:

Likelihood

While analyzing threats, the information technology professional should consider how likely it is that the threat will occur. Likelihood is the probability of a threat event happening. Gauging the likelihood of a threat can involve both estimating and using historical data. The guiding idea is that the cost of preventing a risk should not outweigh the cost of the risk itself.

Annual Loss Expectancy

Annual loss expectancy (ALE) is the expected monetary loss from a given threat over one year. It is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). The formula for calculating annual loss expectancy is SLE x ARO = ALE. Comparing the ALE with and without a control, against the control's annual cost, is how the cost of prevention is weighed against the expected loss.

Impact

Impact is a broad term that applies across organizational structures. Each organization has its own risk assessment procedures and will weigh cost factors differently. In general, however, threats with longer-lasting and more damaging results, such as extended downtime on the network, and threats that expose personally identifiable information are viewed as the most impactful, because they affect the assets with the highest value to the organization.

Single Loss Expectancy

Single loss expectancy (SLE) is the expected monetary loss from a single occurrence of a specific threat. It is calculated by multiplying the asset value (AV) by the exposure factor (EF), the fraction of the asset's value that would be lost in one incident. The formula for calculating single loss expectancy is AV x EF = SLE. For example, if an asset worth $200,000 would lose 75% of its value in one incident, the SLE is $150,000.

Annualized Rate of Occurrence

Annualized rate of occurrence (ARO) is the expected number of times a specific threat will occur in one year. It can be less than one: a threat expected once every ten years has an ARO of 0.1.

Mean Time to Failure

Mean time to failure (MTTF) is the average length of time a system operates before it fails, in other words the average time it is available between outages. Individual operating periods are measured and averaged to determine the system's MTTF. A related measure, mean time between failures (MTBF), adds the repair time to the operating time and is used for systems that are repaired and returned to service.

Mean Time to Repair

The average amount of time it takes to fix a failed system and return it to service is called the mean time to repair (MTTR). Although repairing systems can be complicated and lengthy, MTTR is typically measured in hours. Together, MTTF and MTTR determine expected availability: the larger MTTF is relative to MTTR, the less downtime a system will suffer in a year.
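The following worked example, added here and not part of the original article, ties the formulas above together: SLE = AV x EF, ALE = SLE x ARO, ARO derived from historical incident counts, the cost/benefit test for a control, and availability and annual downtime derived from MTTF and MTTR. The ransomware scenario, asset values, exposure factors, and backup cost are constructed figures for illustration only.

```python
"""Quantitative risk calculation helpers (SLE, ALE, control cost/benefit,
MTTF/MTTR availability).  Added example; all figures are constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, with the inputs the Security+ formulas need."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year (may be below 1)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce a nonsense loss figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_history(incidents: int, years: float) -> float:
    """Estimate ARO from historical data: incidents observed / years observed."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.

    A positive result means the control removes more expected loss than it
    costs; a negative result means prevention is dearer than the risk itself.
    """
    return before.ale() - after.ale() - annual_control_cost


def availability(mttf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability A = MTTF / (MTTF + MTTR)."""
    if mttf_hours < 0 or mttr_hours < 0 or mttf_hours + mttr_hours == 0:
        raise ValueError("MTTF and MTTR must be non-negative and not both zero")
    return mttf_hours / (mttf_hours + mttr_hours)


def expected_downtime_hours_per_year(mttf_hours: float, mttr_hours: float) -> float:
    """Expected outages per year (one per MTTF+MTTR cycle) times hours per outage."""
    cycle = mttf_hours + mttr_hours
    return (HOURS_PER_YEAR / cycle) * mttr_hours


# Constructed scenario (hypothetical figures): a file server worth $200,000.
# Without offline backups a ransomware incident destroys 75% of its value;
# with tested offline backups the loss is limited to 25% (restore time, partial data loss).
# Two incidents were seen across the sector in the last four years -> ARO = 0.5.
RANSOMWARE_ARO = aro_from_history(incidents=2, years=4)
RANSOMWARE_NO_BACKUPS = Risk("ransomware, no offline backups", 200_000, 0.75, RANSOMWARE_ARO)
RANSOMWARE_WITH_BACKUPS = Risk("ransomware, tested offline backups", 200_000, 0.25, RANSOMWARE_ARO)
BACKUP_ANNUAL_COST = 15_000  # hypothetical yearly cost of the backup control


def summarise() -> dict:
    """Return the figures a risk register row would hold for this scenario."""
    return {
        "sle_before": RANSOMWARE_NO_BACKUPS.sle(),
        "ale_before": RANSOMWARE_NO_BACKUPS.ale(),
        "ale_after": RANSOMWARE_WITH_BACKUPS.ale(),
        "net_control_value": control_value(
            RANSOMWARE_NO_BACKUPS, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST
        ),
        "availability": availability(mttf_hours=1000, mttr_hours=4),
        "downtime_hours": expected_downtime_hours_per_year(1000, 4),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key:>18}: {value:,.2f}")
```

With these inputs the SLE without backups is $150,000 and the ALE is $75,000; backups cut the ALE to $25,000, so after their $15,000 yearly cost the control is worth $35,000 a year. The availability figures show why MTTR matters as much as MTTF: a server that runs 1,000 hours between failures and takes 4 hours to repair is about 99.6% available, roughly 35 hours of downtime a year.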

Quantitative vs. Qualitative Risk Analysis

It is not always feasible to measure risk quantitatively because not all risk assessments involve numerical measurements. Since this is the case, qualitative measures are often used. While it can be difficult to remember the differences between the two risk analysis methods, the basic distinction between the two paradigms is that quantitative analysis involves counting things, and qualitative analysis does not. To that end, qualitative analysis is subjective.

Quantitative Analysis

Quantitative analysis requires measurements with numerical values that can be counted. While often viewed as more precise, it is often more difficult, time-consuming, and costly to perform quantitative risk assessment than it is to conduct a qualitative analysis.

Qualitative Analysis

While qualitative analysis might use numbers, this risk assessment does not rely on them. Rather than numbers, the qualitative analysis relies on theories, estimates, focus groups, surveys, and things like brainstorming and collaborative efforts. Ultimately, qualitative analysis is not viewed as precise as quantitative analysis because it relies on more subjectivity.

What threat vectors do I need to know?

Threat vectors are the paths that threats take to get into a system. There are numerous threat vectors to consider, such as the network perimeter, the users themselves (for example through social engineering), email, web browsers and web applications, remote access and wireless hotspots, printers, scanners, and mobile devices, to name a few.

What risk definitions do I need to know?

In the information above, you have seen that there are numerous concepts involved in assessing and calculating security risk. When it comes to responding to identified risk, the Security+ exam pays particular attention to five risk response strategies.

Risk Avoidance

As the term suggests, administrators can decide to avoid certain risk factors based on what they identify as potentially risky actions. For example, a company might determine that an application requiring open firewall ports is too much of a risk to network security, so the company will decide to discontinue use of the application or not allow the application to have network access, to begin with. An important aspect of risk avoidance is threat assessment and calculated decision-making. Of course, avoiding risk can sometimes mean avoiding beneficial network elements, so risk avoidance involves weighing the potential benefits against the risks and making the best decision for your organization.

Risk Acceptance

A certain amount of risk is unavoidable no matter the situation. In network security, administrators must practice risk acceptance not only when the benefits of something outweigh its risks, but also in general practice. The risk exists, so to build a functional network, some risk acceptance is necessary. This means acknowledging the risks of an action and choosing to proceed anyway. Often, organizations will allow for a particular level of risk, which defines their risk tolerance.

Risk Deterrence

While administrators might have to accept risk in network operations, they can also actively discourage intruders and malicious intent; this is called risk deterrence. Deterrence works by making the consequences of an attack visible to a would-be attacker. Organizations will often publicly post their policies for dealing with intruders, for example in login warning banners or published statements that intrusions will be investigated and prosecuted, to discourage attempts to break into the network.

Risk Mitigation

Deterrence is sometimes included with risk mitigation, which involves actively taking steps to reduce the level of risk. Implementing layers of security on a network is one part of risk mitigation, but it can also include cyber security training for users. Anything that reduces risk can be referred to as risk mitigation.

Risk Transference

When companies shift risk to another party, it is called risk transference. Usually, companies buy insurance or contract with a third party to manage network security. Moving data to a cloud service is one way companies use risk transference: the provider takes on part of the operational risk, such as securing the underlying infrastructure. Transference does not eliminate the risk or the organization's accountability for it, however; the company remains responsible for what it puts in the cloud and for its legal and compliance obligations to its customers.


About the author: Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.