Security+: Risk management processes and concepts
The risk management process is a structured approach to risk management in organizations. Consistently implemented, it allows risks to be identified, analyzed, evaluated and managed in a uniform, efficient and focused manner. Risk management is an essential part of cybersecurity, which is why it's covered in the CompTIA Security+ certification, the most popular entry-level cybersecurity certification.
Risk management is covered in several areas of the CompTIA Security+ exam. The main concepts are in just one of the Security+ exam domains. That's domain 5: Security Program Management and Oversight. The two primary objectives are:
- Objective 5.2: Explain the processes associated with third-party risk assessment and management.
- Objective 5.3: Summarize elements of effective security compliance.
Read on to learn more about key risk management concepts. For more information on the Security+ exam, download our free Security+ ebook or explore Infosec's Security+ Training Boot Camp.
Understanding the context of risk management
Risk assessment and mitigation strategies are part of managing risks in many organizations worldwide. This approach represents a critical piece of work within the security horizon, as it includes the identification and evaluation of potential risks and their impact. The risk process includes brainstorming sessions, where the team is asked to create a list of everything that could go wrong.
Three concepts are important to consider when risk assessment is established:
- The external context is the environment in which the entity operates (cultural, financial, political and similar factors) and the potential impact that risks can produce there.
- The internal context includes factors within the entity relevant to the risk assessment, such as objectives, strategy, organizational capabilities, culture and more.
- The risk management context is the goals and objectives of the risk management activity, such as determining who is responsible for each component and what is in scope.
Risk management concepts
This section describes some of the most well-known concepts in risk management, which are adopted by IT companies and information security specialists.
Risk identification
The main goal of risk identification is to recognize all possible risks, not eliminate risks from analysis or develop solutions for mitigating risks (because those functions are carried out during the risk treatment and mitigation steps). A disciplined process typically involves using checklists of potential risks and evaluating the likelihood that those events might happen. For example, some companies develop risk checklists based on experience from past incidents and projects.
Risk identification typically involves the following activities:
- Identification of assets: anything that has value to the organization and therefore requires protection, whether software or hardware: networks, websites, the organization's infrastructure, business processes, web servers, computers, mobile devices and more
- Identification of threats: theft of media or documents, tampering with hardware and software, eavesdropping, software malfunction etc.
- Identification of existing controls: their operating costs and their place in the infrastructure security plan; in general, this is an opportunity to check that the controls are working correctly, drawing on information such as findings from previous audits
- Identification of vulnerabilities: via penetration testing audits, code review, review of management routines etc.
- Identification of consequences: the damage or consequences that an incident scenario could cause the organization should be identified
Risk analysis
A risk analysis estimates the likelihood (and expected frequency) that a particular risk will materialize and the impact it would have if it did. Combining these two factors gives the severity of the risk, which may be either positive or negative.
Although there are many ways of calculating risk, there is a generic form based on a matrix called a risk heat map. This is a visual way to represent risk, usually with one axis focused on likelihood and the other on impact. It provides organizations with a way to identify the most likely and impactful events vs. events that may be severe but not likely or likely but not severe.
Risk evaluation
Risk evaluation determines the tolerability of each risk. Tolerability is different from severity: it decides which risks need treatment and in what relative priority. This is achieved by comparing the risk severity established in the risk analysis step with the risk criteria (generally the consequence criteria defined earlier, when the risk management context was set).
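The two steps above (analysis, then evaluation) can be shown end to end on a small constructed risk register. The following Python is an added example, not code from the original article or from CompTIA; the five-point likelihood and impact scales, the severity bands used as risk criteria, and the four sample risks are all assumptions made for illustration. It computes severity as likelihood times impact, lays the risks out on a heat map, and then applies tolerability bands to produce a treatment priority list.

```python
from dataclasses import dataclass

# Five-point scales for the two heat-map axes (constructed for this example)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (constructed): severity bands that decide tolerability.
# Tolerability is a decision about the score, not the score itself.
BANDS = [(15, "intolerable"), (8, "treat"), (4, "monitor"), (0, "accept")]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT


def severity(risk: Risk) -> int:
    """Risk analysis: severity = likelihood rating x impact rating."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def tolerability(score: int) -> str:
    """Risk evaluation: compare a severity score with the risk criteria."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "accept"


def evaluate(risks):
    """Return (name, severity, tolerability) tuples in priority order (highest severity first)."""
    rows = [(r.name, severity(r), tolerability(severity(r))) for r in risks]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def heat_map(risks):
    """Build a 5x5 grid where grid[likelihood-1][impact-1] lists the risks in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[LIKELIHOOD[r.likelihood] - 1][IMPACT[r.impact] - 1].append(r.name)
    return grid


def render_heat_map(risks) -> str:
    """Text rendering: highest likelihood on top, impact increasing left to right."""
    grid = heat_map(risks)
    lines = ["likelihood \\ impact | " + " | ".join(f"{i:^14}" for i in IMPACT)]
    for lik_name, lik in sorted(LIKELIHOOD.items(), key=lambda kv: -kv[1]):
        cells = [", ".join(grid[lik - 1][imp - 1]) or "-" for imp in IMPACT.values()]
        lines.append(f"{lik_name:>19} | " + " | ".join(f"{c:^14}" for c in cells))
    return "\n".join(lines)


# Constructed sample register: one risk per quadrant of interest
SAMPLE_RISKS = [
    Risk("ransomware on file server", "likely", "major"),    # likely and severe
    Risk("laptop theft", "possible", "moderate"),            # middle of the map
    Risk("data-center flood", "rare", "severe"),             # severe but not likely
    Risk("printer outage", "likely", "negligible"),          # likely but not severe
]

if __name__ == "__main__":
    for name, score, label in evaluate(SAMPLE_RISKS):
        print(f"{score:>2}  {label:<12} {name}")
    print()
    print(render_heat_map(SAMPLE_RISKS))
```

Running it lists the ransomware scenario first (severity 16, intolerable), laptop theft next (9, treat) and leaves the flood (5) and printer outage (4) in the monitor band; the heat map shows why the last two end up together despite being opposite cases, one severe but rare and one likely but trivial, which is exactly the distinction the article says the map is for.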
Risk treatment and risk reduction
Once the particular risk has been identified, a risk mitigation plan should be developed. This is a plan to minimize and contain the impact of an unexpected event.
Risk treatment options can be grouped into different categories:
- Risk avoidance involves developing alternative strategies that have a higher probability of success but a higher cost.
- Risk partnering involves working with others to mitigate risk.
- Risk mitigation is an investment of funds to reduce the identified risks.
- Risk transfer is a risk reduction method that shifts the risk to another party.
Communication and consultation
Risk communication is a process that interacts bidirectionally with all other processes of risk management. Communication and consultation is an essential attribute of good risk management. Risk management cannot be controlled and managed in an isolated environment — it’s fundamentally communicative and consultative.
Good risk communication:
- Encourages stakeholder engagement and accountability
- Is used to its full extent throughout the process
- Meets the requirements of all internal and external stakeholders involved in the process
- Allows expert opinion to be brought in
- Informs other entity processes, such as corporate planning and resource allocation
Monitoring and review
This represents an ongoing process where security controls are monitored continuously. Business requirements, vulnerabilities and threats can change constantly. Monitoring and review can be periodic and based on trigger events or changing circumstances.
In this sense, the key objectives of risk monitoring and review include:
- Tracking changes in the cyber threat landscape
- Building the capacity to identify new types and kinds of cyberattacks and threats
- Maintaining a proactive stance in the cyber risk environment
- Analyzing and learning lessons from events, including near-misses, successes and failures
It is important to note that any updates, revisions or modifications made to the risk management process should be documented and a version history kept. Risk management processes are critical for the business security horizon.
For more on the Security+ certification, view our Security+ certification hub.