
You're reading from CompTIA Security+ SY0-701 Certification Guide - Third Edition

Product type: Book
Published in: Jan 2024
Publisher: Packt
ISBN-13: 9781835461532
Edition: 3rd Edition

Author: Ian Neil
Ian Neil is one of the world's top trainers of Security+. He is able to break down information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds (not just IT professionals), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who has worked with high-end training providers over the past 23 years and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest office in 2006.

Introduction

This chapter covers the second objective in Domain 5.0, Security Architecture, of the CompTIA Security+ exam.

In this chapter, we will look at the elements of effective security governance, investigating all the different stages of risk management, from identification to risk assessment and analysis, including how to calculate loss using Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE). In the final sections, we will consider the purpose of risk registers, risk tolerance, and risk management strategies, together with risk reporting and Business Impact Analysis (BIA).

Risk is the probability that an event will happen, but risk can also bring profit. For example, if you place a bet on roulette at a casino, then you could win money. However, it is more likely that risk will result in financial loss. Companies will adopt a risk management strategy to reduce the risk they are exposed to; however, they may not be able to eliminate...

Risk Analysis

Risk analysis is a pivotal process for identifying and managing potential risks that could adversely impact an organization. The process brings together several key components, such as probability, likelihood, exposure factor, and impact, each playing a crucial role in building a picture of the overall risk landscape. There are two types of risk analysis, qualitative and quantitative, which look at risk in different ways and serve different purposes in the risk management strategy. To allow quantitative analysis, there are methods of quantifying different aspects of risk in order to help businesses make informed decisions. These concepts are discussed here:

  • Qualitative risk analysis: Qualitative risk analysis uses subjective judgment to categorize risks as high, medium, or low, focusing on their potential impact and likelihood of occurrence. One of the aspects of qualitative risk analysis is a risk matrix/heat map, which shows the severity...

Risk Register

A risk register is a crucial document in risk management processes that provides a detailed log of risks identified during a risk assessment. It includes Key Risk Indicators (KRIs), identifies risk owners, and specifies the risk threshold, helping organizations to monitor and manage risks effectively. Let’s look at each of these in turn:

  • KRIs: KRIs are an essential element of a risk register. They serve as metrics that provide an early signal of increasing risk exposure in various areas of the organization. KRIs act as early indicators of risk and so are instrumental in anticipating potential problems and allowing organizations to enact proactive measures to mitigate such risks. A KRI in a financial institution could be the number of failed transactions in each period, identifying potential issues in the transaction process that could lead to more significant risks if not addressed promptly.
  • Risk owners: Assigning risk owners is a fundamental step in...
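To tie the quantitative figures from the Risk Analysis section (SLE, ARO, ALE) to the risk register described here (risk owners, KRIs and their thresholds), the following is an added Python example, not code from the book; the risk names, monetary figures, KRI readings and the `kri_threshold` field are all constructed for illustration.

```python
"""Quantitative risk analysis feeding a risk register (added example)."""
from dataclasses import dataclass

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected number of occurrences per year)."""
    return sle * aro

@dataclass
class RiskEntry:
    """One risk register row: owner, loss inputs and a KRI with its threshold."""
    name: str
    owner: str
    asset_value: float
    exposure_factor: float
    aro: float
    kri_value: float      # current reading of the key risk indicator (constructed)
    kri_threshold: float  # reading at which the risk owner must act (constructed)

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.sle, self.aro)

    @property
    def kri_breached(self) -> bool:
        return self.kri_value >= self.kri_threshold

def build_register(entries: list[RiskEntry]) -> list[dict]:
    """Rank risks by ALE (highest first) and flag any KRI that crossed its threshold."""
    ranked = sorted(entries, key=lambda e: e.ale, reverse=True)
    return [{"risk": e.name, "owner": e.owner, "sle": e.sle, "ale": e.ale,
             "kri_breached": e.kri_breached} for e in ranked]

# Constructed sample risks; all figures are hypothetical, not from the book.
SAMPLE_RISKS = [
    RiskEntry("Ransomware on file server", "IT Ops", 200_000, 0.5, 0.2, 3, 5),
    RiskEntry("Payment gateway outage", "Finance", 50_000, 1.0, 2.0, 7, 5),
    RiskEntry("Laptop theft", "Facilities", 2_000, 1.0, 3.0, 1, 4),
]
```

Ranking by ALE rather than SLE is what lets the register surface frequent low-value losses (the laptops) against rare high-value ones (the ransomware) on a single scale.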

Risk Tolerance

Risk tolerance is the organization’s personalized threshold for embracing the unknown. It’s a finely tuned balance that guides strategic decisions to combine financial strength with market dynamics and innovation pursuits.

A venture capitalist demonstrates a high risk tolerance by investing substantial funds in a start-up with groundbreaking ideas but no proven track record. In taking this risk, they accept the possibility that the entire investment may be lost in pursuit of substantial returns.

Similarly, a retiree opting to put their savings into fixed deposits or government bonds showcases a low risk tolerance by prioritizing capital preservation and consistent (albeit smaller) returns over potential high gains associated with higher risk.

Risk Appetite

A critical component of security governance is risk appetite, which is the level of risk an organization is willing to bear in pursuit of its objectives. Risk appetite sets the tone for venturing into new territories, while risk tolerance serves as the safety net, indicating when it’s time to pull back to protect the organization’s stability and objectives. Risk appetite usually falls into three categories, expansionary, conservative, and neutral, as follows:

  • Expansionary risk appetite: Organizations with an expansionary risk appetite typically embrace higher levels of risk in an effort to foster innovation and gain a competitive edge. These organizations often prioritize growth and expansion and seek higher returns and market shares over stringent security protocols, potentially exposing them to a spectrum of threats.
  • Conservative risk appetite: In contrast to those with expansionary appetites, organizations with a conservative risk appetite...

Risk Management Strategies

Risk management is an integral component of successful organizational functioning, aimed at identifying, assessing, and addressing risks. By employing effective risk management strategies, organizations can enhance decision-making, improve performance, and preserve value. This section explores various risk management approaches, each of which offers a distinct way to deal with potential hazards, as follows:

  • Risk transference: In this approach, significant risks are allocated to a third party, often through insurance or outsourcing your IT systems. For example, companies recognizing the potential damages from a road traffic accident will purchase car insurance to transfer the financial risk to the insurer. Similarly, businesses are increasingly adopting cybersecurity insurance to cover potential financial losses, legal fees, and investigation costs stemming from cyberattacks.
  • Risk acceptance: Risk acceptance is the acknowledgment of a specific...

Risk Reporting

Risk reporting is the process of systematically gathering, analyzing, and presenting information about risks within an organization. It serves as a valuable tool for decision-makers, helping them assess the potential impact of various risks and allocate resources judiciously. Here are some key reasons why risk reporting is essential:

  • Informed decision-making: Risk reports provide decision-makers with timely and relevant information about potential risks. Armed with this knowledge, they can make informed decisions that minimize negative impacts and maximize opportunities.
  • Stakeholder confidence: Effective risk reporting enhances stakeholder confidence. Investors, customers, and partners are more likely to trust organizations that transparently disclose their risk management strategies and outcomes.

  • Compliance and regulation: Many industries are subject to stringent regulatory requirements. Proper risk reporting ensures compliance with these regulations...

Business Impact Analysis

BIA is carried out by an auditor with the objective of identifying a single point of failure. The auditor checks for any component whose failure would significantly impair or halt a company’s operations. The auditor evaluates the potential impact of disruptions, considering aspects such as loss of sales, additional expenses such as regulatory fines, and the potential procurement of new equipment. BIA primarily focuses on understanding the consequences, both operational and financial, that may follow a disaster or disruption. Some key concepts of BIA include the following:

  • Recovery Point Objective (RPO): The RPO is determined by identifying the maximum age of files or data that an organization can afford to lose without experiencing unacceptable consequences. It’s fundamentally related to data backup frequency. For instance, if a company sets an RPO of three hours, it means the organization must perform backups at least every three hours...

Summary

This chapter covered the core elements of effective security governance and its crucial role in the management of an organization. This included an exploration of risk identification, assessment, and analysis, as well as a review of risk registers, risk tolerance, and risk management strategies with risk reporting. We also examined aspects of BIA such as RPO, RTO, MTBF, and MTTR, and how to calculate the annual loss expectancy.

The knowledge gained in this chapter will prepare you to answer any questions relating to Exam Objective 5.2 in your CompTIA Security+ certification exam.

The next chapter will be Chapter 25, Explain the processes associated with third-party risk assessment and management.

Exam Objectives 5.2

Explain elements of the risk management process.

  • Risk identification: Identifying a risk
  • Risk assessment: Assessing the impact of a risk:
    • Ad hoc risk assessment: Spontaneous evaluation of a risk
    • Recurring risk assessment: Regularly scheduled risk evaluations conducted at set intervals
    • One-time risk assessment: Occasional, project-specific risk evaluations
    • Continuous risk assessment: Ongoing, automated monitoring and updating of risk factors
  • Risk analysis:
    • Qualitative risk analysis: Subjective evaluation based on non-numeric factors
    • Quantitative risk analysis: Data-driven assessment using numeric values and calculations
    • Single Loss Expectancy (SLE): Estimation of potential loss from a single risk occurrence
    • Annualized Loss Expectancy (ALE): Expected annual loss from a specific risk
    • Annualized Rate of Occurrence (ARO): Average frequency of a risk happening
    • Probability: Likelihood of a specific risk event occurring
    • Likelihood: The chance of a risk event taking place...

Chapter Review Questions

The following questions are designed to check that you have understood the information in the chapter. For a realistic practice exam, please check the practice resources in our exclusive online study tools (refer to Chapter 29, Accessing the online practice resources for instructions to unlock them). The answers and explanations to these questions can be found via this link.

  1. Which of the following is a phase in risk management during which potential risks are determined?
    1. Risk assessment
    2. Risk identification
    3. Risk mitigation
    4. Risk monitoring
  2. Which type of risk assessment is performed to monitor and assess risks in real-time and is most effective for instantaneous detection of issues?
    1. Ad hoc
    2. Scheduled
    3. Continuous
    4. Recurring
  3. Which type of risk assessment typically occurs at regular and scheduled intervals?
    1. One-time
    2. Ad-hoc
    3. Continuous
    4. Recurring
  4. In risk management strategies, which analytical approach quantifies risk by applying numerical values, statistical methods...