Security+: Understanding Security Risk Concepts (SY0-401) [DECOMMISSIONED ARTICLE]

November 21, 2017 by Fakhar Imam

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Risk can be defined as “the possibility that something (such as a virus or malware attack) could disclose, destroy, or damage data or other resources in the organization.” The purpose of security is to prevent risks and to ensure authorized access. By using risk management and information security strategies, security professionals identify the factors that could disclose or damage data. After that, they recommend and implement cost-effective solutions for mitigating those risks.

Risk analysis is the process whereby the goals of risk management are achieved. Risk analysis procedures include:

  • Analyzing an environment for risks.
  • Evaluating the cost of the damage each risk found in the first step would cause.
  • Assessing the cost of various countermeasures for one or more risks.
  • Preparing a cost/benefit analysis report for protection and presenting it to executive authorities.

What Control Types Do I Need To Know for the Security+ Exam?

There are three control types that you need to know for the Security+ exam: technical, management, and operational. Control types are used to implement security. A control can be a new product, a modified existing product, the removal of a product from the IT environment, or a redesign of an IT infrastructure. Controls are vital for protecting the confidentiality, integrity, and availability of data and information.

Technical Controls

Technical controls involve the hardware or software tools that manage access to systems and resources and provide protection for them. Various examples of technical controls are listed below.

  • Encryption
  • Smart cards
  • Passwords
  • Biometrics
  • Constrained interfaces
  • Access control lists (ACLs)
  • Protocols
  • Firewalls
  • Routers
  • Intrusion detection systems (IDS)
  • Clipping levels

Management Controls

Management controls are the policies and procedures that the organization’s executives and managers are responsible for. Management controls define how the overall access control will be implemented and enforced. The following list includes various examples of management controls.

  • The system development lifecycle (SDLC)
  • Legal and regulatory
  • Computer security lifecycle
  • Vulnerability management/scanning
  • Policies and procedures
  • Background checks
  • Data classification
  • Security training
  • Vacation history
  • Work supervision

Operational Controls

Operational controls are designed to increase individual and group system security on a daily basis. They are carried out by people who must have the technical expertise and an understanding of operational controls. Examples of operational controls include:

  • User awareness and training
  • Fault tolerance and disaster recovery plans
  • Incident handling
  • Computer support
  • Baseline configuration development
  • Environmental security

What Risk Reduction Policies Do I Need to Know?

Reducing risk is a significant concern for any organization. Security management identifies the risk and then implements security policies to eliminate or mitigate it.

Privacy Policy

A privacy policy is a legal document explaining how the organization uses and manages customers’ data and how the security of personally identifiable information (PII) will be ensured. In addition to customers, others can be covered by the privacy policy: suppliers, contractors, employees, and external visitors to an organization’s online offering. There is no universal standard for an organization’s privacy policy, so each enterprise has to develop its own.

Acceptable Usage Policies (AUPs)

AUPs define which practices and activities are, and are not, acceptable or appropriate uses of company resources and equipment. Usually, each employee is required to sign an AUP before starting work in the organization. Failure to comply with an AUP may result in a warning, a penalty, or, as a last resort, job termination. For example, if a manager asks an employee to repair a system that is outside the AUP’s parameters, the employee can refuse to do so. If the employee is found working on that system anyway, he or she will be subject to termination for violating the AUP.

Security Policy

The security policy is the top tier of a company’s essential protection-plan documentation. A security policy is a document that defines the realm of security required by the company and ensures the protection of its assets. It also identifies the functional areas of data processing and defines all relevant terminology. A security policy falls into one of three categories: regulatory, informative, or advisory.

Separation of Duties

Separation of duties means that one or more groups are assigned different tasks and a separate administrator is assigned to oversee each group. Separation of duties helps to prevent conflicts of interest, reduces errors, and prevents fraud. For instance, if one employee orders goods from suppliers, then another employee should enter those goods into the accounting system. This prevents the purchasing employee from diverting incoming goods for his or her own use.

Least Privilege

Least privilege means that a user is assigned only the minimum access, rights, privileges, and permissions required to perform his or her task. This prevents the user from performing any task that is beyond the scope of his or her assigned responsibility. Management should periodically review privileges to check for misalignment with job responsibilities. Privilege misalignment often occurs when an employee accumulates privileges as his or her job responsibilities change over time. The accumulation of these excessive privileges means that the employee has more privileges than the principle of least privilege allows. Under such circumstances, a least privilege review is necessary.
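The two reviews described above (the separation-of-duties check from the goods-ordering example and the periodic least privilege review for accumulated privileges) can be scripted against an access inventory. This is an added example, not code from the original article; the role model, the toxic privilege pairs, and the user grants are constructed sample data.

```python
# Periodic least-privilege and separation-of-duties review (added example).
# Role model: each role maps to the privileges it legitimately needs (constructed).
ROLE_PRIVILEGES = {
    "purchasing": {"erp.purchase_order.create", "erp.supplier.view"},
    "accounting": {"erp.ledger.post", "erp.invoice.approve", "erp.supplier.view"},
    "helpdesk":   {"ad.password.reset", "ticket.view"},
}

# Duties one person must never hold together: the article's "orders goods" vs.
# "records goods in the accounting system" example, expressed as privilege pairs.
TOXIC_COMBINATIONS = [
    ("erp.purchase_order.create", "erp.ledger.post"),
    ("erp.purchase_order.create", "erp.invoice.approve"),
]

# Constructed snapshot of current grants: user -> (assigned role, granted privileges).
USER_GRANTS = {
    "alice": ("purchasing", {"erp.purchase_order.create", "erp.supplier.view"}),
    # bob moved from purchasing to accounting but kept his old privilege (privilege creep)
    "bob":   ("accounting", {"erp.purchase_order.create", "erp.ledger.post",
                             "erp.invoice.approve", "erp.supplier.view"}),
    # carol holds one privilege her role never needed
    "carol": ("helpdesk", {"ad.password.reset", "ticket.view", "erp.ledger.post"}),
}


def excess_privileges(role, granted):
    """Privileges a user holds beyond what the assigned role requires."""
    return sorted(granted - ROLE_PRIVILEGES[role])


def sod_conflicts(granted):
    """Toxic combinations present in a single user's grants."""
    return [pair for pair in TOXIC_COMBINATIONS if set(pair) <= granted]


def review(user_grants=USER_GRANTS):
    """Return {user: {"excess": [...], "conflicts": [...]}} for users needing action."""
    findings = {}
    for user, (role, granted) in user_grants.items():
        excess = excess_privileges(role, granted)
        conflicts = sod_conflicts(granted)
        if excess or conflicts:
            findings[user] = {"excess": excess, "conflicts": conflicts}
    return findings


if __name__ == "__main__":
    for user, f in review().items():
        print(f"{user}: excess={f['excess']} conflicts={f['conflicts']}")
```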

What Do I Need to Know About Risk Calculation?

Risk calculation is an essential part of an organization’s security efforts. Risk calculation is a broad term that includes risk identification, risk assessment, vulnerability management, and risk analysis. It helps an organization address problems in its security policy. The main goal of risk calculation is to mitigate the impact of risk on the enterprise by applying countermeasures and safeguards.

Likelihood

Likelihood is the probability that a threat will be realized within a specific period, as estimated by security management. Likelihood estimates are performed on a yearly basis through the Annualized Rate of Occurrence (ARO). ARO is based on the statistical probability of how many times a risk will occur in a year.

Single Loss Expectancy (SLE)

SLE is the potential dollar-value loss expected from the occurrence of a single risk incident. SLE is calculated with the help of the following equation.

SLE = Asset Value x Exposure Factor (EF)

EF is the percentage of loss to a specific asset if a risk is realized.

Annualized Loss Expectancy (ALE)

ALE is the monetary loss that can be expected due to a risk over a period of one year. ALE is found by multiplying the SLE by the ARO:

ALE = SLE x ARO
One of the important features of ALE is that it is used directly in a cost/benefit analysis. For example, if a risk has an ALE of $10,000, then it would be pointless to spend $20,000 per year on countermeasures to eliminate that risk.
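The SLE and ALE formulas above, carried through to the cost/benefit decision, as an added example (not code from the original article). The asset values, exposure factors and ARO figures are constructed; the first risk reproduces the article's $10,000 ALE. The safeguard value formula (ALE before the countermeasure minus ALE after it, minus the countermeasure's annual cost) generalizes the article's "$10,000 ALE versus $20,000 per year" comparison to countermeasures that only reduce, rather than eliminate, a risk.

```python
# Quantitative risk calculation: SLE = AV x EF, ALE = SLE x ARO (added example).
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of the asset lost per incident (0..1)
    aro: float              # Annualized Rate of Occurrence: incidents per year

    def sle(self):
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(risk, annual_cost, aro_after, ef_after=None):
    """Annual value of a countermeasure: (ALE before - ALE after) - annual cost.
    A positive result means the safeguard costs less than the loss it prevents."""
    ef_after = risk.exposure_factor if ef_after is None else ef_after
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return risk.ale() - after.ale() - annual_cost


def evaluate(risk, annual_cost, aro_after, ef_after=None):
    """Summary row for the cost/benefit report."""
    value = safeguard_value(risk, annual_cost, aro_after, ef_after)
    return {"sle": risk.sle(), "ale": risk.ale(),
            "safeguard_value": value, "recommend": value > 0}


# Constructed sample risk register
RISKS = [
    Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.1),
    Risk("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=5.0),
]

if __name__ == "__main__":
    # The article's case: $10,000 ALE versus a $20,000/year countermeasure
    # that eliminates the risk (ARO after = 0) is not worth buying.
    print(evaluate(RISKS[0], annual_cost=20_000, aro_after=0.0))
    # A $3,000/year safeguard that cuts EF to 0.1 at the same ARO is.
    print(evaluate(RISKS[0], annual_cost=3_000, aro_after=0.1, ef_after=0.1))
```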

Impact

Impact measures the loss or damage that will be, or could be, inflicted if a potential risk is realized. The exposure factor (EF) expresses the impact of a risk.

Aging hardware often needs repair or replacement. Security management can use some best practices to manage the hardware lifecycle. These practices rely on the metrics mean time to repair/restore (MTTR), mean time to failure (MTTF), and mean time between failures (MTBF).

Quantitative vs. Qualitative Risk Analysis

Quantitative and qualitative analysis are both risk assessment methodologies used to evaluate threats and their related risks.

Quantitative risk analysis assigns numeric values to the loss of an asset. This method is cheaper, easier, and quicker, but it cannot give a total or assign an asset value for potential monetary loss. For example, with this method, values in a range from 1 to 20 or from 1 to 100 can be assigned; a higher number indicates a higher probability of risk. As an example, a computer system with no antivirus program has a high probability of risk. Quantitative risk calculations can be performed using the ALE, ARO, and SLE calculations.

By contrast, qualitative risk analysis assigns intangible and subjective values to the loss of an asset. Unlike its counterpart, it doesn’t assign dollar figures to possible loss. Instead, threats are ranked on a scale to evaluate their risks, effects, and costs. Several techniques can be used to perform qualitative risk analysis, including brainstorming, the Delphi technique, storyboarding, surveys, questionnaires, checklists, one-on-one meetings, and interviews.

What Threat Vectors Do I Need to Know?

A threat vector, or attack vector, is the path by which an attacker can gain access to a targeted system to deliver a malicious outcome. Threat vectors include viruses, emails, pop-up windows, attachments, deception (the human factor), chat rooms, and instant messages.

Risk Avoidance, Transference, Acceptance, Mitigation, Deterrence

The outcomes of risk analysis are presented in the form of various documents that include:

  • Complete and detailed value of all assets
  • Comprehensive list of all risks and threats, rate of occurrence, and the extent of losses if risks are realized
  • List of threat-specific countermeasures, with the ALE and effectiveness of each
  • Cost/benefit analysis for each countermeasure

After the risk analysis has been completed, security management must address all risks. Management has four possible responses to the identified risks.

  1. Reduce or mitigate: This involves the implementation of countermeasures and safeguards.
  2. Transfer or assign: This places the cost of a loss inflicted by a risk onto another entity. The common forms of transferring or assigning risk are outsourcing and purchasing insurance.
  3. Accept: This indicates that management agrees to accept the loss as a consequence of the risk.
  4. Reject or ignore: This amounts to hoping that the risk will never be realized. It is neither a prudent response nor a wise approach.

InfoSec Security+ Boot Camp

The InfoSec Institute offers a Security+ Boot Camp that teaches the information theory and reinforces that theory with hands-on exercises that help you learn by doing.

InfoSec also offers thousands of articles on all manner of security topics.


Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related subjects.