5.2 Risk management
📘CompTIA Security+ (SY0-701)
Risk Analysis
Risk analysis is all about understanding the risks that could affect your IT systems, how likely they are to happen, and how much damage they could cause. It helps organizations make decisions about security investments and protections.
There are two main types of risk analysis:
1. Qualitative vs. Quantitative Analysis
A. Qualitative Risk Analysis
- Definition: Looks at risks in a descriptive way, rather than using exact numbers.
- Purpose: Helps prioritize risks based on impact and likelihood.
- How it works:
- Risks are often ranked as High, Medium, or Low.
- Focuses on impact (how bad it would be) and probability (how likely it is).
- IT Example:
- A server might have a high chance of being attacked by ransomware. The impact could be very high because data would be lost.
- This risk would be classified as High even without exact numbers.
Pros: Fast, easy to understand, works well for initial risk assessment.
Cons: Subjective, relies on judgment rather than hard data.
B. Quantitative Risk Analysis
- Definition: Uses numbers and data to calculate risk.
- Purpose: Helps calculate potential financial impact or resource loss.
- How it works:
- Uses formulas to determine expected loss.
- Requires data about asset values, probabilities, and historical incidents.
Key Terms in Quantitative Risk Analysis:
- SLE (Single Loss Expectancy)
- Definition: How much one event would cost the organization.
- Formula: SLE=Asset Value (AV)×Exposure Factor (EF)\text{SLE} = \text{Asset Value (AV)} \times \text{Exposure Factor (EF)}SLE=Asset Value (AV)×Exposure Factor (EF)
- Example:
- Asset: Database server valued at $100,000
- Exposure Factor (EF): 0.3 (30% of value is lost if compromised)
- SLE = $100,000 × 0.3 = $30,000
- ARO (Annual Rate of Occurrence)
- Definition: How many times a particular risk is expected to happen in a year.
- Example:
- Server ransomware attacks expected 2 times a year → ARO = 2
- ALE (Annual Loss Expectancy)
- Definition: Expected total annual loss from a risk.
- Formula: ALE=SLE×ARO\text{ALE} = \text{SLE} \times \text{ARO}ALE=SLE×ARO
- Example:
- SLE = $30,000
- ARO = 2
- ALE = $30,000 × 2 = $60,000 per year
- Probability
- The likelihood that a risk will occur.
- In quantitative analysis, this is usually expressed as a percentage.
- Example: 10% chance of a server outage in a year.
- Exposure Factor (EF)
- How much of the asset value is at risk if an incident occurs.
- Expressed as a percentage from 0 to 1.
- EF = 0.3 → 30% of the asset is lost if incident happens.
- Impact
- The effect a risk has on the organization.
- In qualitative terms: High, Medium, Low
- In quantitative terms: dollar value or system downtime.
How It Fits Together – Example in IT
Imagine your company has a web server that hosts client applications:
- Asset Value (AV) = $50,000
- Exposure Factor (EF) = 0.4 (40% of the server’s value is at risk if attacked)
- SLE = 50,000 × 0.4 = $20,000
- Annual Rate of Occurrence (ARO) = 3 (attacks expected 3 times/year)
- ALE = 20,000 × 3 = $60,000/year
- This means, based on data, a ransomware attack could cost $60,000 per year.
- This helps management decide whether to invest in better backups or antivirus software.
Key Points for the Exam
- Qualitative vs Quantitative
- Qualitative = descriptive (High/Medium/Low)
- Quantitative = numeric (SLE, ALE, ARO)
- Formulas to Remember:
- SLE = AV × EF
- ALE = SLE × ARO
- Terms:
- AV = Asset Value
- EF = Exposure Factor
- SLE = Single Loss Expectancy
- ARO = Annual Rate of Occurrence
- ALE = Annual Loss Expectancy
- Probability = Likelihood of occurrence
- Impact = Consequence of the risk
- Purpose:
- Helps prioritize security controls.
- Justifies budget decisions.
- Supports risk acceptance, mitigation, or transfer strategies.
💡 Tip for Students:
When the exam asks about risk analysis, focus on which formula to use and how to classify risk. Qualitative analysis is about ranking, quantitative is about calculating loss. Both are used in IT risk management.
