Domain 1 of 5 · Chapter 2 of 5

Risk Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • What risk is, and the parts that make it
  • The risk management lifecycle
  • Treating risk: four responses and risk tolerance
  • Exam-pattern recognition

The four risk treatment responses

ResponseWhat you doTypical exampleBest when
AvoidStop the risky activity so the risk no longer existsDrop a feature that collects data you do not needThe activity is not worth the risk it creates
Mitigate (reduce)Add controls that lower likelihood or impactEncryption, backups, patching, trainingThe activity must continue but risk is too high (most common)
Transfer (share)Shift the financial impact to another partyBuy cyber insurance or use a third-party serviceThe loss is better borne by an insurer or partner
AcceptKnowingly live with the remaining riskDocument and accept a low-impact riskTreatment would cost more than the potential harm

Decision tree

Is the activity worththe risk it creates?Avoidstop the activityNoYesCan controls reduce itcost-effectively?Mitigate (reduce)add controlsYesNoCan the financial impactbe shifted to another party?Transfer (share)e.g. insuranceYesNoAcceptdocumented decisionAlways: a senior leader accepts residual risk;transfer moves cost, not accountability.

Cheat sheet

  • Risk needs a threat, a vulnerability, and an asset to line up
  • A vulnerability is a weakness, a threat is what acts on it, and risk is the chance of harm
  • Risk is sized by likelihood and impact together
  • Qualitative analysis ranks risk in bands; quantitative analysis puts money on it
  • The risk process loops: identify, assess, treat, monitor
  • You cannot manage a risk you have never identified
  • There are exactly four ways to treat a risk
  • Avoid a risk by stopping the activity that creates it
  • Mitigate by adding controls, the most common response
  • Transfer moves the financial impact, not the accountability
  • Accepting a risk is a deliberate, documented decision
  • Senior leadership accepts residual risk, not the analyst
  • Risk tolerance sets how much risk the organization will accept
  • Risk priorities steer scarce security resources
  • You cannot remove all risk, so manage it down to tolerance
  • Match the scenario verb to the right treatment
  • An asset's criticality comes from its impact on the mission, not its hardware
  • Value an information asset by the impact of losing its confidentiality, integrity, or availability
  • Annual Loss Expectancy is SLE times ARO
  • Continuous monitoring checks that controls stay effective over time
  • Report risk to leadership in business and financial terms

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://csrc.nist.gov/pubs/sp/800/30/r1/final
  2. https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8286A.pdf
  3. https://csrc.nist.gov/pubs/sp/800/37/r2/final