CISSP Domain 1: Security & Risk Management — Complete Study Guide

Summary

CISSP Domain 1, Security Governance and Risk Management, is considered the most foundational and strategic domain of cybersecurity. This domain teaches you to align security not only with a technical perspective but also with business and organizational goals. It covers core concepts such as security governance models, policies, standards, legal compliance, risk management processes and professional ethics. In today's cyber threat landscape, organizations need professionals who can understand security risks in the context of business impact. Domain 1 ensures that CISSP candidates can confidently make risk assessment, risk treatment and governance decisions. This domain develops a security leadership mindset, which is crucial for senior roles such as Security Manager, Risk Manager and CISO. CISSP Domain 1 is extremely important not just for clearing the exam, but also for designing and managing real-world enterprise security programs. If you want long-term growth, leadership and strategic responsibility in cybersecurity, Domain 1 creates your strong foundation.

Overview

CISSP Domain 1, Security Governance and Risk Management, is the foundation of cybersecurity leadership. This domain covers security policies, risk management, compliance, ethics and governance frameworks. This article clearly explains the key concepts of Domain 1 and their real-world importance.

Introduction

Cybersecurity is a structured approach to mitigating cybersecurity risks. This blog will help you understand risk management from a CISSP exam perspective.

Learning Target

CISSP Objective: 1.10 Understand and apply risk management concepts.

Risk Management Terms

Asset

An asset is any data, personnel, device, facility, system, or any other component of an organization's systems that is valuable and enables the organization to achieve its business purposes.

Asset Valuation

Asset valuation includes:

  • Cost of developing or acquiring

  • Value to the business

  • Value to adversaries

  • Competitive value

  • Maintenance cost

  • Impact if unavailable (financial and reputational)

  • Cost of replacement

  • Legal / regulatory liabilities

Why calculate asset value?

  • Cost-benefit analysis

  • Effective control selection

  • Purchase of insurance

  • Understand loss

  • Comply with legal requirements

Vulnerability

A weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerability severity is based on:

  • Ease of discovery

  • Ease of exploitation

  • Awareness (publicly known)

  • Propensity for detection (whether an exploitation attempt would be noticed)

Threat

Anything that can exploit a vulnerability and damage, obtain, or destroy an asset. A threat requires an actor and a vector.

Threat Source

A malicious person or an unintended situation such as natural disasters, technical failure, or human error.

Threat Actors

An independent agent with the capability to harm.

Types of threat actors include:

  • Cybercriminals: Hacker groups, script kiddies (greed-driven)

  • Nation-State Actors: Advanced, selective, goal-driven

  • Hacktivists: Ideology-driven, high visibility, reputation damage

  • Internal Actors: Negligent or malicious insiders

  • Nature: COVID, floods, political situations

Threat Vector

A threat vector is the path or means through which an attack bypasses defences.

Impact

  • Technical Impact: Loss of CIA, loss of accountability

  • Business Impact: Financial, reputational, non-compliance, people

Risk

Risk is the potential for loss when a threat exploits a vulnerability.

Risk Calculation:

Risk = Impact × Likelihood

Additional Risk Terms

  • Exposure Factor: Percentage of the asset's value lost if the risk materializes once

  • Inherent Risk: Risk before controls

  • Residual Risk: Risk after controls

Risk Analysis Approach

Qualitative

  • Uses scales (e.g., 1–5)

  • Results: Critical, High, Medium, Low

Quantitative

  • Uses monetary values

  • Output expressed in currency

Common Types of Enterprise Risk

  • Physical damage

  • Human interaction

  • Equipment malfunction

  • Inside and outside attacks

  • Misuse of data

  • Loss of data

  • Application errors

Risk Management Policy

The Information Security Risk Management (ISRM) policy should align with the organization’s Enterprise Risk Management (ERM) policy.

What Should the Risk Management Policy Include?

  • Risk appetite and acceptance levels

  • Formal risk identification processes

  • Alignment with strategic planning

  • Defined roles and responsibilities

  • Mapping of risks to controls

  • Behaviour and resource allocation strategies

  • Risk-to-budget mapping

  • Metrics and KPIs

Risk can be managed at strategic, tactical, and operational levels.

Risk Management Process

Risk management is a structured approach to:

  • Identify

  • Analyse

  • Respond

  • Monitor

This sequence is highly testable for CISSP.

Step 1: Risk Assessment / Identification

  • Define purpose (compliance or gap analysis)

  • Define scope (infrastructure, applications, networks, third parties)

  • Collaborate with stakeholders

  • Use surveys, interviews, workshops, questionnaires, Delphi technique

Step 2: Risk Analysis

Risk = Likelihood × Impact

Qualitative Analysis

  • Scale-based ratings (1–5)

Quantitative Analysis

  • Asset Value

  • Exposure Factor

  • SLE = Asset Value × Exposure Factor

  • ARO = Frequency per year

  • ALE = SLE × ARO

Step 3: Risk Reporting

  • Risks mapped to heat maps

  • Helps leadership prioritize investments

Step 4: Risk Response

Risk response options:

  • Risk Avoidance

  • Risk Transfer

  • Risk Mitigation

  • Risk Acceptance

Step 5: Risk Monitoring

  • Continuous evaluation of risks

  • Periodic reassessment

  • Use of:

    • Balanced Scorecard

    • SLA

    • ROI

Control Selection and Implementation

Control Types

  • Administrative: Policies, training

  • Physical: Locks, guards, CCTV

  • Technical: Firewalls, encryption

Control Functions

  • Deterrent

  • Preventive

  • Detective

  • Corrective

  • Recovery

  • Compensating

Popular Risk Assessment Frameworks

  • OCTAVE

  • NIST SP 800-30

  • FRAP

  • FMEA

Control Selection

Cost-Benefit Analysis

  • Total Cost of Ownership (TCO)

  • Residual Risk reduction

A control is a good decision when:
Risk reduction – TCO = positive value
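As an added worked example (not code from the original guide), the following Python puts the quantitative formulas from Step 2 and the cost-benefit rule above together: the asset value, exposure factors, ARO and control costs are hypothetical figures chosen for illustration.

```python
from dataclasses import dataclass

# Constructed example (not from the original guide): quantitative risk analysis
# using the page's formulas SLE = AV x EF, ALE = SLE x ARO and the rule that a
# control is worthwhile only when risk reduction - TCO is positive.


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: value lost each time the risk materializes."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE scaled by the yearly frequency (ARO)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_tco: float    # yearly total cost of ownership of the control
    residual_ef: float   # exposure factor once the control is in place
    residual_aro: float  # occurrences per year once the control is in place


def evaluate_control(asset_value: float, ef: float, aro: float, control: Control) -> dict:
    """Inherent ALE vs residual ALE, then the cost-benefit decision."""
    inherent = ale(asset_value, ef, aro)
    residual = ale(asset_value, control.residual_ef, control.residual_aro)
    reduction = inherent - residual
    net_benefit = reduction - control.annual_tco
    return {"control": control.name, "inherent_ale": inherent, "residual_ale": residual,
            "risk_reduction": reduction, "net_benefit": net_benefit,
            "worthwhile": net_benefit > 0}


if __name__ == "__main__":
    # Hypothetical customer database worth 500,000; a breach wipes out 40% of its
    # value and is expected about once every two years (ARO = 0.5).
    av, ef, aro = 500_000.0, 0.40, 0.5
    options = [Control("encryption + tested backups", 30_000.0, 0.10, 0.5),
               Control("enterprise DLP platform", 90_000.0, 0.05, 0.5)]
    for c in options:
        r = evaluate_control(av, ef, aro, c)
        print(f"{r['control']}: ALE {r['inherent_ale']:,.0f} -> {r['residual_ale']:,.0f}; "
              f"net benefit {r['net_benefit']:,.0f}; worthwhile={r['worthwhile']}")
```

The second control removes more risk than the first but costs more than the risk it eliminates, so by the page's rule it is rejected despite the larger reduction.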

Control Effectiveness

  • Verification: Did we implement it right?

  • Validation: Did we implement the right control?

Congratulations!

You have completed your daily CISSP target. Reward yourself and enjoy your CISSP journey 😊

For feedback: manoj@cybernous.com

Frequently Asked Questions

1. Can someone with computer science engineering become a security analyst?

Yes. With proper cybersecurity training and hands-on practice, computer science graduates can easily transition into security analyst roles.

2. Does the SOC analyst training at Cybernous prepare you for interviews?

Yes. The training focuses on real-world SOC tools, incident handling, and interview-oriented scenarios.

3. Is it possible to crack this certification on the first attempt?

Yes. With a structured study plan, focused preparation, and practice, first-attempt success is achievable.

Key Facts

  • Cybersecurity involves a structured approach to mitigate cybersecurity risks.
  • A CISSP objective includes understanding and applying risk management concepts.
  • An asset is any component of an organization's systems that is valuable and enables achieving business purposes.
  • Asset valuation factors include development cost, business value, adversarial value, and maintenance cost.
  • Vulnerability is a weakness that could be exploited by a threat source, with severity based on discovery, exploitation ease, and awareness.
  • A threat is anything that can exploit a vulnerability to harm an asset, requiring an actor and a vector.
  • Threat actors involve cybercriminals, nation-state actors, hacktivists, internal actors, and natural events.
  • Asset valuation is crucial for cost-benefit analysis, control selection, insurance purchase, loss understanding, and legal compliance.

Frequently Asked Questions

What is asset valuation in cybersecurity?

Assessing an asset's cost, value to business and adversaries, competitive value, and legal liabilities.

Why is asset valuation important in risk management?

It aids in cost-benefit analysis, control selection, insurance, understanding losses, and legal compliance.

What factors determine vulnerability severity?

Ease of discovery and exploitation, public awareness, and potential impact of exploitation.

How does CISSP Domain 1 relate to risk management?

It covers understanding and applying risk management concepts essential for cybersecurity.

What role do assets play in cybersecurity governance?

Assets are key to achieving business goals, and their valuation helps in effective risk management.

What is the focus of CISSP Domain-1 Security Governance and Risk Management?

It covers security policies, risk management, compliance, ethics, and governance frameworks.

Why is asset valuation important in risk management?

It helps in cost-benefit analysis, effective control selection, and understanding potential loss.

What constitutes an asset in cybersecurity?

Assets include data, personnel, devices, facilities, and systems valuable to an organization.

How is vulnerability severity determined?

Severity is based on ease of discovery, exploitation, and public awareness.

What is a vulnerability in the context of CISSP?

A vulnerability is a weakness that can be exploited by a threat source.