CompTIA Security+: Analyzing Risk


Module 2:

Risk analysis is a fundamental aspect of cybersecurity. Understanding and effectively managing risks is crucial for safeguarding sensitive data and maintaining the integrity of systems and networks. In this post, we will explore the concept of risk analysis, its importance, and how it plays a vital role in the CompTIA Security+ certification.

Risk Management

The process of identifying risks, analyzing them, developing a response strategy for them, and mitigating their future impact.

  • Helps prevent or lessen the effects of security incidents.
  • Four phases: assessment, analysis, response and mitigation.

Components of Risk Analysis

  • Vulnerabilities that a threat can exploit.
  • The possibility of damage occurring.
  • The extent of the potential damage.
Risk analysis is used to assess the damage that risks may cause to an organization. Its steps are:

  • Asset identification
  • Vulnerability identification
  • Threat assessment
  • Probability quantification
  • Impact analysis
  • Countermeasure determination

Categories of Threat Type

  • Natural: Related to weather or other uncontrollable events that are residual occurrences of the activities of nature.
  • Man-made: Residual occurrences of individual or collective human activity. Intentional or unintentional.
  • System: Related to any weakness or vulnerability found in a network, service, application or device.

Risk Analysis Methods

Qualitative
  • Uses descriptions and words to measure the amount and impact of risk, such as high, medium and low.
  • Usually scenario based.
  • Can be subjective and hard to test.

Quantitative
  • Based solely on numeric values.
  • Risk data is compared to historic records, experiences, industry best practices, statistical theories and tests.

Semi-quantitative
  • Uses descriptions and numeric values.
  • Attempts to find a middle ground between qualitative and quantitative risk analysis.

Risk Calculation

  • SLE (Single Loss Expectancy): The financial loss expected from a single adverse event.
  • ALE (Annual Loss Expectancy): The total annual cost of a risk to an organization.
  • ARO (Annual Rate of Occurrence): The number of times per year that a particular loss is expected to occur.

  • ALE = SLE x ARO
  • Risk calculation depends on both the cost of losses and the cost of mitigation.
  • Vulnerability tables can help document the factors that go into a risk calculation.

Example vulnerability table (columns: vulnerability, identification source, risk of occurrence on a scale of 1 = low to 5 = high, impact estimate, mitigation):

  • Flood damage: Physical plant; risk of occurrence 5; impact estimate $950,000; mitigation: physical adjustments and flood insurance.
  • Electrical failure: Physical plant; risk of occurrence 2; impact estimate $100,000; mitigation: generator and UPS.
  • Flu epidemic: Personnel; risk of occurrence 4; impact estimate $200,000; mitigation: flu shots.
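To make the ALE arithmetic and the cost-of-mitigation comparison concrete, here is an added Python example; it is not part of the original post or of any CompTIA courseware. It takes the three rows of the vulnerability table above and adds constructed figures the page does not give (an ARO for each row, the ARO expected once the control is in place, and an annual control cost), computes ALE = SLE x ARO for each row, and works out whether each control pays for itself. It also shows the semi-quantitative method from the Risk Analysis Methods section by mapping the dollar impact onto the same 1 to 5 scale as the table's likelihood column; those band thresholds, and the names RiskEntry, ale(), impact_band(), risk_score(), control_value(), recommend() and prioritize(), are this example's own.

```python
from dataclasses import dataclass

# Constructed example, not the page's own table: the three vulnerability-table rows
# extended with ARO, post-control ARO and annual control-cost figures that the page
# does not give. All class and function names here are this example's own.


@dataclass(frozen=True)
class RiskEntry:
    vulnerability: str
    source: str
    likelihood: int        # qualitative scale from the table: 1 = low ... 5 = high
    sle: float             # single loss expectancy (the table's impact estimate), USD
    aro: float             # annualized rate of occurrence, e.g. 0.1 = once per ten years
    mitigation: str
    control_cost: float    # annual cost of the mitigation, USD (constructed)
    aro_after: float       # ARO expected once the mitigation is in place (constructed)

    def __post_init__(self):
        # Guard the qualitative scale and the rates so a typo cannot silently skew the ranking.
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.vulnerability}: likelihood must be 1..5, got {self.likelihood}")
        if self.aro < 0 or self.aro_after < 0:
            raise ValueError(f"{self.vulnerability}: ARO cannot be negative")


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO, rounded to cents."""
    return round(sle * aro, 2)


def impact_band(usd: float) -> int:
    """Semi-quantitative step: map a dollar impact onto the same 1..5 scale as likelihood.
    The thresholds are constructed for this example."""
    for band, limit in enumerate((10_000, 50_000, 250_000, 1_000_000), start=1):
        if usd < limit:
            return band
    return 5


def risk_score(entry: RiskEntry) -> int:
    """Semi-quantitative score: likelihood (1..5) x impact band (1..5), giving 1..25."""
    return entry.likelihood * impact_band(entry.sle)


def control_value(entry: RiskEntry) -> float:
    """Net annual value of a control = ALE before - ALE after - annual control cost.
    Positive means the control is cost-justified; negative argues for accepting the risk."""
    before = ale(entry.sle, entry.aro)
    after = ale(entry.sle, entry.aro_after)
    return round(before - after - entry.control_cost, 2)


def recommend(entry: RiskEntry) -> str:
    """Risk response suggested by the numbers alone: mitigate if the control pays for itself."""
    return "mitigate" if control_value(entry) > 0 else "accept"


def prioritize(entries):
    """Order a vulnerability table by ALE, highest first."""
    return sorted(entries, key=lambda e: ale(e.sle, e.aro), reverse=True)


# Constructed sample data: table rows from the page plus made-up ARO and control figures.
SAMPLE = [
    RiskEntry("Flood Damage", "Physical Plant", 5, 950_000, 0.1,
              "Physical adjustments and flood insurance", 30_000, 0.02),
    RiskEntry("Electrical Failure", "Physical Plant", 2, 100_000, 0.5,
              "Generator and UPS", 15_000, 0.05),
    RiskEntry("Flu Epidemic", "Personnel", 4, 200_000, 0.3,
              "Flu shots", 8_000, 0.1),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(f"{e.vulnerability:<20} score={risk_score(e):>2} "
              f"ALE=${ale(e.sle, e.aro):>10,.2f} "
              f"control value=${control_value(e):>10,.2f} -> {recommend(e)}")
```

Note how the two views can disagree: the semi-quantitative score ranks flood damage far above the flu epidemic, while the quantitative ALE puts them closer together because the flu's higher ARO offsets its smaller SLE. The control_value() result is the figure that the "costs of losses and costs of mitigation" bullet above is asking for, and it is what turns a ranking into a response decision.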

Risk Response Techniques

Acceptance
  • Acknowledgment of the risk and the consequences that come with it.
  • Acceptance does not mean leaving a system completely vulnerable.
  • Acceptance is recognizing that the risk involved is not entirely avoidable, or that the cost of mitigation or avoidance is prohibitive.

Transference
  • Allocate the responsibility for the risk to another agency or to a third party such as an insurance company.

Avoidance
  • Remove the risk altogether by eliminating the cause.

Mitigation
  • Actions to protect against possible attacks.
  • Implemented when the impact of a potential risk is substantial.
  • Active defenses (IDS) or cautionary measures (backing up at-risk data).

Risk Mitigation and Control Types

Technical Controls: Hardware or software installations that are implemented to monitor and prevent threats and attacks to computer systems and services.

Management Controls: Procedures that are implemented to monitor the adherence to organizational security policies.

Operational Controls: Security measures that are implemented to safeguard all aspects of day-to-day operations, functions and activities.

Loss/Damage Controls: Security measures that are implemented to prevent key assets from being damaged.

Change Management

A systematic way of approving and executing change to assure maximum security and availability of information technology services.

  • Changes in hardware, software, infrastructure and documentation can have ripple effects on an organization's security.
  • Quantify the costs of training, support, maintenance and implementation.
  • Analyze the benefits and complexities of each change.

Change management phases:

Analyze
  • Need for change
  • Type of change
  • Organizational culture

Plan
  • Change roles
  • Change duties
  • Address resistance

Implement
  • Manage the transition phase
  • Confirm adoption of the change
  • Conduct a post-project review

Example:

  • A new service pack fixes several security vulnerabilities for a production server.
  • The server hosts a custom app that must remain available.

The change management policy requires formal approval for all service packs.

  • The new service pack must be tested on a lab server prior to deployment.
  • Test results could indicate that the service pack crashes the custom app.
  • In that case the custom app must be revised and retested before the service pack is deployed to the production server.

Guidelines for Analyzing Risk

  • Clearly define organizational expectations for security.
  • Identify assets requiring protection and determine their values.
  • Look for possible vulnerabilities that could adversely affect the organization's security goals.
  • Determine possible threats to assets.
  • Determine the likelihood of the threats exploiting any vulnerabilities.
  • Determine the threat impact.
  • Identify the optimal risk analysis method.
  • Identify possible countermeasures.
  • Clearly document all findings and decisions.

Scenario: Analyzing Risks to the Organization

  • Evil-Corp has concerns about the security of its server room.
  • The server room holds the employee data server and the client data server.
  • The server room is on the first floor at main headquarters.
  • The room is next to the main lobby, has no windows, and has a numeric keypad for access.

Your job is to conduct a full risk assessment of the server room's physical security.

Business Impact Assessment (BIA)

A systematic activity that identifies organizational risks and determines their impact on ongoing, business-critical operations and processes.

  • Do vulnerability assessments and evaluations.
  • Determine risks and consequences.
  • Cover every aspect of the business.
  • Can be part of a business continuity plan (BCP).

The BIA produces:

  • An estimation of tolerable downtime.
  • The effect of financial loss.
  • The resources needed to restore operations.
  • The probability of reduced efficiency.
  • A prioritization of critical processes.

Impact scenarios

  • Life: Natural disasters and intentional man-made attacks. Examples: severe weather events; seismic events; arson and other fires; terrorist attacks.
  • Property: Natural disasters and intentional man-made attacks. Examples: severe weather events; seismic events; arson and other fires; terrorist attacks; equipment damage.
  • Safety: Natural disasters, intentional man-made attacks, and unintentional man-made risks. Examples: severe weather events; seismic events; terrorist attacks; excessive employee illnesses or epidemics.
  • Finance: Natural disasters, intentional man-made attacks, unintentional man-made risks, and system risks. Examples: severe weather events; seismic events; arson and other fires; terrorist attacks; break-ins; theft; equipment damage; file destruction; information disclosure (intentional or inadvertent); user error; social networking and cloud computing; excessive employee illnesses or epidemics; unsecure mobile and networking devices; unstable virtualization environments; email and account-management vulnerabilities.
  • Reputation: Man-made risks and system risks. Examples: response time for restoration of disrupted services or damaged files; frequent information disclosure; perception of recurring problems; perception of susceptibility; organizational response to risks (for example, price gouging during natural disasters); response time for addressing information disclosure.

Privacy Assessments

  • Privacy Impact Assessment (PIA): A tool for identifying and analyzing risks to privacy during the life cycle of a program.
  • Privacy Threshold Assessment (PTA): A document used to determine when a PIA is required.
  • Personally Identifiable Information (PII): Information that a company uses to identify or contact employees and other individuals.

  • A PIA is required for any US agency that collects PII online.
  • Other regulations might require them for different organizations.

Critical Systems and Functions

Mission-essential functions and critical systems are compared quantitatively using these metrics:

  • MTD: Maximum tolerable downtime
  • MTTF: Mean time to failure
  • MTTR: Mean time to repair/replace
  • MTBF: Mean time between failures
  • RTO: Recovery time objective
  • RPO: Recovery point objective

Maximum Tolerable Downtime

The longest time period that a business outage can occur without causing irrecoverable business failure.

  • Each business process has its own MTD.
  • Can range from minutes to hours to days.
  • Varies by company and event.

Recovery Point Objective

The longest period of time that an organization can tolerate lost data being unrecoverable.

  • Usually expressed in hours.
  • Helps to determine backup frequency.

Recovery Time Objective

The length of time it takes after an event to resume normal business operations and activities.

  • RPO plus the time spent preparing to resume processing.
  • Must be achieved before the MTD is reached.

Mean Time to Failure

The average time that a device or component is expected to be in operation.

  • A measure of reliability for non-repairable devices and components.
  • Total hours of operation / number of failures.

Mean Time to Repair

The average time it takes for a device or component to recover from failure.

  • Less than RPO when the component is relevant to the recovery effort.
  • Also referred to as mean time to recover (or replace).

Mean Time Between Failures

The rating on a device or component that predicts the expected time between failures.

  • A measure of reliability.
  • Can indicate a need for redundancy measures.
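The six metrics above are only useful when they are checked against each other: backups must run at least as often as the RPO allows, the RTO must fit inside the MTD, and a component whose MTTR is longer than the RTO cannot meet that objective without redundancy. The following Python example is added here to show those relationships on made-up figures; it is not part of the original post or of any CompTIA courseware. The Outage and ProcessTargets classes, the function names, the sample outage list, the process targets and the availability formula MTBF / (MTBF + MTTR) are all this example's own, and the MTTF function averages observed lifetimes rather than applying the page's hours/failures formula.

```python
from dataclasses import dataclass

# Constructed example, not from the original post: the BIA metrics computed on made-up
# figures. Outage, ProcessTargets and the function names below are this example's own.


@dataclass(frozen=True)
class Outage:
    component: str
    repair_hours: float     # time from failure until service was restored


def mtbf(observation_hours: float, outages) -> float:
    """Mean time between failures: total hours of operation / number of failures.
    Operating hours exclude the time the component spent under repair."""
    if not outages:
        raise ValueError("no failures observed in the period; MTBF is undefined")
    operating = observation_hours - sum(o.repair_hours for o in outages)
    return operating / len(outages)


def mttr(outages) -> float:
    """Mean time to repair: average repair duration across the recorded failures."""
    return sum(o.repair_hours for o in outages) / len(outages)


def mttf(lifetimes_hours) -> float:
    """Mean time to failure for non-repairable parts, taken here as the average
    lifetime of the units that failed (example's own approach)."""
    return sum(lifetimes_hours) / len(lifetimes_hours)


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time the component is expected to be up: MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


@dataclass(frozen=True)
class ProcessTargets:
    name: str
    mtd_hours: float              # maximum tolerable downtime
    rto_hours: float              # recovery time objective
    rpo_hours: float              # recovery point objective (tolerable data loss)
    backup_interval_hours: float  # how often the process's data is backed up


def check_targets(p: ProcessTargets) -> list:
    """Consistency checks from the definitions above: the RTO must fit inside the MTD,
    and backups must run at least as often as the RPO. Empty list means consistent."""
    findings = []
    if p.rto_hours > p.mtd_hours:
        findings.append(f"{p.name}: RTO {p.rto_hours}h exceeds MTD {p.mtd_hours}h")
    if p.backup_interval_hours > p.rpo_hours:
        findings.append(f"{p.name}: backup interval {p.backup_interval_hours}h exceeds RPO {p.rpo_hours}h")
    return findings


def needs_redundancy(component_mttr_hours: float, rto_hours: float) -> bool:
    """A single unit whose expected repair time is longer than the RTO cannot meet the
    objective on its own; this is the redundancy signal MTBF/MTTR figures give."""
    return component_mttr_hours > rto_hours


# Constructed sample: one year (8760 h) of observation with three failures of a core switch.
SWITCH_OUTAGES = [Outage("core-switch", 4.0), Outage("core-switch", 8.0), Outage("core-switch", 12.0)]

# Constructed process targets; the second and third deliberately contain inconsistencies.
PROCESSES = [
    ProcessTargets("Email", mtd_hours=48, rto_hours=12, rpo_hours=12, backup_interval_hours=4),
    ProcessTargets("Payroll", mtd_hours=72, rto_hours=96, rpo_hours=24, backup_interval_hours=24),
    ProcessTargets("Order processing", mtd_hours=24, rto_hours=8, rpo_hours=4, backup_interval_hours=6),
]

if __name__ == "__main__":
    m = mtbf(8760, SWITCH_OUTAGES)
    r = mttr(SWITCH_OUTAGES)
    print(f"core-switch: MTBF={m:.1f}h MTTR={r:.1f}h availability={availability(m, r):.4%}")
    for p in PROCESSES:
        for finding in check_targets(p) or [f"{p.name}: targets consistent"]:
            print(finding)
        if needs_redundancy(r, p.rto_hours):
            print(f"{p.name}: a single core switch cannot meet the RTO; plan redundancy")
```

Running it reports the switch at an MTBF of 2912 hours and an MTTR of 8 hours, flags Payroll because its RTO is longer than its MTD and Order processing because a six-hour backup cycle cannot satisfy a four-hour RPO, and shows that an eight-hour MTTR already breaks the Order processing RTO, which is the point at which the MTBF section's redundancy bullet applies.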

Guidelines for Performing a Business Impact Analysis (BIA)

  • Identify Mission-essential functions and critical systems.
  • Identify impact scenarios.
  • Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF.
  • Conduct a privacy threshold assessment and privacy impact assessments when required.
  • Identify single points of failure.

Risk analysis is an essential component of a robust cybersecurity strategy. By understanding and effectively managing risks, you can make informed decisions to protect your organization’s assets. Whether you’re studying for the CompTIA Security+ certification or enhancing your cybersecurity knowledge, this post provides a comprehensive overview of risk analysis.

Luke Barber