One of the main reasons that organizations implement security controls is to lessen the

chances of information being altered, lost, or stolen. Identifying what constitutes a threat
and how likely it is for that threat to occur is what risk analysis is all about. In this lesson,
you will analyze risk.
Analyzing risk plays a major role in ensuring a secure environment for an organization. By
assessing and identifying specific risks that can cause damage to network components,
hardware, and personnel, you can mitigate possible threats and establish the right corrective
measures to avoid possible damage to people or systems.

In this lesson, you will:

• Assess risk to the organization.
• Analyze the business impact of risk.
 | CompTIA® Security+® (Exam SY0-501)

Part of a well-planned security infrastructure involves knowing what assets need protection, and at
what level. This process involves identifying what could go wrong. In this topic, you will assess risk
to the organization.
How do you know what to protect your organization against? What constitutes a risk? You need to
find out what exactly will help you determine what a risk is on your system or network. If you can
foresee and analyze some of those risks, then you can avoid some major issues that can come up
later. Risk analysis helps you achieve this objective.

Risk Management In the information management world, risks come in many different forms. If a risk is not managed
There are many different correctly, it could result in disclosure, modification, loss, destruction, or interruption of a critical
approaches to risk asset. Risk management is a cyclical process that includes four phases:
management; this
• Identify and assess risks that exist in a system.
course presents a high-
level, consistent • Analyze the potential impact risks will have on a system.
approach to facilitate • Formulate a strategy on how to respond to risks.
student comprehension. • Mitigate the impact of risks for future security.
You might ask learners if
they are aware of any
other risk management
processes.
Emphasize the
relationship between
vulnerabilities, threats,
and risks.

Note: Remember, vulnerabilities are weaknesses or gaps in a security strategy; threats are those
entities that can exploit a vulnerability; and risk is the potential for loss, damage, or destruction if
a threat does exploit a vulnerability.

Lesson 2: Analyzing Risk | Topic A

 CompTIA® Security+® (Exam SY0-501) |

Risk is the likelihood that a threat can exploit a vulnerability to cause some type of damage. Components of Risk
Therefore, when you perform an analysis to determine if a risk exists, you need to not only identify Analysis
potential threats, but also determine if there are vulnerabilities in your systems that those threats As you talk about risk
could exploit. Once you are sure that a risk exists, you can determine the severity of the risk based analysis components,
on how much damage the risk could cause and how likely it is to occur. emphasize that it is
difficult to calculate risk
without knowing what
vulnerabilities exist.
Some examples of vulnerability-assessed threats may include the following: Provide examples of
• If a business is located next to railroad tracks and a train derails, leaking toxic fluids, the business how to discover
vulnerabilities, such as
might be forced into inactivity for days or weeks while cleanup occurs. performing vulnerability
• If key manufacturing staff express their plans to strike, they may threaten to damage equipment assessments and
beforehand to heighten the impact of their impending actions. consulting websites such
• A key supplier may be unable to provide raw materials for the production of an organization's as .
principal products.

When determining how to protect computer networks, computer installations, and information, risk Phases of Risk Analysis
analysis is the security process used for assessing risk damages that can affect an organization.
There are six phases in the risk analysis process, described in the following table.

1. Asset identification Identifying the assets that require protection and determining the value of
the assets.
2. Vulnerability Identifying vulnerabilities so the analyst can confirm where asset
identification protection problems exist. Locating weaknesses exposes the critical areas
that are most susceptible to vulnerabilities. Vulnerability scanning is a
method used to determine weaknesses in systems. This method can,
however, produce false positives, which tend to initiate reasons for
concern, even when there are no actual issues or weaknesses in the
system.
3. Threat assessment Once vulnerabilities are understood, the threats that may take advantage
of or exploit those vulnerabilities are determined.
4. Probability Quantifying the likelihood or probability that threats will exploit
quantification vulnerabilities.
5. Impact analysis Once the probabilities are determined, the impact of these potential
threats needs to be evaluated. This can include either the impact of
recovering from the damage, or the impact of implementing possible
preventive measures.
Note: Impact analysis is covered in depth in the next topic.

6. Countermeasures Determining and developing countermeasures to eliminate or reduce

determination risks. The countermeasures must be economically sound and provide the
expected level of protection. In other words, the countermeasures must
not cost more than the expected loss caused by threats that exploit
vulnerabilities.

Lesson 2: Analyzing Risk | Topic A

 | CompTIA® Security+® (Exam SY0-501)

Categories of Threat Security threats are often categorized as natural, man-made, or system, depending on their source.
Types Knowing the source can be helpful as you perform risk analysis and response. The following table
Ask students these lists examples of each.
questions: What types of
threats are students
most concerned about in
their organizations? How Natural Natural threats are related to weather or other uncontrollable events that
do factors like are residual occurrences of the activities of nature. Different types of
geographic location and natural disasters include:
the sensitivity of their
data affect each • Earthquakes
student's priorities? • Wildfires
• Flooding
• Blizzards
• Tsunamis
• Hurricanes
• Tornadoes
• Landslides
Man-made Man-made threats are residual occurrences of individual or collective
human activity. Man-made events can be caused intentionally or
unintentionally.
Intentional man-made threats include:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
• Information disclosure
Unintentional man-made threats include:
• User computing mistakes
• Social networking and cloud computing
• Excessive employee illnesses or epidemics
• Information disclosure
System System threats are related to any weakness or vulnerability found within a
network, service, application, or device.
System threats include:
• Unsecured mobile devices
• Unstable virtualization environments
• Unsecured network devices
• Email vulnerabilities, such as viruses and spam
• Account management vulnerabilities, such as unassigned privileges

Note: Threats are covered in greater depth in the next lesson. They are discussed here in the
context of risk management.

Lesson 2: Analyzing Risk | Topic A

 CompTIA® Security+® (Exam SY0-501) |

The following table describes some methods you can use to analyze risk. Risk Analysis Methods

Qualitative Qualitative analysis methods use descriptions and words to measure the
amount and impact of risk. For example, ratings can be high, medium, or
low based on the criteria used to analyze the impact. Qualitative analysis
is generally scenario based. A weakness of qualitative risk analysis lies
with its sometimes subjective and untestable methodology.
Quantitative Quantitative analysis is based completely on numeric values. Data is
analyzed using historic records, experiences, industry best practices and
records, statistical theories, testing, and experiments. This methodology
may be weak in situations where risk is not easily quantifiable.
Semi-quantitative The semi-quantitative analysis method uses a description that is
associated with a numeric value. It is neither fully qualitative nor
quantitative. This methodology attempts to find a middle ground between
the previous two risk analysis types.

Risk calculation focuses on financial and operational loss impact and locates threat exploitation Risk Calculation
indicators in an organization. Risk calculation can be viewed as a formula that takes into account the
worth of each asset, the potential impact of each risk, and the likelihood of each threat, and then
weighs that against the potential costs of alleviating system vulnerabilities. Organizations may use
this process to determine the single loss expectancy (SLE) or the annual loss expectancy
(ALE) for each risk identified. The SLE value represents the financial loss that is expected from a
specific adverse event. The ALE value is calculated by multiplying an SLE by its annual rate of
occurrence (ARO) to determine the total cost of a risk to an organization on an annual basis.
ALE = SLE * ARO

A company might calculate that a certain system in its demilitarized zone (DMZ) has almost a 90
percent probability of experiencing a port scan attack on a daily basis. However, although the threat
level is high, the company does not consider the system to be at much risk of damage from the
threat of a scan. The cost of hardening the system to completely prevent the scan far outweighs the
potential losses due to the identified risk.
On the other hand, a company might determine that its server room is at a high risk of complete
loss due to a natural disaster and that the cost of such a loss would be catastrophic for the
organization. Although the likelihood of the disaster threat is quite low, the overall impact is so great
that the company maintains an expensive alternate site that it can switch operations to in the event
of such an emergency.

A simple vulnerability table is often a strategic tool for completing a vulnerability assessment. The
following table lists details associated with various vulnerabilities.

Lesson 2: Analyzing Risk | Topic A

 | CompTIA® Security+® (Exam SY0-501)
Note that all numbers
are fictitious, and are for
example purposes only.
The Spotlight on
presentation is available
from the Spotlight tile on
the CHOICE Course
screen. You may choose
to include it in your
instructional plans, or
you can remind students
about the tile and the
supplemental
information it contains.
Risk Response
Techniques
Ask students for their
own examples of putting
a strategy into practice
based on their
experiences.
Lesson 2: Analyzing Risk | Topic A
Flood damage Physical plant 5 $950,000 Physical
adjustments and
flood insurance
Electrical failure Physical plant 2 $100,000 Generator,
Uninterruptible
Power Supply
(UPS)
Flu epidemic Personnel 4 $200,000 Flu shots
Using a table allows planners to identify the likelihood of threats or vulnerabilities, record the
possible impact, and then prioritize mitigation efforts. Mitigation helps reduce the impact of an
exploited vulnerability. A loss of power has a relatively high risk with a reasonable mitigation effort,
consisting of a one-time expenditure to purchase a backup generator.
If there were two additional columns in the table, the assessment would be more useful, as in the
following example.
Electrical failure $500 for generator $0
By adding these extra columns, business continuity planners would be able to evaluate the
vulnerabilities, propose mitigation, and evaluate the vulnerabilities by the residual risks after
mitigation.
The record of risk information in tables like these is also referred to as a risk register. Aside from
appearing as tables, risk registers are also commonly depicted as scatterplot graphs, where impact
and likelihood are each an axis, and the plot point is associated with a legend that includes more
information about the nature of the plotted risk.
Note: For more information, check out the Spotlight on Calculating Risk presentation from
the Spotlight tile on the CHOICE Course screen.
Once a risk is identified, you can define a response strategy to determine the appropriate action to
take. Multiple strategies may even be combined into a single response. Four common response
techniques are described in the following table.
Accept This is the acknowledgement and acceptance of the risk and
consequences that come with it, if that risk were to materialize.
Acceptance does not mean leaving a system completely vulnerable, but
recognizing that the risk involved is not entirely avoidable, or if the cost
of mitigation or avoidance is prohibitive.
Transfer This is used to allocate the responsibility of risk to another agency, or to a
third party, such as an insurance company.
 CompTIA® Security+® (Exam SY0-501) |

Avoid This is used to eliminate the risk altogether by eliminating the cause. This
may be as simple as putting an end to the operation or entity that is at
risk, like shutting down a server that is a frequent target of attack.
Mitigate These techniques protect against possible attacks and are implemented
when the impact of a potential risk is substantial. Mitigation may come in
the form of active defenses like intrusion detection systems (IDSs), or
cautionary measures like backing up at-risk data.

Note: Even after mitigation, most situations retain residual risk. Few countermeasures can
reduce risk to zero.

Risk can be mitigated by implementing the appropriate security controls. The following table Risk Mitigation and
describes the major control types. Control Types

Technical controls Hardware or software installations that are implemented to monitor and
prevent threats and attacks to computer systems and services. For
example, installing and configuring a network firewall is a type of
technical control.
Management Procedures implemented to monitor the adherence to organizational
controls security policies. These controls are specifically designed to control the
operational efficiencies of a particular area and to monitor security policy
compliance. For example, annual or regularly scheduled security scans
and audits can check for compliance with security policies.
Operational controls Security measures implemented to safeguard all aspects of day-to-day
operations, functions, and activities. For example, door locks and guards
at entrances are controls used to permit only authorized personnel into a
building.
Loss controls Also called damage controls, these are security measures implemented
to protect key assets from being damaged. This includes reducing the
chances of a loss occurring, and reducing the severity of a loss when one
occurs. For example, fire extinguishers and sprinkler systems can reduce
property damage in the event of a fire.

Change management is a systematic way of approving and executing change in order to assure Change Management (2
maximum security, stability, and availability of information technology services. When an Slides)
organization changes its hardware, software, infrastructure, or documentation, it risks the
introduction of unanticipated consequences. Therefore, it is important for an organization to be able
to properly assess risk; to quantify the cost of training, support, maintenance, or implementation;
and to properly weigh benefits against the complexity of a proposed change. By maintaining a
documented change management procedure, an organization can protect itself from the potential
adverse effects of hasty change.
For example, Jane has identified a new service pack that has been released that fixes numerous
security vulnerabilities for the operating system on a server. The server that needs this service pack
is running a custom in-house application, and significant downtime is not acceptable. The company
policy states that a change management form must be approved for all service packs. The form

Lesson 2: Analyzing Risk | Topic A

 | CompTIA® Security+® (Exam SY0-501)

comes back from the approval process with a qualification that the service pack must be tested on a
lab system prior to deployment on the production server. Jane applies the service pack in a lab and
discovers that it causes the custom in-house application to fail. The application must be sent back to
the software developers for revisions and retesting before the service pack can be applied in
production.

Note: All of the Guidelines for this lesson are available as checklists from the Checklist tile on
the CHOICE Course screen.

Guidelines for Analyzing Consider these guidelines when you analyze risk:
Risk • Clearly define the organization's expectations with regard to security.
• Identify those assets that require protection, and determine their values.
• Look for possible vulnerabilities that, if exploited, could adversely affect the organization.
• Determine potential threats to organizational assets.
• Determine the probability or likelihood of a threat exploiting a vulnerability.
• Determine the impact of the potential threat, whether it be recovery from a failed system or the
implementation of security controls that will reduce or eliminate risk.
• Identify the risk analysis method that is most appropriate for your organization. For quantitative
and semi-quantitative risk analysis, calculate SLE and ARO for each threat, and then calculate the
ALE.
• Identify potential countermeasures, ensuring that they are cost-effective and perform as
expected.
• Clearly document all findings discovered and decisions made during the analysis.

Lesson 2: Analyzing Risk | Topic A

 CompTIA® Security+® (Exam SY0-501) |

Lately at Develetech, there have been concerns regarding the security of the server room located on
the first floor within the main headquarters building. The high-business-value assets identified in this
room are the human resources servers with sensitive employee identification data and the client
financial data server. The room is situated next to the main lobby, contains no windows, and is
access-controlled with a numeric keypad. Now that you've identified the assets that need protecting,
you have been asked to conduct a full risk analysis of the server room's physical security.
Activity: Analyzing Risks
to the Organization
The steps in this activity
follow the phases of risk
analysis identified earlier
Answers will vary, but the obvious vulnerability is the room's close proximity to the main lobby. in the topic.
Other vulnerabilities you might notice are the type of walls installed around the room. You can This scenario, which
verify that they extend from floor to ceiling and that they do not contain large vents that could be focuses on physical
used as access points. You might check to see if there are other doors to the room and if they are security and access
secured. management, is just one
of many possible
examples to use when
illustrating risk analysis.
If you prefer, consider
While there may be many specific threats, the main concern here is that visitors coming and going developing a scenario
could easily view the type of physical access control used to get into the computer room. Another that focuses on a
potential threat is that visitors could be in a position to see the access code being entered and different area of security,
could use it to gain access themselves. and having students
follow the phases of risk
analysis for that
particular scenario.
There are several factors to consider: how much guest traffic the lobby receives on any given day;
Physical security and
how many authorized employees tend to use the lobby; how conspicuous the server room itself
access management are
looks; how easy it is to see the numeric keypad from afar; whether or not employees are discrete
discussed in more depth
about revealing what's on the servers; how sought-after the data on the servers is by rival
in later lessons
companies; and so on.

The impact would be large in this case due to what is stored inside the server room. Unauthorized
users could gain access to the sensitive data stored in the servers and use this against the
organization and therefore damage the organization's credibility. In a monetary sense, the
company could lose revenue if customer data is analyzed by a competitor to glean certain trade
secrets.

Answers will vary, but may include implementing better security controls, such as including a
server room security guard. Another possibility would be to simply relocate the servers to a more
secure and remote area of the building.

Lesson 2: Analyzing Risk | Topic A