
Chapter 21 of 25

Risk Management: Identifying, Analyzing, and Treating Risk

Learn to think like a risk manager by identifying assets, threats, and vulnerabilities, then choosing appropriate risk treatment options that align with business goals.

27 min read

Big Picture: What Risk Management Is (and Is Not)

What Is Risk?

Risk is the possibility that a threat will exploit a vulnerability and negatively impact an asset. It is about something bad that might happen to something we care about.

Key Building Blocks

Core terms: asset (value), threat (source of harm), vulnerability (weakness), impact (how bad), likelihood (how probable). Risk combines all of these.

Risk Management vs. Others

Risk management is strategic decision-making about risks. Vulnerability management focuses on finding and fixing weaknesses. Incident response handles events that already happened.

Timeline View

Before incidents: risk and vulnerability management guide preparation. During/after incidents: incident response executes your preplanned steps to contain and recover.

Why It Matters for Security+

Thinking like a risk manager helps you answer scenario questions about what to do next, especially in Security Operations and Security Program Management and Oversight.

Core Pieces: Assets, Threats, Vulnerabilities, and Impact

Assets

An asset is anything of value: data, systems, people, processes, or reputation. In hybrid environments, assets live in cloud, on‑prem, mobile, IoT, and OT.

Threats

A threat is anything that can cause harm: attackers, insiders, disasters, supply chain issues. It is a potential source of damage, not the damage itself.

Vulnerabilities

A vulnerability is a weakness that can be exploited, such as unpatched software, weak passwords, or poor network segmentation.

Impact

Impact is what happens if the risk becomes real: financial loss, downtime, legal trouble, or reputational harm.

Putting It Together

Threat + Vulnerability + Asset → Potential Impact = Risk. Keep each term distinct; exam questions often mix them up as distractors.

Mini Case Study: Building a Simple Risk Statement

Step 1: Asset

Asset: the e‑commerce payment application and the cardholder data it processes. This is critical to revenue and compliance.

Step 2: Threat

Threat: external attackers using SQL injection against the public web application to steal payment data.

Step 3: Vulnerability

Vulnerability: outdated input validation and no web application firewall (WAF) protecting the payment application.

Step 4: Impact

Impact: stolen card data, PCI DSS penalties, incident costs, and loss of customer trust leading to financial damage.

Step 5: Risk Statement

Risk: an attacker could exploit weak input validation to steal cardholder data, causing financial, regulatory, and reputational harm.

Qualitative vs. Quantitative Risk Analysis

Qualitative Analysis

Qualitative risk analysis uses descriptive scales like Low/Medium/High for likelihood and impact, often plotted in a risk matrix.

Qualitative Example

If a web app breach is likely and severe, you might rate likelihood High, impact High, and overall risk High without using dollar amounts.

Quantitative Analysis

Quantitative analysis uses numbers: Asset Value (AV), Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE), where ALE = SLE × ARO.

Quantitative Example

If a breach costs $1M once (SLE = $1,000,000) and you expect it once every 10 years (ARO = 0.1), ALE = $1,000,000 × 0.1 = $100,000 per year.

Exam Angle

Know that qualitative = scales; quantitative = numeric, often in money, and supports cost-benefit comparisons for treatments.
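A worked version of the quantitative formulas, added here as an example and not part of the chapter: it computes SLE (AV × EF, the standard Security+ formula), ALE (SLE × ARO), and then the cost-benefit comparison of treatments that the exam angle mentions. The candidate controls, their annual costs and their effects on ARO and EF are constructed figures, not data from the chapter.

```python
# Added example (not from the chapter): AV/EF/SLE/ARO/ALE arithmetic extended to a
# cost-benefit comparison of treatments. Control costs and effects are constructed.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: loss from one occurrence. EF is the fraction of the asset lost (0-1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year. ARO 0.1 means once every 10 years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)

def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a control: risk reduction minus the control's yearly cost.
    Positive means the mitigation pays for itself; negative means acceptance may be cheaper."""
    return round((ale_before - ale_after) - annual_control_cost, 2)

def compare_treatments(asset_value, exposure_factor, aro, controls):
    """Rank candidate treatments (name, new_aro, new_ef, annual_cost) by net value.
    Returns a list of (name, ale_after, net_value), best first."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    results = []
    for name, new_aro, new_ef, cost in controls:
        ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, new_ef), new_aro)
        results.append((name, ale_after, control_value(ale_before, ale_after, cost)))
    return sorted(results, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    # Chapter's figures: a breach costs $1M once and is expected once every 10 years.
    sle = single_loss_expectancy(1_000_000, 1.0)
    ale = annual_loss_expectancy(sle, 0.1)
    print(f"SLE=${sle:,.0f} ARO=0.1 ALE=${ale:,.0f}/year")
    # Constructed candidates (hypothetical numbers):
    # (name, ARO after treatment, EF after treatment, annual cost of treatment)
    candidates = [
        ("WAF + input validation (mitigate)", 0.02, 1.0, 30_000),
        ("Cyber insurance (transfer)", 0.1, 0.4, 45_000),
        ("Do nothing (accept)", 0.1, 1.0, 0),
    ]
    for name, ale_after, net in compare_treatments(1_000_000, 1.0, 0.1, candidates):
        print(f"{name:36s} ALE after=${ale_after:>10,.0f} net value=${net:>10,.0f}")
```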

Risk Scoring and the Risk Matrix

Risk Score Formula

A simple approach: Risk score = Likelihood × Impact, with Low/Med/High mapped to numbers like 1, 2, 3.

Scoring Examples

Low (1) × High (3) = 3, while High (3) × High (3) = 9. The higher the score, the higher the treatment priority.

Risk Matrix Picture

Visualize a 3x3 grid: Likelihood on the x-axis, Impact on the y-axis. Top-right (High/High) is red and critical; bottom-left is green and low.

Using the Matrix

Use the matrix to see which risks are most serious and should be addressed first, especially in exam scenarios.

Inherent vs Residual Risk

Inherent risk exists before controls. Residual risk is what remains after controls; management must knowingly accept this.
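The scoring, matrix and inherent/residual ideas above, as an added Python example that is not part of the chapter: it maps Low/Medium/High to 1/2/3, scores Likelihood × Impact, bands the 3x3 matrix, and ranks a risk register by residual score after controls. The band thresholds, the sample register and the assumed effect of each control are my assumptions.

```python
# Added example (not from the chapter): Likelihood x Impact scoring on a 3x3 matrix,
# inherent vs residual risk, and prioritising a constructed risk register.

LEVELS = ["Low", "Medium", "High"]          # mapped to 1, 2, 3 by position + 1

def risk_score(likelihood: str, impact: str) -> int:
    """Risk score = Likelihood x Impact, e.g. Low(1) x High(3) = 3, High x High = 9."""
    return (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)

def risk_band(score: int) -> str:
    """Matrix colour band; thresholds are an assumption (only 9 is red/Critical)."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def residual(likelihood: str, impact: str, controls: list) -> tuple:
    """Residual risk after controls. Each control is ("likelihood" | "impact", steps)
    and lowers that factor by `steps` levels, never below Low."""
    idx = {"likelihood": LEVELS.index(likelihood), "impact": LEVELS.index(impact)}
    for factor, steps in controls:
        if factor not in idx:
            raise ValueError(f"unknown factor {factor!r}")
        idx[factor] = max(0, idx[factor] - steps)
    return LEVELS[idx["likelihood"]], LEVELS[idx["impact"]]

def prioritise(register: list) -> list:
    """Rank (name, likelihood, impact, controls) rows by residual score, highest first.
    Returns (name, inherent_score, residual_score, residual_band) per risk."""
    rows = []
    for name, lik, imp, controls in register:
        r_score = risk_score(*residual(lik, imp, controls))
        rows.append((name, risk_score(lik, imp), r_score, risk_band(r_score)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    # Constructed register using the chapter's scenarios; control effects are assumptions.
    register = [
        ("SQLi against payment app", "High", "High", [("likelihood", 2)]),  # WAF + validation
        ("Lost BYOD phone with email", "High", "Medium", [("impact", 1)]),  # MDM remote wipe
        ("Flat corporate/OT network", "Medium", "High", []),                 # no controls yet
    ]
    for name, inherent, res, band in prioritise(register):
        print(f"{name:28s} inherent={inherent} residual={res} ({band})")
```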

Four Main Risk Treatment Options

Four Treatment Options

The core options: accept, mitigate, transfer, and avoid. Every risk decision falls into one of these.

Risk Acceptance

Acceptance: management agrees to live with the risk, usually because it is low or controls would cost too much.

Risk Mitigation

Mitigation: you add controls to reduce likelihood or impact, such as patching, MFA, segmentation, or WAFs.

Risk Transfer

Transfer: you share financial or operational impact with another party via cyber insurance, cloud SLAs, or outsourcing.

Risk Avoidance

Avoidance: you stop or never start the risky activity, like not storing card data or disabling a dangerous feature.

Choosing Treatments: Cloud, Mobile, IoT, and OT Scenarios

Cloud Storage Risk

A publicly readable cloud bucket holding PII is at risk. Making it private and enforcing IAM is mitigation; not storing PII there at all is avoidance.

Cloud Transfer and Acceptance

Using a provider with strong SLAs and insurance is transfer. If the data is low sensitivity and the likelihood is low, management might accept the residual risk.

Mobile BYOD Example

Lost phones accessing company email: MDM and remote wipe mitigate; banning BYOD avoids that specific risk.

OT Production Line

Flat network between corporate and OT: segmentation and firewalls mitigate; using an MSSP transfers some operational risk.

Business Alignment

On exams, pick the option that balances security with business needs, not just the most extreme security measure.

Linking Risk to Control Selection

Control Types List

You must know all 10: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.

From Risk to Controls

First find top risks, then pick a treatment. If mitigating, choose controls that reduce likelihood or impact of that specific risk.

SQL Injection Controls

Mitigate SQL injection with technical preventive controls (validation, WAF), detective controls (logging), and managerial controls (policies, training).

Prioritizing Controls

Focus on high-impact, high-likelihood risks and controls that reduce several risks at once, like MFA or segmentation.

Exam Strategy

When options are given, choose the control that best addresses the stated threat and vulnerability and fits the right control type.

Thought Exercise: Write and Treat a Risk

Apply what you have learned to a short scenario. There are no single “right” answers here; the goal is to practice the thinking process.

Scenario

Your university runs a learning management system (LMS) hosted by a third-party SaaS provider. Students and staff log in with their university accounts.

Recently, phishing emails have been sent to students, asking them to log in to a fake LMS page. Some students have entered their credentials.

Task 1: Identify the elements

In your own notes (mentally or on paper), identify:

  1. Asset
  2. Threat
  3. Vulnerability
  4. Likelihood (Low/Medium/High, and why)
  5. Impact (Low/Medium/High, and why)

Task 2: Write a risk statement

Use this pattern:

  • "There is a risk that [threat] could exploit [vulnerability] affecting [asset], resulting in [impact]."

Example starter:

"There is a risk that attackers sending phishing emails could exploit ..."

Task 3: Choose a treatment

Decide which primary treatment you would recommend:

  • Acceptance, Mitigation, Transfer, or Avoidance.

Then list two specific controls that match your choice. For example:

  • If you choose mitigation, think of technical and managerial controls (e.g., MFA, security awareness training, email filtering).

Self-check prompts

Ask yourself:

  • Did I clearly separate threat vs. vulnerability?
  • Do my chosen controls actually reduce likelihood or impact?
  • Would my treatment make sense to a university admin balancing security and usability?

You will see similar thinking tasks on the mock exams and in your spaced review queue.

Quiz 1: Concepts and Definitions

Test your understanding of core risk management concepts.

Which option BEST describes the difference between risk management and vulnerability management?

  A. Risk management focuses on responding to incidents, while vulnerability management focuses on avoiding them.
  B. Risk management is about identifying, analyzing, and deciding how to treat risks, while vulnerability management focuses on finding and fixing specific weaknesses.
  C. Risk management is purely technical, while vulnerability management is purely managerial.
  D. Risk management replaces the need for vulnerability management if done correctly.

Answer: B) Risk management is about identifying, analyzing, and deciding how to treat risks, while vulnerability management focuses on finding and fixing specific weaknesses.

Risk management is the strategic process of identifying, analyzing, and treating risks to align with business goals. Vulnerability management is a technical process focused on discovering and remediating specific weaknesses. Incident response handles events that have already occurred.

Quiz 2: Risk Treatment and Scoring

Apply your knowledge to a short scenario.

A company runs a legacy OT system that is critical for production. The system cannot be patched, and management decides to isolate it on a separate network segment with strict firewall rules. Which TWO concepts are MOST closely illustrated?

  A. Risk acceptance and detective controls
  B. Risk transfer and corrective controls
  C. Risk mitigation and technical preventive controls
  D. Risk avoidance and physical controls

Answer: C) Risk mitigation and technical preventive controls

Segmenting the network and applying strict firewall rules are technical preventive controls that reduce the likelihood of compromise, which is risk mitigation. The company is not avoiding the activity (they still use the OT system), and no transfer or detective/physical focus is described.

Key Term Flashcards: Risk Management Basics

Use these cards to reinforce the most important terms from this module.

Risk (in information security)
The possibility that a threat will exploit a vulnerability and negatively impact an asset.
Asset
Anything of value to the organization, such as data, systems, processes, people, or reputation.
Threat
Anything that can cause harm to an asset, such as attackers, insiders, accidents, or natural disasters.
Vulnerability
A weakness that could be exploited by a threat to cause harm to an asset.
Impact
The consequence or damage that occurs if a risk materializes, such as financial loss, downtime, legal penalties, or reputational harm.
Likelihood
The probability that a particular risk event will occur within a given timeframe.
Qualitative risk analysis
A risk analysis approach that uses descriptive scales (such as Low/Medium/High) for likelihood and impact instead of precise numbers.
Quantitative risk analysis
A risk analysis approach that uses numerical values, often in monetary terms, to estimate likelihood and impact (e.g., SLE, ARO, ALE).
Risk acceptance
A risk treatment option where management decides to acknowledge and live with the risk, usually because it is low or controls would cost more than the expected loss.
Risk mitigation
A risk treatment option where controls are implemented to reduce the likelihood or impact of a risk.
Risk transfer
A risk treatment option where some financial or operational consequences of a risk are shifted to another party, such as through insurance or outsourcing.
Risk avoidance
A risk treatment option where the organization eliminates the activity that gives rise to the risk.
Inherent risk
The level of risk that exists before any controls or mitigations are applied.
Residual risk
The level of risk that remains after controls and mitigations have been implemented.
Security control types (10 items)
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.

Key Terms

risk
The possibility that a threat will exploit a vulnerability and negatively impact an asset.
asset
Anything of value to the organization, including data, systems, processes, people, or reputation.
impact
The consequence or damage that occurs if a risk materializes, such as financial loss, downtime, legal penalties, or reputational harm.
threat
Anything that can cause harm to an asset, such as attackers, insiders, accidents, or natural events.
likelihood
The probability that a particular risk event will occur within a given timeframe.
risk matrix
A visual tool, often a grid, that maps likelihood against impact to categorize risks (for example, Low, Medium, High, Critical).
inherent risk
The level of risk that exists before any controls or mitigations are applied.
residual risk
The level of risk that remains after controls and mitigations have been implemented.
risk transfer
A risk treatment option where some financial or operational consequences of a risk are shifted to another party, such as through cyber insurance or outsourcing.
vulnerability
A weakness that could be exploited by a threat to cause harm to an asset.
risk avoidance
A risk treatment option where the organization eliminates the activity that gives rise to the risk.
risk acceptance
A risk treatment option where management decides to acknowledge and live with the risk, typically because it is low or controls would cost more than the expected loss.
risk mitigation
A risk treatment option where controls are implemented to reduce the likelihood or impact of a risk.
security control types
The 10 control types recognized in Security+: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.
qualitative risk analysis
A risk analysis approach that uses descriptive scales (such as Low/Medium/High) for likelihood and impact instead of precise numerical values.
quantitative risk analysis
A risk analysis approach that uses numerical values, often in monetary terms, to estimate likelihood and impact, including metrics such as SLE, ARO, and ALE.
