Key Takeaways
- Risk = Likelihood × Impact
- Frameworks provide structure
- Risk registers track findings
- Accept, mitigate, transfer, avoid
1. Risk Management Fundamentals
Risk management is the process of identifying, assessing, and controlling threats to an organization. It enables informed decision-making about security investments and priorities.
Risk Formula
Risk = Likelihood × Impact
where likelihood is the probability that the event occurs and impact is the business harm if it does.
2. Risk Assessment Process
- Identify assets: What needs protection?
- Identify threats: What could harm assets?
- Identify vulnerabilities: Weaknesses that enable threats
- Assess likelihood: How probable is exploitation?
- Assess impact: What's the business harm?
- Calculate risk: Prioritize findings
- Recommend treatment: How to address risks
3. Risk Management Frameworks
- NIST RMF: US government standard, 7-step process
- ISO 27005: Risk management for ISO 27001
- FAIR: Factor Analysis of Information Risk
- OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
- COSO ERM: Enterprise risk management
4. Quantitative Risk Analysis
```python
# FAIR methodology components:
# Loss Event Frequency (LEF)
#   - Threat Event Frequency (TEF)
#   - Vulnerability (probability of success)
# Loss Magnitude (LM)
#   - Primary loss (direct impact)
#   - Secondary loss (response, reputation)

# Example calculation: Annual Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence
SLE = 500_000      # Single Loss Expectancy: cost of one data breach, in dollars
ARO = 0.2          # Annualized Rate of Occurrence: 20% chance per year
ALE = SLE * ARO    # Annual Loss Expectancy: $100,000
```
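The following is an added example, not code from the original page, that carries the FAIR components above through to a loss figure. It derives the Loss Event Frequency from TEF and vulnerability, the Loss Magnitude from primary and secondary loss, and then adds a seeded Monte Carlo run for the case where the magnitude of a single event is uncertain rather than a fixed $500,000. The function names and every input figure are constructed for illustration; the point estimate is chosen so that it reproduces the SLE/ARO example above.

```python
import random
from statistics import mean

# Added example (not from the original page): a FAIR-style quantitative
# loss estimate. All input figures below are constructed for illustration.


def fair_expected_loss(tef, vulnerability, primary_loss, secondary_loss):
    """Return the FAIR components and the resulting annualised loss.

    tef             Threat Event Frequency: expected attempts per year
    vulnerability   probability that an attempt succeeds (0..1)
    primary_loss    direct cost of one loss event, in dollars
    secondary_loss  response/reputation cost of one loss event, in dollars
    """
    lef = tef * vulnerability              # Loss Event Frequency
    lm = primary_loss + secondary_loss     # Loss Magnitude per event
    return {"LEF": lef, "LM": lm, "ALE": lef * lm}


def simulate_annual_loss(lef, lm_low, lm_mode, lm_high, years=20_000, seed=1):
    """Monte Carlo estimate of annual loss when the magnitude is uncertain.

    Each simulated year suffers a loss event with probability `lef` (this
    models an LEF below 1, like the 0.2 in the example above); the event's
    magnitude is drawn from a triangular(min, mode, max) distribution.
    Returns the mean annual loss and the loss of the 90th-percentile year.
    """
    rng = random.Random(seed)              # fixed seed: reproducible result
    losses = []
    for _ in range(years):
        if rng.random() < lef:
            losses.append(rng.triangular(lm_low, lm_high, lm_mode))
        else:
            losses.append(0.0)
    losses.sort()
    p90 = losses[int(0.9 * years) - 1]
    return {"mean": mean(losses), "p90": p90}


if __name__ == "__main__":
    # Constructed figures chosen to reproduce the page's SLE/ARO example:
    # 0.4 attempts/yr x 50% success = LEF 0.2; $400k + $100k = LM $500k.
    point = fair_expected_loss(tef=0.4, vulnerability=0.5,
                               primary_loss=400_000, secondary_loss=100_000)
    print(f"LEF={point['LEF']:.2f} LM=${point['LM']:,.0f} ALE=${point['ALE']:,.0f}")
    sim = simulate_annual_loss(lef=0.2, lm_low=200_000, lm_mode=500_000, lm_high=800_000)
    print(f"simulated mean=${sim['mean']:,.0f} p90=${sim['p90']:,.0f}")
```

The simulated mean converges on the analytical ALE, but the 90th-percentile year is several times larger: that spread, not just the expected value, is what a quantitative estimate gives leadership that a single ALE figure does not.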
5. Risk Registers
| Field | Description |
|---|---|
| Risk ID | Unique identifier |
| Description | What could happen |
| Likelihood | 1-5 or probability |
| Impact | 1-5 or dollar value |
| Risk Score | Likelihood × Impact |
| Owner | Accountable person |
| Treatment | Accept/Mitigate/Transfer/Avoid |
| Status | Open/In Progress/Closed |
6. Risk Treatment Options
- Accept: Risk within tolerance, document decision
- Mitigate: Implement controls to reduce risk
- Transfer: Shift risk to third party (insurance, contracts)
- Avoid: Eliminate risk by removing activity
7. Reporting to Leadership
- ✅ Use business language, not technical jargon
- ✅ Quantify risks in dollars where possible
- ✅ Show trends over time
- ✅ Provide clear recommendations
- ✅ Use risk heat maps for visualization
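As an added example that is not part of the original page, the code below implements the risk register fields from section 5, the treatment options from section 6, and the heat map mentioned in section 7 in one small data structure. It scores each entry as Likelihood × Impact on the 1-5 scales, orders open risks for prioritisation, flags entries that were marked "Accept" while scoring above an agreed risk appetite (the check a reviewer of the register would want), and tallies open risks into a 5×5 heat-map grid. The `Risk` class, the helper names, the appetite threshold of 9 and every register entry are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the original page): a minimal risk register with
# 1-5 likelihood/impact scoring, a risk-appetite check on treatment decisions,
# and a 5x5 heat-map tally. All entries below are constructed for illustration.

TREATMENTS = {"Accept", "Mitigate", "Transfer", "Avoid"}
STATUSES = {"Open", "In Progress", "Closed"}


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    owner: str           # accountable person
    treatment: str       # Accept / Mitigate / Transfer / Avoid
    status: str = "Open"

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.risk_id}: unknown treatment {self.treatment!r}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.risk_id}: unknown status {self.status!r}")

    @property
    def score(self):
        return self.likelihood * self.impact   # Risk Score = Likelihood x Impact


def prioritised(register):
    """Open risks ordered highest score first (ties broken by impact)."""
    return sorted((r for r in register if r.status != "Closed"),
                  key=lambda r: (r.score, r.impact), reverse=True)


def exceeds_appetite(register, appetite):
    """Open risks scored above the agreed appetite that are merely accepted.

    'Accept' is only a valid treatment when the risk sits within tolerance,
    so these entries need a documented exception or a different treatment.
    """
    return [r for r in register
            if r.score > appetite and r.treatment == "Accept" and r.status != "Closed"]


def heat_map(register):
    """5x5 grid of open-risk counts; rows = impact 5..1, columns = likelihood 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        if r.status != "Closed":
            grid[5 - r.impact][r.likelihood - 1] += 1
    return grid


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("R-001", "Unpatched internet-facing VPN appliance", 4, 5, "Head of Infrastructure", "Mitigate"),
    Risk("R-002", "Laptop theft exposing unencrypted data", 3, 4, "IT Manager", "Mitigate", "In Progress"),
    Risk("R-003", "Ransomware outage of order system", 3, 5, "COO", "Transfer"),
    Risk("R-004", "Legacy FTP server still reachable", 2, 2, "IT Manager", "Avoid", "Closed"),
    Risk("R-005", "Phishing leading to payroll fraud", 4, 4, "CFO", "Accept"),
    Risk("R-006", "Minor website defacement", 2, 1, "Marketing Lead", "Accept"),
]

if __name__ == "__main__":
    for r in prioritised(SAMPLE_REGISTER):
        print(f"{r.risk_id} score={r.score:2d} {r.treatment:8s} {r.description}")
    for r in exceeds_appetite(SAMPLE_REGISTER, appetite=9):
        print(f"REVIEW: {r.risk_id} accepted at score {r.score}, above appetite")
    for row in heat_map(SAMPLE_REGISTER):
        print(" ".join(str(n) for n in row))
```

Running it lists R-001 (score 20) first and flags R-005, which is accepted at score 16 despite sitting above the appetite of 9; the closed R-004 drops out of both the ordering and the heat map. The heat-map rows print with severe impact at the top, which is the orientation leadership reports normally use.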
8. Building a Risk Program
- Define risk appetite with leadership
- Select framework and methodology
- Inventory assets and create risk register
- Conduct regular assessments
- Track and report on risks
- Integrate with security operations
FAQ
Qualitative vs. quantitative risk analysis?
Start with qualitative (High/Medium/Low) for speed. Move to quantitative (dollar values, FAIR) for better decision support and executive communication. Most organizations use both.