
Risk management concepts and the CISSP

February 14, 2025, by Irfan Shakeel

The Certified Information Systems Security Professional (CISSP) is an information security certification that was developed by the International Information Systems Security Certification Consortium, also known as ISC2. This certification is the most requested cybersecurity certification in U.S. job listings, according to CyberSeek. 

Information security managers holding the certification earn an average of $175,583, though this varies by role, location and experience. 

Risk management sits in CISSP Domain 1, Security and Risk Management. It entails identifying an organization's information assets and developing, documenting, implementing and updating the policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability. The CISSP exam outline was refreshed in April 2024. 

Management tools such as risk assessment and risk analysis are used to identify threats, classify assets and rate their vulnerabilities so that effective security measures and controls can be selected. Risk management is the ongoing process of identifying potential risks, estimating how likely and how damaging they are, and reducing the risk to specific organizational resources to an acceptable level. 


Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Risk management concepts 

Beyond basic security fundamentals, risk management concepts are perhaps the most important and complex part of the Security and Risk Management domain. The candidate must understand all the core concepts: risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives. 

A risk comprises a threat and a vulnerability of an asset, defined as follows: 

  • Threat: Any natural or man-made circumstance that could harm an organizational asset. 
  • Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur or likely to occur more frequently. 
  • Asset: An asset is a resource, process, product or system that has some value to an organization and must be protected. 

Threat, vulnerability and asset are known as the risk management triple, and the triple is the main concept the CISSP exam tests in risk management. Risk can never be completely eliminated: no matter how secure, any system or environment can eventually be compromised. 

Threat x vulnerability = risk 

This is a conceptual relationship rather than arithmetic. A threat with no vulnerability to act on produces no risk, and a vulnerability that no threat can reach produces none either. Many treatments extend the expression with asset value or impact, which is what the quantitative formulas later in this article do. 

Some threats or events, such as natural disasters, are largely unpredictable. The main goal of risk management is therefore risk mitigation: reducing risk to the organization's acceptable level. Risk management comprises three main elements: 

  • Identification 
  • Analysis 
  • Control 

With these core concepts established, we can now examine how to identify risks in practice. 

Risk identification 

Risk identification is the initial step in risk management that involves identifying specific elements of the three components of risk: assets, threats and vulnerabilities. 

Asset valuation 

Identifying an organization's assets and determining their value is critical to deciding the appropriate level of security. The value of an asset to an organization can be quantitative (related to its cost) and qualitative (its relative importance). 

Any inaccurate asset valuation may result in: 

  • Poorly chosen or improperly implemented controls 
  • Controls that aren't cost-effective 
  • Controls that protect the wrong asset 

A properly conducted asset valuation process has several benefits for an organization: 

  • Supports quantitative and qualitative risk assessments, business impact assessments and security auditing 
  • Facilitates cost-benefit analysis and supports management decisions regarding the selection of appropriate safeguards 
  • Can be used to determine insurance requirements, budgeting and replacement costs 
  • Helps demonstrate due care and limit personal liability 

Three main elements are used to determine the value of assets: 

  • Initial and maintenance costs: This is most often a tangible dollar value and may include purchasing, licensing, development, maintenance and support costs 
  • Organizational value: This is often a difficult and intangible value; it may include the cost of creating, acquiring, re-creating information and the business impact or loss if the information is lost or compromised 
  • Public value: Includes the loss of proprietary information or processes and loss of business reputation 

Asset value considerations 

In the process of identifying assets and their value, we consider the value placed on assets (including information), what work was required to develop them, how much it costs to maintain, what damage would result if it were lost or destroyed, and what benefit another party would gain if it were to obtain it. 

Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. 

The following issues should be considered when assigning values to assets: 

  • Cost to acquire or develop the asset 
  • Cost to maintain and protect the asset 
  • Value of the asset to owners and users 
  • Value of the asset to adversaries 
  • Value of intellectual property that went into developing the information 
  • Price others are willing to pay for the asset 
  • Cost to replace the asset if lost 
  • Operational and production activities affected if the asset is unavailable 
  • Liability issues if the asset is compromised 
  • Usefulness and role of the asset in the organization 

Identifying vulnerabilities and threats 

Once the assets have been identified and assigned values, all of the vulnerabilities and associated threats that could affect each asset's integrity, availability or confidentiality requirements need to be identified. 

Since many vulnerabilities and threats can affect different assets, it is important to properly categorize and prioritize them so that the most critical items can be taken care of first. 

Impact analysis and cost-benefit assessment 

The team carrying out the risk assessment needs to figure out the business impact of the identified threats. To estimate the potential losses posed by a threat, answer the following questions: 

  • What physical damage could the threat cause, and how much would that cost? 
  • How much productivity loss could the threat cause, and how much would that cost? 
  • What is the value lost if confidential information is disclosed? 
  • What is the cost of recovering from a malware infection? 
  • What is the cost of recovering from an intrusion? 
  • What is the value lost if critical devices were to fail? 
  • What is the single loss expectancy (SLE) for each asset and each threat? 

These are some general questions, while the specific questions will depend upon the types of threats the team uncovers. The team then needs to calculate the probability and frequency of the identified vulnerabilities being exploited. 

The team then needs to identify countermeasures and solutions to reduce the potential damages from the identified threats. A security countermeasure must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis. 

A commonly used cost/benefit calculation is: 

Value of safeguard to the company = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) 

For example, suppose the ALE of the threat of a hacker bringing down a web server is $12,000 before implementing the suggested safeguard, $3,000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650. In that case, the value of this safeguard to the company is $8,350 each year. 

The following items need to be considered and evaluated when deriving the full cost of a countermeasure: 

  • Product costs 
  • Design/planning costs 
  • Implementation costs 
  • Environment modifications 
  • Compatibility with other countermeasures 
  • Maintenance requirements 
  • Testing requirements 
  • Repair, replacement or update costs 
  • Operating and support costs 
  • Effects on productivity 

The team must know how to calculate the actual cost of a countermeasure to properly weigh it against the benefits and savings the countermeasure is supposed to provide. 

The following is a shortlist of what is generally expected from the results of risk analysis: 

  • Monetary values are assigned to assets 
  • Comprehensive list of all possible and significant threats 
  • Probability of the occurrence rate of each threat 
  • Loss potential the company can endure per threat in 12 months 
  • Recommended safeguards, countermeasures and actions 

Once we've identified and valued assets and their associated risks, we can move forward with analyzing these risks in detail. 

Analysis 

Risk management involves two different analyses: 

  • Threat analysis 
  • Risk analysis 

With either, two approaches to risk analysis can be taken: 

  • Quantitative analysis: Attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis, all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty and probability, are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible. 
  • Qualitative analysis: This analysis is scenario-driven and doesn't attempt to assign numeric values to the risk analysis's components (assets and threats). In qualitative risk analysis, we develop realistic scenarios that describe a threat and potential losses to organizational assets. Unlike a quantitative risk analysis, it's possible to conduct a purely qualitative risk analysis. 

Threat analysis 

Threat analysis examines the sources of threats and evaluates them against the information system's vulnerabilities. The objective is to identify the threats that endanger a particular information system in a specific environment. 

It consists of four steps that include: 

  1. Define the actual threat. 
  2. Identify possible consequences to the organization if the threat is realized. 
  3. Determine the probable frequency of a threat. 
  4. Assess the probability that a threat will materialize. 

An organization should be well prepared for all types of threats. The number and types of threats can be overwhelming but can generally be categorized as: 

  • Natural: Earthquakes, floods, hurricanes, lightning, fire and so on. 
  • Man-made: Unauthorized access, data entry errors, strikes/labor disputes, theft, terrorism, social engineering, malicious code and viruses and so on. 

Threats must be identified, classified by category and evaluated to calculate their damage potential to the organization. Today, the focus is increasingly on applications, devices, viruses and hacking as information security becomes more critical to business operations. 

Risk analysis 

The next element in risk management is risk analysis. A risk analysis brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization's development of an effective risk management strategy. 

It consists of four steps: 

  1. Identify the assets to be protected, including their relative value, sensitivity or importance to the organization; this is a component of risk identification (asset valuation). 
  2. Define specific threats, including threat frequency and impact data; this is a component of risk identification (threat analysis). 
  3. Calculate annualized loss expectancy (ALE). 
  4. Select appropriate safeguards; this is a component of both risk identification and risk control. 

Annualized loss expectancy (ALE) provides a standard, quantifiable measure of a realized threat's yearly impact on an organization's assets and is particularly useful for judging the cost/benefit of a safeguard or control. ALE is determined by this formula: 

Single loss expectancy (SLE) x annualized rate of occurrence (ARO) = (ALE) 

Where: 

  • SLE is a measure of the loss incurred from a single realized threat or event, expressed in dollars; it is calculated as asset value ($) x exposure factor (EF). 
  • EF is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage. 
  • ARO is the estimated annual frequency of occurrence for a threat or event. 
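The following block is an added example, not code from the original article, that carries the SLE, ALE and safeguard-value formulas above through the article's web-server scenario (ALE $12,000 before, $3,000 after, $650 per year, value $8,350) and goes one step further by ranking several candidate safeguards, including one that costs more than it saves. The asset value, exposure factors, occurrence rates and safeguard names are constructed to reproduce those figures and are not real measurements.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard value.

Added example, not from the original article. Asset value, EF, ARO and
safeguard figures are constructed to match the article's web-server
numbers; they are not real data.
"""
from dataclasses import dataclass
from typing import List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value ($) x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is expected occurrences per year and may be below 1
    (an event expected once every four years has ARO 0.25)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place
    annual_cost: float            # amortised purchase + operation + maintenance


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.exposure_factor_after), sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset_value: float, ef_before: float, aro_before: float,
                    candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Score every candidate, best first. A negative value means the control
    costs more per year than the loss it prevents and fails the cost/benefit
    test on its own (it might still be justified by a compliance obligation)."""
    scored = [(sg.name, round(safeguard_value(asset_value, ef_before, aro_before, sg), 2))
              for sg in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed scenario: a $100,000 web server; a takedown costs 12% of that
# value and has been happening about once a year.
WEB_SERVER_VALUE = 100_000.0
EF_BEFORE = 0.12
ARO_BEFORE = 1.0

CANDIDATES = [
    Safeguard("WAF + patching cadence", exposure_factor_after=0.12, aro_after=0.25,
              annual_cost=650.0),
    Safeguard("Premium DDoS scrubbing", exposure_factor_after=0.12, aro_after=0.05,
              annual_cost=11_500.0),
    Safeguard("Do nothing (accept)", exposure_factor_after=0.12, aro_after=1.0,
              annual_cost=0.0),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(WEB_SERVER_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{name:28s} {value:>10,.2f}")
```

The ranking is only as good as the EF and ARO estimates feeding it; in practice the team should record the basis for each estimate next to the number so the result can be challenged and updated.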

While the analysis process provides a framework for understanding risks, organizations often need standardized methodologies to implement these analyses effectively. 

Risk assessment methodologies 

The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. 

NIST's risk methodology is published in Special Publication 800-30. The original edition, "Risk Management Guide for Information Technology Systems," laid out the nine steps below; the current edition, SP 800-30 Revision 1 ("Guide for Conducting Risk Assessments"), reorganizes the same work into prepare, conduct, communicate and maintain phases. It is guidance for U.S. federal agencies rather than a mandatory standard, and it is specific to IT threats and how they relate to information security risks. The nine steps are: 

  • System characterization 
  • Threat identification 
  • Vulnerability identification 
  • Control analysis 
  • Likelihood determination 
  • Impact analysis 
  • Risk determination 
  • Control recommendations 
  • Results documentation 

Failure Modes and Effect Analysis (FMEA) is another method for determining functions, identifying functional failures and assessing the causes of failure and their failure effects through a structured process. 

The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. The FMEA methodology uses failure modes (how something can break or fail) and effects analysis (impact of that break or failure). 

FMEA is most useful as a survey method to identify major failure modes in a given system; the method is not as useful in discovering complex failure modes that may be involved in multiple systems or subsystems. 

Following a specific order of steps gets the best results from an FMEA: 

  1. Start with a block diagram of a system or control. 
  2. Consider what happens if each block of the diagram fails. 
  3. Draw up a table in which failures are paired with their effects and an evaluation of the effects. 
  4. Correct the design of the system and adjust the table until the system is not known to have unacceptable problems. 
  5. Have several engineers review the Failure Modes and Effect Analysis. 
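As an added example (not code from the original article), the block below carries out steps 1 to 3 of the FMEA procedure above mechanically: it encodes a block diagram as a dependency graph, fails each block in turn, propagates the failure through the diagram to see which business functions are lost, and produces the failure/effect table sorted by severity. The three-tier web service, its redundancy and the severity scores are constructed for illustration and are not from any standard.

```python
"""FMEA steps 1-3 as a dependency walk over a block diagram.

Added example, not from the original article. The system, its redundancy
and the severity scale are constructed assumptions.
"""
from typing import Dict, List, Optional, Set

# Step 1: block diagram as a graph. Each block maps to a list of requirement
# groups; a block works only if EVERY group has at least ONE working member.
# An inner list with two members is therefore a redundant pair.
BLOCK_DIAGRAM: Dict[str, List[List[str]]] = {
    "customer-web": [["lb"]],
    "lb":           [["app-1", "app-2"]],                 # either app server will do
    "app-1":        [["db-primary", "db-replica"], ["idp"]],
    "app-2":        [["db-primary", "db-replica"], ["idp"]],
    "db-primary":   [["san"]],
    "db-replica":   [["san"]],                            # both DBs share one SAN
    "idp":          [],
    "san":          [],
}

# Business functions and the block that delivers each (constructed).
FUNCTIONS: Dict[str, str] = {"checkout": "customer-web", "login": "idp"}

# Severity of losing each function on an assumed 1..10 scale.
SEVERITY: Dict[str, int] = {"checkout": 9, "login": 7}


def is_up(block: str, failed: Set[str],
          diagram: Dict[str, List[List[str]]] = BLOCK_DIAGRAM,
          _seen: Optional[Set[str]] = None) -> bool:
    """Step 2: a block is up if it has not failed and, for every requirement
    group, at least one alternative is up (recursively). A cycle in the
    diagram is treated as down so the walk always terminates."""
    if block in failed:
        return False
    seen = (_seen or set())
    if block in seen:
        return False
    seen = seen | {block}
    return all(any(is_up(alt, failed, diagram, seen) for alt in group)
               for group in diagram.get(block, []))


def failure_effects(block: str) -> List[str]:
    """Business functions lost when this single block fails."""
    return sorted(fn for fn, root in FUNCTIONS.items() if not is_up(root, {block}))


def fmea_table() -> List[dict]:
    """Step 3: one row per block pairing the failure with its effects and an
    evaluation (worst severity among the lost functions; 0 means the
    redundancy absorbed the failure)."""
    rows = []
    for block in BLOCK_DIAGRAM:
        lost = failure_effects(block)
        rows.append({
            "block": block,
            "failure_mode": f"{block} unavailable",
            "effects": lost,
            "severity": max((SEVERITY[f] for f in lost), default=0),
        })
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


if __name__ == "__main__":
    for row in fmea_table():
        print(f"{row['block']:13s} sev={row['severity']:2d} loses {row['effects'] or '-'}")
```

Running it shows the point the text makes about surveying single points of failure: the redundant application and database pairs absorb any one failure, but the shared SAN and the identity provider each take down checkout on their own, so step 4 would start with those two blocks.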

Unfortunately, security policies, standards and management guidelines often are written because an auditor instructed a company to document these items, but then they are placed on a file server and are not shared, explained or used. To be useful, they must be put into action. To be effective, employees need to know about all the potential risks that may be encountered in their organization. 

With these methodologies in mind, let's look at how to put risk management into practice within an organization.


Implementing risk management

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization's mission, an information risk management policy and a team delegated to carry it out. 

To implement risk management effectively, a proper policy should be documented. The policy is the initial step: it provides the foundation and direction for the organization's security risk management processes and procedures and should address all information security issues. In particular, it should cover: 

  • The objectives of the risk management team. 
  • The level of risk the organization will accept and what is considered an acceptable level of risk. 
  • Formal processes of risk identification. 
  • The connection between the risk management policy and the organization's strategic planning processes. 
  • Responsibilities that fall under risk management and the roles to fulfill them. 
  • The mapping of risk to internal controls. 
  • The approach toward changing staff behaviors and resource allocation in response to risk analysis. 
  • The mapping of risks to performance targets and budgets. 
  • Key indicators to monitor the effectiveness of controls. 

Within the risk management process we perform both risk analysis and risk assessment. Putting risk analysis into practice starts with assembling a risk analysis team; putting the assessment into practice means selecting and applying the methods that will mitigate the identified risks. 

Risk analysis team 

Risk analysis plays an important role in the process of risk management. It helps integrate the security program objectives with the company's business objectives and requirements and also allows the company to draft a proper budget for a security program and its constituent security components. 

Each organization has different departments, and each department has its own functionality, resources, tasks and quirks. For the most effective risk analysis, an organization must build a risk analysis team that includes individuals from many or all departments to ensure that all of the threats are identified and addressed. This is the most effective way because if the risk analysis team comprises only individuals from the IT department, it may not understand how the company as a whole would be affected if an accidental or intentional act wiped out the accounting department's data files. To ensure comprehensive risk assessment, the team should structure their analysis around four fundamental questions: 

  • What event could occur (threat event)? 
  • What could be the potential impact (risk)? 
  • How often could it happen (frequency)? 
  • What level of confidence do we have in the answers to the first three questions (certainty)? 

Viewing threats with these questions in mind helps the team focus on the tasks at hand and assists in making the decisions more accurate and relevant. 

Control 

As far as CISSP is concerned, the candidate must know all the core elements of risk management that include control. Risk control is a safeguard or countermeasure that reduces the risk associated with a specific threat. The absence of a safeguard against a threat creates vulnerability and increases the risk. 

Risk control can be done through one of three general remedies (the current ISC2 exam outline adds a fourth, risk avoidance: choosing not to undertake the activity that carries the risk): 

Risk reduction 

Mitigating risk by implementing the necessary security controls, policies and procedures to protect an asset. This can be achieved by altering, reducing or eliminating the threat and/or vulnerability associated with the risk. 

Risk assignment 

Also called risk transfer. The potential financial loss associated with a risk is assigned to a third party, such as an insurance company. Transfer shifts the cost of the loss, not the loss itself, and it rarely shifts legal or regulatory accountability, which stays with the organization. 

Risk acceptance 

Accepting the loss associated with a potential risk. This should be a documented decision made by someone with the authority to accept that loss on the organization's behalf. 

Types of security controls 

Security controls can be categorized into five distinct types, each serving a specific purpose in the organization's security framework: 

  1. Directive Controls: Policies and standards that advise employees of the expected behavior for protecting an organization's information assets from unauthorized access. 
  2. Preventive Controls: Physical, administrative and technical measures intended to prevent unauthorized access to an organization's information assets. 
  3. Detective Controls: Practices, processes and tools that identify and possibly react to unauthorized access to information assets. 
  4. Corrective Controls: Physical, administrative and technical countermeasures designed to react to a security incident(s) to reduce or eliminate the opportunity for the unwanted event to recur. 
  5. Recovery Controls: Measures that restore systems, data and access controls to a known good state after an incident, such as backups and documented restoration procedures. 

Categories of security controls 

Security controls can be organized into three main categories, each serving different aspects of an organization's security posture: 

  • Management (administrative) controls: policies, standards, processes, procedures and guidelines 
    • Administrative entities: executive-level and mid-level management 
  • Operational (and physical) controls: operational security (execution of policies, standards and processes; education and awareness) and physical security (facility or infrastructure protection: locks, doors, walls, fences, curtains and so on) 
    • Service providers: information assurance (IA), program security, personnel security, document controls or configuration management (CM), HR, finance, the facility security officer (FSO), guards and dogs 
  • Technical (logical) controls: access controls, identification and authorization, confidentiality, integrity, availability and non-repudiation 
    • Service providers: enterprise architect, security engineer, CERT, network operations and security center (NOSC), helpdesk 

Understanding how to implement these controls throughout a system's lifetime is crucial for maintaining effective security. 

Security in the system life cycle 

Security must be integrated throughout a system's entire lifecycle, from initial concept to eventual disposal. The IEEE 1220 standard provides a structured framework that addresses security considerations at each development phase. This approach helps organizations maintain consistent security controls and adapt them as systems evolve over time. Let's examine each phase and its security requirements: 

Initiation Phase (IEEE 1220: Concept Stage) 

  • Survey & understand the policies, standards and guidelines 
  • Identify information assets (tangible & intangible) 
  • Define information security categorization & protection level 
  • Define rules of behavior 

Acquisition / Development Phase (IEEE 1220: Development Stage) 

  • Conduct a risk assessment together with a business impact analysis (BIA); the two are related but distinct, the BIA measuring the consequence of losing a business function and the risk assessment the likelihood and impact of specific threats 
  • Define security requirements and select security controls 
  • Perform cost/benefit analysis (CBA) 
  • Security planning (based on risks & CBA) 
  • Practice Information Systems Security Engineering (ISSE) Process to develop security controls 
  • Develop security test & evaluation plan for verification & validation of security controls 

Implementation Phase (IEEE 1220: Production Stage) 

  • Implement security controls in accordance with baseline system design and update system security plan 
  • Perform Security Certification & Accreditation of the target system 

Operations / Maintenance Phase (IEEE 1220: Support Stage) 

  • Configuration management and change control 
  • Continuous monitoring — perform a periodic security assessment 

Disposition Phase (IEEE 1220: Disposal Stage) 

  • Preserve information: archive and store electronic information 
  • Sanitize media: ensure the electronic data stored on the disposed-of media is deleted, erased and overwritten; for flash and solid-state media, overwriting is not reliable, and cryptographic erase or physical destruction per NIST SP 800-88 is needed 
  • Dispose of hardware: ensure all electronic data resident in the hardware, including firmware storage (EPROM, BIOS and so on), is deleted, erased and overwritten 

Classification 

In the context of risk management in CISSP, classification is the process in which we identify and characterize the critical information assets (i.e. sensitivity). Moreover, we explain the level of safeguarding (protection level) and how the information assets should be handled (sensitivity and confidentiality). 

Process of classification 

Implementing a classification system requires a systematic approach involving several key steps: 

  • Determine data classification project objectives 
  • Establish organizational support 
  • Develop data classification policy 
  • Develop data classification standard 
  • Develop data classification process flow and procedure 
  • Develop tools to support processes 
  • Identify application owners 
  • Identify data owners and data owner delegates 
  • Distribute standard templates 
  • Classify information and applications 
  • Develop auditing procedures 
  • Load information into a central repository 
  • Train users 
  • Periodically review and update data classifications 

Classification levels 

The levels below are the U.S. government classification levels (Executive Order 13526), each defined by the potential impact of unauthorized disclosure on national security. Commercial organizations apply the same idea with their own labels, commonly public, internal, confidential and restricted: 

  • Top Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority can identify or describe. 
  • Secret shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority can identify or describe. 
  • Confidential shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority can identify or describe. 

While classification provides a structure for protecting information assets, maintaining security requires ongoing vigilance. 

Continuous monitoring 

Performing risk analysis and assessment does not by itself make an organization secure, and there is no such thing as fully secure. Preparedness must be maintained by continuously monitoring and managing risks. Systems that monitor network traffic can detect, and in some cases prevent, the threats identified in the analysis. 

Intrusion prevention and detection 

  • Intrusion Prevention System (IPS): A network security technology that examines traffic flows inline to detect and block vulnerability exploits. Because it sits in the traffic path it is a preventive control; for the same reason a false positive drops legitimate traffic, so its signatures need the same tuning an IDS does. 
  • Intrusion Detection System (IDS): A device or software application that monitors a network or system for malicious activity or policy violations. It is a passive, detective control that audits copies of transmitted packets (from a SPAN port or tap) and alerts rather than blocks. 

IDS analysis methods and engine 

IDS systems employ several different methods to detect potential security threats, each with its own strengths and approach: 

  • Pattern Matching Method 
    • Scans incoming packets for specific byte sequences (signatures) stored in a database of known attacks 
    • Identifies known attacks 
    • Require periodic updates to signatures 
  • Stateful Matching Method 
    • Scan traffic stream rather than individual packets 
    • Identifies known attacks 
    • Detects signatures across multiple packets 
    • Require periodic updates to signatures 
  • Statistical/Traffic Anomaly-based 
    • Develop a baseline of "normal" traffic activities and throughput 
    • Can identify unknown attacks and DoS 
    • Must have a clear understanding of "normal" traffic for IDS tuning 
  • Protocol Anomaly-based 
    • Looks for deviations from RFC (Request for Comment) standards 
    • Can identify unknown attacks 
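The block below is an added example, not code from the original article, that implements three of the analysis methods in the list above as a toy engine run over a constructed packet stream: per-packet pattern matching, stateful matching that reassembles a stream before matching, and statistical anomaly detection against a learned rate baseline. It shows the difference the list describes: the same signature is missed by per-packet matching when an attacker splits it across two packets and caught by the stateful method. The packets, signatures and baseline are all constructed; no real exploit payloads or rule content are used.

```python
"""Toy IDS engine: pattern, stateful and statistical-anomaly analysis.

Added example, not from the original article. Packets, signatures and
the baseline below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed packets: (timestamp_s, src_ip, stream_id, payload)
PACKETS: List[Tuple[float, str, str, bytes]] = [
    (0.0, "10.0.0.5", "s1", b"GET /index.html HTTP/1.1\r\n"),
    (0.4, "10.0.0.5", "s1", b"Host: shop.example\r\n\r\n"),
    (1.0, "10.0.0.9", "s2", b"GET /cgi-bin/evil?cmd=../../etc/"),  # signature split
    (1.1, "10.0.0.9", "s2", b"passwd HTTP/1.1\r\n"),                # across packets
    (2.0, "10.0.0.7", "s3", b"GET /page?x=<script>alert(1)</script>\r\n"),
] + [(3.0 + i * 0.01, "10.0.0.9", f"f{i}", b"SYN") for i in range(200)]  # burst

# Constructed signature database (byte sequences, not real rule content).
SIGNATURES: Dict[str, bytes] = {
    "path-traversal": b"../../etc/passwd",
    "reflected-xss": b"<script>",
}


def pattern_match(packets, sigs=SIGNATURES) -> List[Tuple[str, str]]:
    """Pattern matching: a signature must be fully contained in ONE packet."""
    return [(name, src)
            for _, src, _, payload in packets
            for name, sig in sigs.items() if sig in payload]


def stateful_match(packets, sigs=SIGNATURES) -> List[Tuple[str, str]]:
    """Stateful matching: reassemble each stream first, so a signature that
    straddles a packet boundary is still found."""
    streams: Dict[str, bytearray] = defaultdict(bytearray)
    src_of: Dict[str, str] = {}
    for _, src, stream, payload in packets:
        streams[stream] += payload
        src_of[stream] = src
    return [(name, src_of[stream])
            for stream, data in streams.items()
            for name, sig in sigs.items() if sig in bytes(data)]


def packets_per_second(packets) -> Dict[str, List[int]]:
    """Observed packet counts per source, one entry per whole-second bucket."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for ts, src, _, _ in packets:
        counts[(src, int(ts))] += 1
    per_src: Dict[str, List[int]] = defaultdict(list)
    for (src, _), n in counts.items():
        per_src[src].append(n)
    return per_src


def anomaly_detect(baseline_rates: List[int], packets, k: float = 3.0) -> List[Tuple[str, int]]:
    """Statistical anomaly detection: flag (src, rate) where rate exceeds
    mean + k * stddev of the learned baseline. The stddev floor of 1 keeps a
    perfectly flat baseline from alerting on every extra packet, which is the
    tuning problem the text refers to."""
    threshold = mean(baseline_rates) + k * max(pstdev(baseline_rates), 1.0)
    return [(src, r)
            for src, rates in packets_per_second(packets).items()
            for r in rates if r > threshold]


BASELINE = [1, 2, 1, 3, 2, 1, 2]  # constructed "normal" packets/second per source

if __name__ == "__main__":
    print("pattern :", pattern_match(PACKETS))
    print("stateful:", stateful_match(PACKETS))
    print("anomaly :", anomaly_detect(BASELINE, PACKETS))
```

Neither signature method sees the SYN burst from 10.0.0.9, because nothing in a bare SYN matches a known attack; only the anomaly method, which knows nothing about the attack, flags it. That is the complementarity the list describes, and why real deployments run several engines together.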

Audit trail monitoring 

The audit trail is a record of system activities that capture system, network, application & user activities. It alerts security officers of suspicious activities, provides details on non-conformance or illegal activities and information for legal proceedings. 

By applying and implementing the methods and systems mentioned above, we can minimize the risks and prepare our organization for any potential risk. However, we cannot eliminate the risk factor completely — we must adopt and implement the risk management concepts to mitigate the risks. 



Irfan Shakeel is the founder and CEO of ehacking.net, an engineer, penetration tester and security researcher. He specializes in network and VoIP penetration testing and digital forensics. He is the author of the book titled “Hacking from Scratch”. He loves to provide training and consultancy services and works as an independent security researcher.