Quick Reference
Risk = Likelihood × Impact. The four risk responses are Accept (live with it), Avoid (stop the activity), Transfer (insurance/contract), Mitigate (reduce it). Key formulas: SLE = Asset Value × Exposure Factor | ALE = SLE × ARO. Residual risk is what remains after controls are applied. Inherent risk is the raw risk before any controls.

What Is Risk?

In information security, risk is the potential for loss or harm resulting from a threat exploiting a vulnerability. Every risk has three components: a threat (the actor or event that could cause harm — ransomware, fire, insider), a vulnerability (the weakness that could be exploited — unpatched system, weak password, unlocked server room), and an impact (the consequence if the threat succeeds — data loss, downtime, regulatory fine).

Risk management is the ongoing process of identifying, assessing, prioritizing, and responding to risks in a way that balances security investment against business needs. No organization can eliminate all risk — the goal is to reduce risk to an acceptable level and make informed decisions about what risk to accept.

Qualitative vs Quantitative Risk Analysis

Qualitative
  How it works: Assigns descriptive ratings (High/Medium/Low likelihood and impact). Uses risk matrices (heat maps). No math required.
  Output: A risk ranking (e.g., "This risk is High likelihood, High impact").
  When to use: Initial assessments, when data is unavailable, quick prioritization.

Quantitative
  How it works: Assigns monetary values to assets and calculates expected losses using the SLE, ARO, and ALE formulas.
  Output: Dollar figures (e.g., "This risk costs $240,000/year on average").
  When to use: Justifying security budget, comparing risk to control cost, mature programs.

Quantitative Risk Formulas — The Math You Need

Quantitative Risk Calculations
SLE = Asset Value (AV) × Exposure Factor (EF)
ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
Value of Control = ALE (before control) − ALE (after control) − Cost of control

Asset Value (AV) — the monetary value of the asset at risk. A database server containing customer PII might be valued at $500,000 when replacement cost, data recreation, and regulatory exposure are included.

Exposure Factor (EF) — the percentage of the asset's value that would be lost if the threat occurred. A fire that destroys a server room has an EF of 1.0 (100%). Ransomware that encrypts files but leaves hardware intact might have an EF of 0.5 (50%).

Single Loss Expectancy (SLE) — the expected dollar loss from a single occurrence of the threat. SLE = AV × EF. If a server worth $500,000 has an exposure factor of 40% for a particular threat, SLE = $500,000 × 0.4 = $200,000.

Annualized Rate of Occurrence (ARO) — how many times per year this threat is expected to occur. Once every 10 years = ARO of 0.1. Twice per year = ARO of 2.

Annualized Loss Expectancy (ALE) — the expected annual cost of a risk. ALE = SLE × ARO. This is the number used to justify security spending — if a control costs less per year than it reduces ALE, it's worth implementing.

Worked Example

A web server worth $400,000 faces a DDoS threat with an exposure factor of 25% and an ARO of 4 (occurs 4 times per year on average).

SLE = $400,000 × 0.25 = $100,000

ALE = $100,000 × 4 = $400,000/year

A DDoS mitigation service costing $150,000/year that reduces the ARO to 1 would produce an ALE of $100,000 — saving $250,000/year. The control is clearly worth implementing.
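As an added example (not code from the original page), the quantitative formulas above applied in Python to the DDoS worked example: SLE, ALE, the Value of Control formula, and a ranking of candidate controls by net annual value. The "rate limiting only" option and its figures are hypothetical inputs constructed for the comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk: AV in dollars, EF as a fraction 0..1, ARO per year."""
    asset_value: float
    exposure_factor: float
    aro: float

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        # SLE = AV x EF: expected loss from a single occurrence
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # ALE = SLE x ARO: expected loss per year
        return self.sle() * self.aro

    def with_control(self, exposure_factor=None, aro=None) -> "Risk":
        """Residual risk after a control lowers EF (impact) and/or ARO (likelihood)."""
        return Risk(
            self.asset_value,
            self.exposure_factor if exposure_factor is None else exposure_factor,
            self.aro if aro is None else aro,
        )


def control_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Value of Control = ALE(before) - ALE(after) - annual cost of the control."""
    return before.ale() - after.ale() - annual_cost


def rank_controls(before: Risk, candidates: dict) -> list:
    """Rank candidate controls by net annual value, best first.
    candidates maps a name to (residual Risk, annual cost)."""
    scored = [(name, control_value(before, after, cost))
              for name, (after, cost) in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed inputs: the page's DDoS example plus a hypothetical cheaper option
ddos = Risk(asset_value=400_000, exposure_factor=0.25, aro=4)
options = {
    "scrubbing service": (ddos.with_control(aro=1), 150_000),  # page's example
    "rate limiting only": (ddos.with_control(aro=3), 20_000),  # hypothetical
}
```

`rank_controls(ddos, options)` returns the scrubbing service first with a net value of $150,000/year (ALE falls from $400,000 to $100,000 at a $150,000 cost), ahead of the hypothetical rate-limiting option.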

The Four Risk Response Strategies

Accept
Risk Acceptance
Acknowledge the risk and choose to do nothing about it. Appropriate when the cost of mitigation exceeds the expected loss, or when the risk is very low. Must be a documented, deliberate decision — not an oversight.

Avoid
Risk Avoidance
Stop the activity that creates the risk. If storing credit card numbers creates PCI-DSS compliance risk, stop storing them. Avoidance eliminates the risk entirely but may require changing business processes.

Transfer
Risk Transference
Shift the financial impact to a third party. Cyber insurance transfers the financial consequences of a breach to the insurer. Outsourcing to a managed service provider transfers operational risk. The risk still exists — you just don't bear the full cost.

Mitigate
Risk Mitigation
Reduce the likelihood or impact of the risk through controls. Patching reduces the likelihood of exploitation. Backups reduce the impact of ransomware. Encryption reduces the impact of data theft. This is the most common response.

Inherent Risk vs Residual Risk

Inherent risk is the raw level of risk that exists before any controls are applied. If you run a public-facing web application, the inherent risk of SQL injection attacks is significant — it's simply the nature of the activity.

Residual risk is the risk that remains after controls have been applied. After implementing input validation, a WAF, parameterized queries, and regular security testing, the residual risk of SQL injection is much lower — but it's never zero. Security programs aim to reduce risk to a residual level that the organization accepts.

Risk Register

A risk register is a document (or database) that records all identified risks, their likelihood and impact ratings, current controls, risk owners, and response decisions. It's the central artifact of a risk management program. The exam expects you to know that risk registers are maintained and updated continuously — risks change as the environment changes, controls are added or removed, and new threats emerge.

Business Impact Analysis (BIA)

A BIA identifies critical business functions and determines the maximum downtime each can tolerate. BIA outputs include RTO (Recovery Time Objective — how quickly a system must be restored) and RPO (Recovery Point Objective — how much data loss is acceptable). These values drive disaster recovery planning and system backup strategies. A payment processing system might have an RTO of 4 hours and an RPO of 15 minutes; an internal wiki might have an RTO of 1 week and an RPO of 24 hours.

Exam Scenarios

A company's security team calculates that a server has an asset value of $300,000, an exposure factor of 50% for fire damage, and a fire occurs on average once every 5 years. What is the ALE?
Answer: SLE = $300,000 × 0.5 = $150,000. ARO = 1/5 = 0.2. ALE = $150,000 × 0.2 = $30,000/year. If a sprinkler system costs $10,000/year and reduces the exposure factor to 10%, the new ALE = $60,000 × 0.2 = $12,000 — saving $18,000/year against a $10,000 cost. Worth implementing.
A security team determines that the cost of encrypting archived data would exceed the potential impact of a breach. They document this decision and proceed without encryption. What risk response strategy is this?
Answer: Risk acceptance. The team has made a deliberate, documented decision to accept the risk because the mitigation cost exceeds the expected loss. This is not negligence — it's a valid risk management decision when documented and approved by appropriate stakeholders.
After implementing firewalls, IDS/IPS, and regular patching, a company still faces some residual network intrusion risk. What should they do with this remaining risk?
Answer: Apply one of the four risk responses to the residual risk — accept it if it's within tolerance, add additional controls to mitigate further, transfer it with cyber insurance, or avoid the underlying activity. Residual risk always requires an explicit management decision.