1.9 ~55 min

Understand and apply risk management concepts

Overview

The most testable lesson in Domain 1. Know quantitative formulas (AV, EF, SLE = AV×EF, ARO, ALE = SLE×ARO) vs qualitative analysis, the four risk responses (mitigate, transfer, avoid, accept), residual risk, and control types/categories.

Key topics to master

Threat and vulnerability identification
Risk analysis, assessment, and scope (quantitative SLE/ALE vs qualitative)
Risk response/treatment (mitigate, transfer, avoid, accept); cyber-insurance
Control types: preventive, detective, corrective, deterrent, compensating, recovery, directive
Control assessments; continuous monitoring; reporting; continuous improvement
Risk frameworks: ISO, NIST (RMF), COBIT, SABSA, PCI

Previous · 1.8Contribute to and enforce personnel security policies Next · 1.10Threat modeling concepts and methodologies