CISM Foundations: Module 3
Part One: Analysis of Risk

This course explores risk analysis and prepares you for the CISM examination, which will cover the significant aspects of risk. We'll cover different risk levels and types of risk and how they can potentially affect an organization. We also look at the risk assessment cycle and the stages required when analyzing risk. You'll also learn about the various risk analysis methods available. Then we'll move on to how risk analysis can be used when planning and deploying risk controls and countermeasures.

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Identify risk levels and potential impact of given risks upon the assets
  • Learn about the risk assessment cycle
  • Learn about different risk analysis methods including qualitative, semiquantitative, quantitative, OCTAVE, and FAIR
  • How to use risk analysis to control threats and risk
  • Define a strategy for deploying risk countermeasures

Intended Audience

This course is intended for those looking to take the CISM (Certified Information Security Manager) exam or anyone who wants to improve their understanding of information security.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


Here we are at section five, where we're going to begin our discussion of the analysis of risk. And in this section, we're going to get into some of the detailed aspects, so that we can prepare you for the examination that will ask you about some of the more significant aspects of risk analysis.

As we're talking about confidentiality, integrity and availability, we're looking at a risk assessment beginning point. At our risk assessment beginning point, we're going to calculate the four basic characteristics of this space. We will examine asset, vulnerability, threat and time.

This four-dimensional space is where we will apply risk-mitigating practices and countermeasures. We'll examine asset value, including the evaluation of both tangible and intangible data points; threats and impacts, which are defined by the type and order of magnitude of the impact; and vulnerabilities, which can be divided into two basic types: weaknesses and predisposing conditions.

For clarity, predisposing conditions may not themselves be vulnerabilities, but they are very likely going to create risk by the various conditions that exist and may in fact give rise to vulnerabilities. And finally, time and how it changes the character of the asset and the value of any of these parameters under consideration.

First, let's examine the information risk management conceptual flow. So here we need to apply some definition of context. In the graphic, you see the information risk management conceptual flow. So we start at the upper left hand corner of the graphic by defining an asset or data owner and their position.

First, asset and data owners seek to place value on assets; they are in the lower right-hand corner and seek to minimize the risk to the asset, shown just above it in the red block. To do so, asset or data owners will want to impose safeguards and countermeasures, there in the yellow. These controls are going to reduce risk, and by doing so they're going to counteract vulnerabilities.

Now there in the lower left hand corner we have threat agents, which are the very things that actualize a threat. The difference between the two is that the threat is some form of actual impact or compromise, whereas the threat agent is the action or human or other factor that actualizes the threat.

So let's take a look at the process of risk analysis from its beginning points. The first thing we have to do is to set context, and to do that we must begin by identifying our objective. We are going to identify the level of risk, we're going to understand what that risk represents, and we're going to determine the consequences of the impacts upon the assets during the course of our risk analysis exercise.

To do this, we are going to examine all relevant risk sources; we are going to determine the exposure to these risk sources; we are going to determine what consequences could result from a threat acting upon an asset; we will make a determination of the probability or likelihood of these events taking place; and we will identify all controls currently in existence in the active environment within the scope of our analysis.

This will require a great deal of information. It will come primarily from past experience, reliable practices as may be represented by the best practices of peer organizations, possible market research, the use of experiments to test theories, the employment of models of interaction, and the advice of senior or experienced persons within our environment.

We will of course employ multiple types of techniques to do this, including interviews, simulations, and other forms of quantitative or numerical analysis. In this slide, we have information about how to examine our potential threat sources, or determine characteristics about them that may serve our purposes of mitigation.

We have sources that are human and natural, their character being technological or non-technological. Motivation is a characteristic that defines whether the negative action is intentional or unintentional. We must determine the origin and geography: whether it's from an inside source, by an insider, or from an outside source. It will also be necessary to determine the scope, that is, the extent to which the threat agent's interaction with the asset is isolated or contained in some way, or is pervasive and expansive, indicating a tendency to spread.

As part of this analysis, we're going to have to evaluate the hostile or non-hostile nature of these events or agents, and whether they are foreseeable or unforeseeable; whether these actions, if identified soon enough, could have been defended against; whether the action was the result of a failure or purely accidental; some indication of the intensity or gradual progression of the event; and some evaluation of what may be present in the system environment that has an enabling or retarding effect on the attack agent and its actions and consequences.

Overall, our risk control objectives are, on their surface, relatively simple to understand. Here you have a matrix that highlights the four essential categories of impact and probability combinations. What they represent is how to go about evaluating which of these two attributes is prone to being affected by whatever our plan may be.

As you can see, moving vertically we increase the amount of impact, and moving horizontally we increase the probability of the event's occurrence. And then with the blue arrow in the center, we show the general direction in which we want to move these various things: from high impact to low impact and from high probability to low probability.
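The impact-versus-probability matrix just described can be made concrete with a small risk register. The following is an added example, not part of the course material or of any ISACA publication; the three-level scale, the product scoring, the rule that treats "medium" as the high side of the matrix, and the sample assets and threats are all constructed assumptions. The `apply_control` function models a countermeasure by lowering impact or probability by whole levels, which is exactly the movement along the blue arrow toward the low-impact, low-probability corner.

```python
"""Qualitative impact/probability matrix for a risk register.
Added example with constructed data; level names and thresholds are assumptions."""
from dataclasses import dataclass, replace

# Ordered qualitative scale. Index order doubles as the score (assumption).
LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: str        # one of LEVELS
    probability: str   # one of LEVELS


def score(level: str) -> int:
    """Map a qualitative level to 1..3; reject anything off the scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level) + 1


def quadrant(risk: Risk) -> str:
    """Place a risk in one of the four matrix categories.
    'medium' is counted as high, a conservative assumption."""
    hi_impact = score(risk.impact) >= 2
    hi_prob = score(risk.probability) >= 2
    return {
        (True, True): "high impact / high probability",
        (True, False): "high impact / low probability",
        (False, True): "low impact / high probability",
        (False, False): "low impact / low probability",
    }[(hi_impact, hi_prob)]


def rating(risk: Risk) -> int:
    """Product score (1..9) used only to rank entries within the register."""
    return score(risk.impact) * score(risk.probability)


def apply_control(risk: Risk, impact_steps: int = 0, probability_steps: int = 0) -> Risk:
    """Model a control that lowers impact and/or probability by whole levels.
    Movement is along the matrix arrow: toward low impact and low probability.
    Levels never go below 'low'."""
    def lower(level: str, steps: int) -> str:
        return LEVELS[max(0, LEVELS.index(level) - steps)]

    return replace(
        risk,
        impact=lower(risk.impact, impact_steps),
        probability=lower(risk.probability, probability_steps),
    )


def prioritize(register: list) -> list:
    """Highest-rated risks first; ties keep register order (stable sort)."""
    return sorted(register, key=rating, reverse=True)


# Constructed sample register: fictional assets and threats for illustration.
REGISTER = [
    Risk("customer database", "credential theft", "high", "high"),
    Risk("public web site", "defacement", "low", "high"),
    Risk("data centre", "regional flood", "high", "low"),
    Risk("office printer", "paper jam", "low", "low"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{rating(r)}  {quadrant(r):32}  {r.asset}: {r.threat}")
    # A probability-reducing control (e.g. multi-factor authentication)
    # applied to the top entry moves it two columns left on the matrix.
    before = REGISTER[0]
    after = apply_control(before, probability_steps=2)
    print(f"{before.asset}: {rating(before)} -> {rating(after)}  ({quadrant(after)})")
```

Running the block prints the register in priority order and then shows the top entry moving from the high/high category to high impact / low probability once a probability-reducing control is applied; the impact is unchanged because that control does nothing to the value of the asset, which is the distinction the arrow on the slide is meant to convey.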

Going back to our slides, with regard to knowledge and awareness, urgency and importance affect our understanding of the situation and the various factors involved. We will be able to make prudent and informed decisions about the asset's potential to be impacted by a given threat, and the probability that that threat will materialize to act upon the asset in a negative fashion.

Now at a detailed level, we have here the cycle that we will follow in performing our risk assessment. On the left-hand side of the slide, we have risk identification, in which we will look at assets and vulnerabilities. We do a risk assessment, which determines the general level of likelihood, the risk determination, and a cost-benefit analysis that will give us a general quantification of the risk involved. We can, and of course do, perform this without yet looking at how to control the risks we identify; that is analyzed in greater detail later in this process.

As we look at controls, we want to look at the modes of risk mitigation and the effect that each one will have on the elements of impact and probability of occurrence. So we will look at strategies involving defense, transference, direct mitigation, risk acceptance and termination.

So beginning at the 12 o'clock position, we move clockwise around the cycle, gathering information, making assessments of the various risk elements that we encounter, prioritizing our findings and the asset candidates, and then planning what our responses will be.

The risk response planning will form our strategy for dealing effectively with risk. And in doing so, we will involve all of the elements of risk control that you see there on the left hand side of the slide. From this, we will formulate our plan which of course, we will execute.

In our next phase, called results evaluation, we're going to evaluate two primary factors. The first will be how well we did in this particular exercise. The second will be how we can improve for the next one. Moving up to the nine o'clock position, we have knowledge capture, which of course reflects everything that we have learned about this situation, so that we can make this analysis as accurate as we can and ensure that knowledge is captured for use in future ones.

Moving up to the 11 o'clock position, in the end we put in place some form of continuous monitoring, since it is unrealistic to think that we can adequately mitigate all risks. This will provide the necessary alerting function for those risk elements for which there may be no effective mitigation, but for which we will need some form of early warning, should their conditions change with possible adverse effects.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.