Overall Control Objectives

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of risk management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Risk management problem space and management flow

  • Definitions, terminology, and types of risks

  • Control Categories and Functions

  • Cost-Benefit Assessment

  • General Risk Assessment Model

  • Overall Control Objectives

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So as we complete this, let us think about what it is we're trying to accomplish. Here you see a four-area grid with impact and likelihood as our axes. In general, what we're trying to do is move from the upper right to the lower left in terms of how we want the strategy to go and what final result we'd like to achieve, which is basically to reduce the risk in terms of both impact and likelihood of occurrence.

We have to bear in mind that some of our risk/threat/vulnerability/asset scenarios are not going to be amenable to reducing the threat, the impact, or some other aspect. In the case of impact, as we move from the upper to the lower quadrants, we go from high impact to low. As we move horizontally from the right to the left, we reduce likelihood from high to low.

We have to bear in mind that some of these scenarios are not going to change in any respect. A threat that sits in the high-impact, high-likelihood quadrant may stay there because there's nothing effective that we can do about it. On the other hand, it may move in only one direction: from high impact to low, or from high likelihood to low.

Whatever benefit we can get against either impact or likelihood works in our favor to reduce the risk overall, and gives us the ability to reduce, proactively or reactively or in combination, the threat and risk scenarios that can cause outages in our business.
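The grid movement described above can be made concrete with a small model. The following is an added example, not Cloud Academy course material or the instructor's own code: it places a scenario on a two-by-two impact/likelihood grid, applies controls that lower one axis or both, and reports which way the scenario moved. The 1-to-5 rating scale, the "high" threshold of 3, the scenario names and the control effects are all constructed for illustration and are not figures from the course.

```python
"""Added example (not course material): modelling the impact/likelihood grid.

Ratings use a constructed 1..5 scale; a rating of 3 or more counts as "high".
Upper right of the grid = high impact, high likelihood; lower left = low/low.
"""
from __future__ import annotations
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # constructed threshold separating "low" from "high"


@dataclass(frozen=True)
class Scenario:
    name: str
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (near certain)


@dataclass(frozen=True)
class Control:
    name: str
    impact_reduction: int = 0      # points of impact the control removes
    likelihood_reduction: int = 0  # points of likelihood the control removes


def quadrant(impact: int, likelihood: int) -> str:
    """Map a rating pair to one of the four grid cells."""
    i = "high" if impact >= HIGH_THRESHOLD else "low"
    l = "high" if likelihood >= HIGH_THRESHOLD else "low"
    return f"{i}-impact/{l}-likelihood"


def risk_score(scenario: Scenario) -> int:
    """Simple product score so movement on either axis is visible as a number."""
    return scenario.impact * scenario.likelihood


def apply_controls(scenario: Scenario, controls: list[Control]) -> Scenario:
    """Return the residual scenario after all controls; ratings never drop below 1."""
    impact, likelihood = scenario.impact, scenario.likelihood
    for c in controls:
        impact = max(1, impact - c.impact_reduction)
        likelihood = max(1, likelihood - c.likelihood_reduction)
    return Scenario(scenario.name, impact, likelihood)


def movement(before: Scenario, after: Scenario) -> str:
    """Describe along which axes the scenario moved toward the lower left."""
    moved_impact = after.impact < before.impact
    moved_likelihood = after.likelihood < before.likelihood
    if moved_impact and moved_likelihood:
        return "both axes"
    if moved_impact:
        return "impact only"
    if moved_likelihood:
        return "likelihood only"
    return "none"


def assess(scenario: Scenario, controls: list[Control]) -> dict:
    """Inherent vs. residual position on the grid for one scenario."""
    after = apply_controls(scenario, controls)
    return {
        "before": scenario,
        "after": after,
        "before_quadrant": quadrant(scenario.impact, scenario.likelihood),
        "after_quadrant": quadrant(after.impact, after.likelihood),
        "before_score": risk_score(scenario),
        "after_score": risk_score(after),
        "movement": movement(scenario, after),
    }


# Constructed sample scenarios (illustrative, not from the course).
# 1. Controls exist for both axes: backups cut impact, patching cuts likelihood.
RANSOMWARE = Scenario("ransomware on shared file server", impact=5, likelihood=4)
RANSOMWARE_CONTROLS = [
    Control("tested offline backups", impact_reduction=3),
    Control("patching plus mail filtering", likelihood_reduction=2),
]
# 2. Only impact can be reduced: nothing we do changes the weather.
HURRICANE = Scenario("hurricane hits primary data centre", impact=5, likelihood=3)
HURRICANE_CONTROLS = [Control("warm-site disaster recovery", impact_reduction=3)]
# 3. No effective or affordable control identified: the scenario stays put.
UNMITIGATED = Scenario("zero-day against exposed legacy service", impact=4, likelihood=3)
UNMITIGATED_CONTROLS: list[Control] = []

if __name__ == "__main__":
    for s, cs in [(RANSOMWARE, RANSOMWARE_CONTROLS),
                  (HURRICANE, HURRICANE_CONTROLS),
                  (UNMITIGATED, UNMITIGATED_CONTROLS)]:
        r = assess(s, cs)
        print(f"{s.name}: {r['before_quadrant']} (score {r['before_score']})"
              f" -> {r['after_quadrant']} (score {r['after_score']}), moved: {r['movement']}")
```

The three constructed scenarios correspond to the three outcomes the lecture names: one moves diagonally to the lower left, one moves along the impact axis only, and one does not move at all because no control applies.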

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.