CSSLP Domain 1:2 Risk Management
Risk Management Problem Space

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of risk management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Risk management problem space and management flow

  • Definitions, terminology, and types of risks

  • Control Categories and Functions

  • Cost-Benefit Assessment

  • General Risk Assessment Model

  • Overall Control Objectives

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.


Any experience relating to information security would be advantageous, but it is not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Welcome to section two of the CSSLP domain one entitled Risk Management. So our next area of discussion will concern the process, decision logic, and factors of risk analysis. In this section, we will explore the issues and considerations that must be taken into consideration when evaluating the risks associated with a project, a system, or a business.

Once risk is recognized as a business problem rather than a technological one, set in the context of information systems and specifically the design, build, and operation of the applications the business uses, it becomes increasingly clear that setting out to produce systems that are secure by design, and therefore secure in operation, is by far the best approach.

Done well, the risk analysis activity can reveal areas of exposure and the potential consequences of decisions concerning risk treatment options, and it can provide the rationale for an effective composite risk treatment strategy. Employing it from the very earliest phases of conception and requirements development will produce higher-quality and more secure tools for the business to use. So this module concerns the application of risk management practices to reduce or eliminate the occurrence of these outcomes, and the actions that can result from that practice.

The general focus of risk management, then, is to identify the potential threat-asset-vulnerability combinations that, if compromised, damage the organization's ability to deliver its product or service. The object of risk management in the software development process is to identify the places and ways in which software can cause unexpected results, be modified to cripple the user's ability to perform, or be invaded to prevent its correct operation. These outcomes can result from different factors, such as process failures, testing failures, and intentional sabotage, among others.

Here, you see the risk management problem space. It is a four-dimensional space in which to apply risk-mitigating practices and countermeasures. The first dimension is asset value. In a risk management calculation we have to compute it from both tangible and intangible factors: factors that bear on the asset directly, such as accounting values, and factors that are more intangible, such as value contributions and other perceptions. Intangible though they may be, they still contribute real value and real importance to the asset in the minds of the business and its managers.

Next, we have threats and their impacts. Here we determine the type of threat, its impact, and the order of magnitude of that impact, anywhere from small or insignificant to something bordering on major or catastrophic. We also have to consider vulnerabilities, which are divided into two types. The first type is direct vulnerabilities: weaknesses in the particular context that we're examining in this problem.

The second type is predisposing conditions, which may not be risks in themselves but may give rise to vulnerabilities that can then be exploited, or, in the case of a natural hazard, something that simply happens due to a natural event such as an earthquake or a tornado. And of course, we have to consider time.

Time, as we know, changes the character and the value of nearly any asset, business, or other thing of value that we consider in a problem of this type. If we are projecting over a period of time, say a horizon of one to three years, we have to account for the effect of time on these factors, because as they change, so may our assessment of the asset and our strategic approach to mitigation and treatment.
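The four dimensions described above (asset value from tangible and intangible parts, a threat with an impact magnitude, direct vulnerabilities and predisposing conditions, and a time horizon) can be turned into a small risk register that ranks scenarios and compares the cost of a control against the loss it avoids. The following is an added example, not material from the course or from the author; the exposure-factor table, the amplifier treatment of predisposing conditions, the annual-rate loss formula, and all sample values are assumptions chosen for illustration.

```python
"""Toy risk-register model of the four-dimensional risk problem space.

Assumed (not from the course): each impact magnitude maps to an exposure
factor, expected loss per year = asset value * exposure factor * annual
threat rate * probability of success, and predisposing conditions act as
multipliers on the success probability of the direct vulnerabilities.
"""
from dataclasses import dataclass
from enum import IntEnum
from math import prod


class Impact(IntEnum):
    """Order of magnitude of a threat's impact, from insignificant to catastrophic."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


# Assumed fraction of the asset's value lost when a threat of each magnitude lands.
EXPOSURE_FACTOR = {Impact.INSIGNIFICANT: 0.01, Impact.MINOR: 0.10,
                   Impact.MODERATE: 0.30, Impact.MAJOR: 0.60,
                   Impact.CATASTROPHIC: 1.00}


@dataclass(frozen=True)
class Asset:
    name: str
    tangible_value: float    # accounting / book value
    intangible_value: float  # estimated value contribution, reputation, etc.
    annual_change: float     # fractional change in value per year (0.10 = +10%)

    def value_at(self, year: int) -> float:
        """Asset value projected `year` years into the horizon (the time dimension)."""
        return (self.tangible_value + self.intangible_value) * (1 + self.annual_change) ** year


@dataclass(frozen=True)
class Threat:
    name: str
    impact: Impact
    annual_rate: float  # expected occurrences per year (estimate)


@dataclass(frozen=True)
class Vulnerability:
    """A direct weakness: probability the threat succeeds through it."""
    name: str
    likelihood: float


@dataclass(frozen=True)
class PredisposingCondition:
    """Not a weakness by itself; scales how likely the direct weaknesses are to be exploited."""
    name: str
    amplifier: float  # 1.0 = no effect


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: Threat
    vulnerabilities: tuple
    conditions: tuple = ()

    def success_probability(self) -> float:
        if not self.vulnerabilities:
            return 0.0  # a predisposing condition alone gives the threat nothing to exploit
        p_direct = 1 - prod(1 - v.likelihood for v in self.vulnerabilities)
        return min(1.0, p_direct * prod(c.amplifier for c in self.conditions))

    def expected_loss(self, horizon_years: int) -> float:
        """Sum of per-year expected loss, with asset value re-projected each year."""
        factor = (EXPOSURE_FACTOR[self.threat.impact] * self.threat.annual_rate
                  * self.success_probability())
        return sum(self.asset.value_at(y) * factor for y in range(horizon_years))

    def without(self, vuln_name: str) -> "Scenario":
        """Scenario after a control removes one direct vulnerability."""
        remaining = tuple(v for v in self.vulnerabilities if v.name != vuln_name)
        return Scenario(self.asset, self.threat, remaining, self.conditions)


def rank_scenarios(scenarios, horizon_years):
    """Threat names with expected loss over the horizon, highest first."""
    return sorted(((s.threat.name, s.expected_loss(horizon_years)) for s in scenarios),
                  key=lambda pair: pair[1], reverse=True)


def control_net_benefit(before, after, annual_cost, horizon_years):
    """Cost-benefit of a control: loss avoided over the horizon minus its cost."""
    avoided = before.expected_loss(horizon_years) - after.expected_loss(horizon_years)
    return avoided - annual_cost * horizon_years


# Constructed sample data (hypothetical values).
CUSTOMER_DB = Asset("customer database", 200_000, 300_000, 0.10)
ATTACKER = Scenario(CUSTOMER_DB, Threat("external attacker", Impact.MAJOR, 0.5),
                    (Vulnerability("injection flaw in search form", 0.4),
                     Vulnerability("weak password policy", 0.2)),
                    (PredisposingCondition("no patch process", 1.25),))
EARTHQUAKE = Scenario(CUSTOMER_DB, Threat("earthquake", Impact.CATASTROPHIC, 0.02),
                      (Vulnerability("single site, no offsite backup", 0.9),))

if __name__ == "__main__":
    for name, loss in rank_scenarios([ATTACKER, EARTHQUAKE], horizon_years=3):
        print(f"{name:20s} expected 3-year loss: {loss:,.0f}")
    fixed = ATTACKER.without("injection flaw in search form")
    print("net benefit of fixing the injection flaw at 30,000/yr:",
          f"{control_net_benefit(ATTACKER, fixed, 30_000, 3):,.0f}")
```

The ranking shows why the time dimension matters: the asset grows 10% a year, so the same threat and vulnerability combination produces a larger expected loss in year three than in year one, and a control's net benefit depends on the horizon it is judged over.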

About the Author

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.