Risk Management Concepts
This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of risk management.
The objectives of this course are to provide you with an understanding of:
Risk management problem space and management flow
Definitions, terminology, and types of risks
Control Categories and Functions
General Risk Assessment Model
Overall Control Objectives
This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.
Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.
If you have thoughts or suggestions for this course, please contact Cloud Academy at email@example.com.
Now, the terminology that you see here consists of terms that we've used before. We've defined these just moments ago, and the reason that this is here is to prompt you to think about how you and your organizational context would be thinking of these various terms. How do you define asset? What methods do you use for valuing it? What are particular threats and threat agents that your operational context would consider live threats against you? Do you have specific or unique vulnerabilities? Do you know what they are? Would you know it if you saw it? Exposure, how does your business calculate exposure? Is it exploitability or is it possibly a financial loss level? How do you calculate risk? Possibly the probability of an event occurring or the financial loss potential again? What are controls or safeguards that you consider to be acceptable? Which ones have you not considered? Which ones may be brand new? At the same time, which ones may have primary effects that are good, but may have secondary impacts that are not? How do you consider countermeasures, reactive methods to oppose threats as they become materialized? What sort of specific or unique attacks does your business context experience? And then if you deal with different kinds of regulated information, what form of breach is the kind that takes place? Do you have controls in place to cope with that?
It's vitally important that you have clear definitions in your business context for each of these terms so that everything is measured and is specific and properly related to your operational context. As you're going through constructing your problems, looking at risk and how to mitigate it, you'll do a threat source survey.
The threat source survey looks at sources of threats: human sources, whether human-made, the kind that can fail, a passive threat, or human-driven, an active threat that would conform to the definition of attack. And then of course we have our natural sources. What is the character, technological or non-technological? Is there a motivating force behind it? In other words, is it human-driven or is it simply something that happens, perhaps characterized as intentional or unintentional? Origin and geography: this is where we consider whether it's an insider, an internal threat, or an outsider, an external threat.
Scope and intent. Is it isolated? Is it contained? Or is it pervasive? Is it expansive, actively so? Then we have to consider whether or not it is hostile or non-hostile. A light bulb that extinguishes itself at the end of its life is not hostile, but something that is done by internal sabotage would be considered hostile.
Viruses are sometimes considered to be hostile and sometimes non-hostile, depending upon how they're driven, what they perform in the way of damage, if any. Can you foresee it or is it something that you cannot foresee such as a zero day might be? Some things are indefensible. What do you do about those? In today's age, you have to consider an indefensible threat, what that would look like and how it would arrive at your doorstep. Many that we see are defensible so long as we accept the reality that they are.
Could it be just a failure, an accident, or is it something more dark than that? There are the type that are intense, meaning high and fast, or the gradual type, low and slow. These make you consider detective methods and response methods. For a high and fast type, there may be nothing you can do except to let it expire itself and pick up the pieces afterwards. The low and slow type may on the other hand be more difficult to detect because of how they're done. Are you prepared to deal with either one of these?
As you look through all of these, you have to consider how live they are, how prevalent they are, how much of a target you are. And as you consider them, you have to consider what the attack flow would be like, how it would transpire, and where you might be able to make a difference, accepting for instance, that it may not be possible always to understand that well enough to mount what you hope is a completely impervious defense. And that means you have to think of layers of defense.
Now this is our classic annualized loss expectancy calculation. This of course is the calculation that we have used for decades to make a rough order of magnitude determination about what we have in the way of a threat agent that materializes, causes some form of negative impact on an asset, that takes it at least partially or completely out of operation. Then by figuring out how often it occurs, we calculate an annualized loss expectancy.
Now these are calculated by each interaction that we have or by a category, so that we can come up with an indication or a budget amount for how we put together our controls selections, and budget to oppose these things, offset them in some way, through a combination of proactive and reactive measures.
So to walk through the diagram, we have our asset value there in green, and TCO means that these need to be calculated on a total cost of ownership basis. There in red next to it, we take the exposure factor, calculated as a percentage of capability or capacity lost. These two together produce our single loss expectancy, which is exactly what it is defined as: the loss from this event, whatever it is, happening once. Then we look back through historical records to calculate the annual rate of occurrence.
For example, something that happens once per year would be a decimal 1.0, happening once per month, a whole number 12, if it happens less than one time per year, let's say three times in five years, the ARO becomes 0.6, indicating it happens three times in five years. Calculating that with the single loss expectancy produces the budget number, the annualized loss expectancy, which will then be used to apply to a budget and a set of controls or other kinds of measures that we will use to offset this and all the other scenarios like it.
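The SLE/ARO/ALE calculation described above, worked through in code. This is an added example, not course material: the asset value is taken on a TCO basis as the lecture requires, the scenario numbers are constructed, and the control cost-benefit function is an assumed reading of how the "budget number" is applied to a control, not a formula the lecture states.

```python
"""Annualized loss expectancy (ALE): AV x EF = SLE, SLE x ARO = ALE."""
from dataclasses import dataclass


def annual_rate_of_occurrence(occurrences: int, years: float) -> float:
    """ARO from historical records: events observed / years observed.

    Once a year -> 1.0; once a month (12 in 1 year) -> 12.0;
    three times in five years -> 0.6.
    """
    if years <= 0:
        raise ValueError("observation window must be positive")
    return occurrences / years


@dataclass(frozen=True)
class LossScenario:
    name: str
    asset_value_tco: float   # asset value on a total-cost-of-ownership basis
    exposure_factor: float   # fraction of capability/capacity lost, 0.0..1.0
    aro: float               # annual rate of occurrence

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a percentage of the asset lost")

    def single_loss_expectancy(self) -> float:
        """SLE = AV x EF: the loss from this event happening once."""
        return self.asset_value_tco * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: the budget number for offsetting this scenario."""
        return self.single_loss_expectancy() * self.aro


def control_value(before: LossScenario, after: LossScenario,
                  annual_control_cost: float) -> float:
    """Assumed cost-benefit check: ALE removed by the control minus what the
    control costs per year. Negative means the control costs more than the
    loss it prevents and is not a cost-effective measure."""
    return (before.annualized_loss_expectancy()
            - after.annualized_loss_expectancy()
            - annual_control_cost)


# Constructed scenario: a $200,000 (TCO) server, an outage that removes 40%
# of its capacity, observed three times in the last five years (ARO 0.6).
OUTAGE = LossScenario("server outage", 200_000.0, 0.40,
                      annual_rate_of_occurrence(3, 5))
# Same event after a redundancy control that limits the loss to 10%.
OUTAGE_MITIGATED = LossScenario("server outage (redundant)", 200_000.0, 0.10,
                                annual_rate_of_occurrence(3, 5))

if __name__ == "__main__":
    print(f"SLE = {OUTAGE.single_loss_expectancy():,.2f}")        # 80,000.00
    print(f"ALE = {OUTAGE.annualized_loss_expectancy():,.2f}")    # 48,000.00
    print(f"control value = {control_value(OUTAGE, OUTAGE_MITIGATED, 10_000.0):,.2f}")
```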
Here, we have a graphic representation of what it is we're trying to achieve. Now, here, you see the formula, R sub t is greater than R sub a, which is greater than or equal to R sub r (Rt > Ra >= Rr). Now this represents the ideal relationship between the total risk, R sub t, the acceptable risk, R sub a, and the residual risk, R sub r, and the relative relationship of these three elements.
What it shows is that when the residual risk is, at its greatest, less than or equal to the acceptable limit set by management, it means a couple of things. It means that the acceptable risk, of course, must always encompass any compliance items as part of this attainment, and it reemphasizes that all dollar values should be based on the total cost of ownership and use the appropriate valuation method, usually found in the accounting department of the business.
So to look at our graphic, the total risk is, as we said earlier, all the risks and possible losses found or inherent in the context, before we have done anything. Picture yourself walking into a room full of computer equipment. As you enter, you close the door behind you. You haven't done anything except stand there in the doorway, looking at the room and beginning to formulate how you're going to proceed.
At this point, you are looking at the total risk. Now this is calculated as, threats times vulnerabilities times asset value. Now it should be said that this is not strictly speaking mathematics. What it's showing is the realization of a relationship between threats, acting upon vulnerabilities, which in their turn are acting upon and diminishing an asset value. And that gives us the total risk.
Then we have the acceptable risk, which is a level set by management that is equal to the amount of impact that it can suffer and continue to operate, either in a slightly diminished capacity but without severe impact, or without any diminution in its ability to operate at all. The acceptable risk can be something that is arbitrarily set by management, or it can be based on financial and probabilistic calculations. However, it is a real value that we use to define the acceptable risk, set between total risk and residual risk.
Now the residual risk is the total risk minus the reductions that have been attained through our mitigation program, and that gives us the resultant residual risk, which is what remains after all cost-effective measures have been taken. Now, a way to calculate risk exposure using a qualitative method: first, we use the table to show likelihood and consequences.
Now this is a two-character measurement. On the one hand, we have the likelihood and on the other, we have the impact magnitude. We consider certain as grade A, catastrophic also as grade A. Then we have a diminishing scale: highly likely, moderately likely, unlikely, or rare. And then from catastrophic, we work downwards to major, moderate, minor, negligible.
So the two-character rating, let's say that it's highly likely, but it only produces minor impact. That would be a rating of B/D: highly likely, B, in its likelihood of occurrence, but only minor, D, in its impact magnitude. Then we think about the other characteristics that are relevant to this. The qualification and rating gives us additional clarity about the sort of skill, if skill is what is needed, ease of access, incentive, or resource requirements that may be required for mounting this particular attack from the attacker's point of view.
We calculate a level that goes from low at one to very high at five. When we calculate the level of skill, ease of access, incentive, resource requirements, we come up with four digits and for simplicity's sake, we'll say that it's five, four, three, two, and that can give us an understanding of how we might need to address skill, access, incentive, or resource requirements along with likelihood and impact magnitude to come up with a total rating for a given threat impact scenario.
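The qualitative rating described in the two paragraphs above (the A to E likelihood/impact grade such as B/D, plus the four 1 to 5 attacker-requirement levels such as 5432) as an added example, not course material. The scenario names and values are constructed; ordering scenarios by impact grade first and then likelihood grade is an assumption made here for prioritization, since the lecture does not give a formula for combining the ratings.

```python
"""Qualitative risk rating: two-character grade plus attacker profile."""
from dataclasses import dataclass

# Grade A is the most severe end of each scale, as in the lecture's table.
LIKELIHOOD = {"certain": "A", "highly likely": "B", "moderately likely": "C",
              "unlikely": "D", "rare": "E"}
IMPACT = {"catastrophic": "A", "major": "B", "moderate": "C",
          "minor": "D", "negligible": "E"}
PROFILE_FACTORS = ("skill", "ease of access", "incentive", "resource requirements")


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str          # one of the LIKELIHOOD terms
    impact: str              # one of the IMPACT terms
    profile: tuple           # four levels, 1 (low) .. 5 (very high), in PROFILE_FACTORS order

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must use the table's terms")
        if len(self.profile) != 4 or not all(1 <= v <= 5 for v in self.profile):
            raise ValueError("profile needs four levels rated 1..5")

    def rating(self) -> str:
        """Two-character rating, e.g. highly likely / minor -> 'B/D'."""
        return f"{LIKELIHOOD[self.likelihood]}/{IMPACT[self.impact]}"

    def profile_digits(self) -> str:
        """Four-digit attacker-requirements profile, e.g. (5, 4, 3, 2) -> '5432'."""
        return "".join(str(v) for v in self.profile)

    def profile_by_factor(self) -> dict:
        """Label each level with its factor so the digits can be read back."""
        return dict(zip(PROFILE_FACTORS, self.profile))


def priority_key(s: Scenario) -> tuple:
    """Assumed ordering: worst impact grade first, then worst likelihood grade.
    'A' sorts before 'E', so lower tuple = higher priority."""
    return (IMPACT[s.impact], LIKELIHOOD[s.likelihood])


def rank(scenarios) -> list:
    """Scenario names ordered from highest to lowest priority."""
    return [s.name for s in sorted(scenarios, key=priority_key)]


# Constructed scenarios for a small register.
REGISTER = [
    Scenario("phishing", "highly likely", "minor", (5, 4, 3, 2)),
    Scenario("ransomware", "moderately likely", "catastrophic", (4, 2, 5, 3)),
    Scenario("disk failure", "certain", "minor", (1, 1, 1, 1)),
]

if __name__ == "__main__":
    for s in sorted(REGISTER, key=priority_key):
        print(f"{s.rating()} {s.profile_digits()}  {s.name}")
```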
Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.