Security Risk Identification


Risk Management

This Course looks at the key aspects of risk management, including risk identification, risk mitigation, and risk controls. We look at the ISO frameworks and the processes you can put in place to manage risks within your organisation.

We then move on to assessing and identifying risks. We look at the difference between qualitative and quantitative risk assessments, and at the guidelines set out by NIST. We then cover the main tenets of risk mitigation, which are risk reduction, risk avoidance, risk transfer, and risk retention, before finally looking at the controls you can put in place to counteract risks.

Learning objectives

  • Understand the organisational processes needed to manage risks.
  • Learn how to assess and identify risks.
  • Learn about risk reduction, risk avoidance, risk transfer, risk retention, and risk controls.

Intended audience

This Course is intended for anyone who wants to improve their knowledge of risk management in an information security context.


We recommend taking this Course as part of the IT Security Fundamentals Learning Path.


Hello and welcome back. Let's review the process of risk identification. In the previous lecture we looked at threats, then at assets, and then at the threats faced by each of those assets, whether deliberate or inadvertent. The output of that identification process is a list of assets known as an 'asset list' or an 'asset register'.

Asset registers are often one of the hardest things to maintain, because assets change hands all the time. Alongside each asset we record the threats it faces, the existing controls that protect it, and the vulnerabilities that are linked to known threats and past incidents. This is security risk identification; there is a separate process called 'business impact analysis' that we'll get to later.

NIST provides a set of guidelines for this. They start with defining the scope and identifying the assets, then work through the following steps.

Asset valuation. Knowing what an asset is worth tells us which assets to spend the most money protecting, and it also helps us choose our controls. Safeguard analysis: have the controls we already have in place worked? Vulnerability analysis: what type of vulnerability is it, and can we live with it? Then the likelihood assessment. Finally we interpret all of these results and either accept the risk or implement cost-effective controls, always balancing the cost of the control against the impact of the risk.

Many of us do this on a risk calculation matrix. This is known as a qualitative risk assessment, or qualitative risk matrix: we describe each risk with words that are subjective, based on our view of it. On the matrix we have likelihood (probability) down one side and impact along the other, and a cell's rating is simply impact times likelihood, as we mentioned before. That's all it is.

As an example: what is the likelihood that one of your colleagues will lose their laptop in the next six months? You might say it's unlikely. But what would the impact be if it did happen? If your laptops are encrypted, the impact is moderate, because the data on the device stays protected. If there were no encryption, the impact would be high. In other words, you applied a control beforehand, and that control has mitigated the risk and brought it down to a minor-to-medium level in this case.

That's how we do qualitative risk assessments. They're really simple with these 5x5 risk matrices. When we put numbers on the scales it becomes a semi-quantitative risk assessment, because we've now added numbers to give that extra granularity.

Low risk: routine acceptance. We accept the risk, because it falls under what we would call our 'risk acceptance criteria'.

Medium risk: we need to take some sort of action to monitor it. So, we'd be monitoring loss of laptops.

High risk: action needs to be taken to compensate for the risk. We need to put controls in place straight away.

Extreme risk: immediate action is required to mitigate the risk, or we decide not to proceed with the activity at all.

So that was qualitative, which is subjective: it rests on judgement rather than measured values. We don't have to use high, medium, and low. We could just as well use green, amber, and red. Whatever communicates the information to your staff best is what you should use.

The one that is far less subjective is quantitative, because it works with measured values and money. One caveat: the inputs are still estimates, so the output is only as good as the data behind it.

In a quantitative risk assessment we start with the asset value, AV, which is what the asset is worth in money. From the AV we calculate the SLE, the single loss expectancy: how much we expect to lose if the incident happens once.

The SLE is the asset value, AV, multiplied by what we call the EF, the exposure factor. The exposure factor is the percentage of the asset's value that is lost when that particular threat is realised against it. Note that only the EF is a percentage; the SLE that comes out is a monetary amount. Let's say the asset value is $200 and the exposure factor for the threat is 50%. The SLE is $100. That's how much we expect to lose each time the incident happens.

We then take the SLE into a calculation called the ALE (pronounced 'ale'), the annualized loss expectancy. That is how much this incident is expected to cost us per year.

To get there we take the single loss expectancy and multiply it by the ARO, the annualized rate of occurrence: how many times a year the incident happens. The A is still 'annualized'; the R is 'rate'. So ALE = SLE x ARO.

The annualized rate of occurrence comes from the metrics you already have: how often it has happened to you before. You can also get it from insurance companies, or from competitors and peers: how often has it happened to them? You enter that into the equation and you get your ALE out.

So it's still just impact times likelihood, all over again. We're still doing a risk calculation; we're just doing a more detailed version of it. The qualitative version was impact and likelihood, and this is no different, except that we're now using numbers and drilling down into the actual detail.
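As an added worked example (written for this page, not the course's own material), the following Python puts both calculations side by side: the semi-quantitative 5x5 matrix rating from the lost-laptop scenario above, and the SLE/ALE figures with a simple cost-benefit check on the encryption control. The scales, the band cut-offs, the asset value, the exposure factors, the ARO and the control cost are all constructed assumptions, not figures from the course.

```python
"""Risk rating worked example: semi-quantitative 5x5 matrix plus SLE/ALE.

Added illustration for this page; it is not course material.  The scales,
band cut-offs and every monetary figure below are constructed assumptions.
"""

# Semi-quantitative scales (assumed): words on the matrix mapped to 1..5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Band cut-offs on the product likelihood x impact (assumed; align these
# with your own risk acceptance criteria).  Each entry: (max score, band, action).
BANDS = [
    (4, "low", "routine acceptance"),
    (9, "medium", "monitor"),
    (16, "high", "put compensating controls in place now"),
    (25, "extreme", "immediate action, or do not proceed"),
]


def rate(likelihood: str, impact: str) -> tuple[int, str, str]:
    """Score a qualitative pair and return (score, band, required action)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    for ceiling, band, action in BANDS:
        if score <= ceiling:
            return score, band, action
    raise ValueError(f"score {score} outside the 5x5 matrix")


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF.

    EF is the fraction of the asset's value lost per occurrence (0.5 == 50%);
    the result is money, not a percentage.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def ale(single_loss_expectancy: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO.

    ARO may be fractional: 0.5 means once every two years, 3 means three
    times a year.
    """
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(single_loss_expectancy * aro, 2)


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual benefit of a control: the ALE it removes minus what it costs per year.

    A negative result means the control costs more than the risk it reduces.
    """
    return round((ale_before - ale_after) - annual_control_cost, 2)


def laptop_scenario() -> dict:
    """Lost-laptop risk with and without full-disk encryption (constructed figures)."""
    # Qualitative side: encryption lowers the impact, not the likelihood of loss.
    unencrypted = rate("possible", "major")
    encrypted = rate("possible", "minor")

    # Quantitative side.  Assumed: a laptop plus the data on it is worth $5,000;
    # without encryption 80% of that value is lost (data exposure), with it 30%
    # (hardware replacement only); the fleet loses three laptops a year; the
    # encryption programme costs $2,000 a year to run.
    asset_value = 5_000.0
    aro = 3.0
    sle_unencrypted = sle(asset_value, 0.8)
    sle_encrypted = sle(asset_value, 0.3)
    ale_unencrypted = ale(sle_unencrypted, aro)
    ale_encrypted = ale(sle_encrypted, aro)

    return {
        "qualitative_unencrypted": unencrypted,
        "qualitative_encrypted": encrypted,
        "sle_unencrypted": sle_unencrypted,
        "sle_encrypted": sle_encrypted,
        "ale_unencrypted": ale_unencrypted,
        "ale_encrypted": ale_encrypted,
        "net_value_of_encryption": control_value(ale_unencrypted, ale_encrypted, 2_000.0),
    }


if __name__ == "__main__":
    for key, value in laptop_scenario().items():
        print(f"{key:28} {value}")
```

The point to take from the numbers is the last one: a control is justified when the ALE it removes exceeds its own annual cost, and the same function will show a negative value for a control that costs more than the risk it buys down. The band cut-offs are the part that most needs tuning to your own risk acceptance criteria.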

About the Author

He comes from a systems administration and network architecture background, with a solid part of his career spent building networks for educational institutions. With security a mainstay of his implementations, he grew a strong passion for everything cyber-oriented, especially social engineering. That educational experience led him to mentor young women in IT, helping them to begin a cyber career. He is a recipient of the Cisco global cyber security scholarship, a CCNA Cyber Ops holder, and was selected for the CCNP Cyber Ops program.