Anthropic Mythos - Risk Management Concepts (Domain 1)

Apr 27, 2026

An AI model capable of uncovering thousands of zero-days and chaining them into automated exploits isn't just an alarming headline — it's a live stress test for every risk program in existence. We kick off with what the Mythos news actually means for defenders: attacker timelines may compress from human pace to machine speed, and most SIEM and EDR tools are still tuned to catch humans. We get candid about what security teams should be doing right now, from hardening external attack surfaces to accelerating zero trust adoption.

From there, we shift into CISSP Domain 1 risk management — but we translate the exam language into decisions you'll actually face on the job. We break down core concepts like assets, threats, vulnerabilities, exposure, safeguards, attacks, and breaches, then walk through control categories (technical, administrative, physical) and control types (preventive, detective, corrective, deterrent, recovery, and compensating). We also tackle one of the most misunderstood areas in risk: the difference between risk appetite, risk capacity, and risk tolerance — and why business leaders must be in that conversation.

We round out the episode with quantitative vs. qualitative risk analysis, including the key CISSP formulas — AV, EF, SLE, ARO, and ALE — along with an honest look at "fake precision" and how to build a cost-benefit analysis that actually holds up. We also cover security control assessments, monitoring and measurement, structuring a risk register, and how maturity models and frameworks like CMMI, ISO 31000, NIST, ISO 27005, COBIT, SABSA, and PCI DSS fit into a defensible risk program.

If you're studying for the CISSP or leading a security team, this one's worth sharing.


🎯 Get 360 FREE CISSP Practice Questions delivered straight to your inbox at FreeCISSPQuestions.com — and give yourself a real edge going into exam day.

BLOG POST


CISSP Domain 1 (1.10): Risk Management Concepts — Formulas, Frameworks, Controls, and AI Threats Explained

CISSP risk management is one of the most formula-heavy and framework-dense topics in Domain 1, and it's also the foundation for nearly every security decision you'll make as a practicing professional. This post covers everything in CISSP objective 1.10 — from core risk terminology and quantitative formulas (ALE, SLE, ARO) to control categories, risk response strategies, maturity models, and major frameworks including NIST RMF, ISO 31000, COBIT, and PCI DSS. It also addresses why the emergence of autonomous AI vulnerability discovery tools makes mastering these concepts more operationally urgent than ever.

Why Is Risk Management the Foundation of CISSP Domain 1?

No organization can eliminate all risk. The goal of risk management is to identify what matters, quantify potential loss, and make rational decisions about how much risk to accept versus address. CISSP objective 1.10 tests whether you understand this as both a strategic discipline and a technical process — not just as a set of formulas.

Risk (the possibility that a threat will exploit a vulnerability and cause harm to an asset) sits at the center of every security program. All other controls, policies, and frameworks exist to manage it. Crucially, acceptable risk levels are a business decision — not a technical one. Security professionals provide analysis; business leaders set tolerance.

Exam context: Domain 1 questions on risk management test conceptual understanding more than calculation. Know what each term means, when each formula applies, and why a risk response was chosen — not just the math.

What Are the Core Risk Terms Every CISSP Candidate Must Know?

Asset
Anything of value to the organization that requires protection.
Asset Valuation
The dollar value assigned to a specific asset, used in quantitative analysis.
Threat
Any natural or man-made event with potential adverse impact on an asset (e.g., malware, natural disaster, AI-generated exploit).
Vulnerability
A weakness in a safeguard that increases the likelihood of a threat being realized.
Exposure
The condition of an asset being open to a threat — the extent of potential loss.
Safeguard / Countermeasure
A control or mechanism implemented to reduce or eliminate vulnerabilities.
Attack
Active exploitation of a vulnerability by a threat actor.
Breach
The successful bypass of a security mechanism. Use carefully — carries legal and regulatory reporting implications.

Exam tip: "Threat" and "vulnerability" are frequently swapped in wrong-answer choices. A threat is external and acts on the asset; a vulnerability is an internal weakness in the asset's protections. A threat exploits a vulnerability.

What Are the Three Categories of Security Controls on the CISSP Exam?

Every security control falls into one of three categories. You must be able to classify controls and select the right type for a given scenario.

  • Technical controls — Hardware and software mechanisms that enforce access and security policy. Examples: firewalls, encryption, IDS/IPS, MFA, endpoint detection and response (EDR).
  • Administrative controls — Policies, procedures, standards, and guidelines that define expected behavior. Examples: acceptable use policy (AUP), security awareness training, incident response procedures.
  • Physical controls — Barriers and mechanisms that restrict physical access to facilities, systems, and assets. Examples: mantraps, badge readers, biometric scanners, security guards.

Within those categories, controls also have functional types: preventative (block threats before they occur), detective (identify violations after they begin), corrective (remediate and improve after an incident), deterrent (discourage attacks), recovery (restore systems and data), and compensating (provide an alternate means of achieving security when the primary control is unavailable or impractical).

Exam tip: Compensating controls are frequently tested. They don't replace the original requirement — they provide an equivalent alternative when the primary control cannot be implemented. Always tie them back to the original intent.

How Do You Calculate ALE, SLE, and ARO for the CISSP Exam?

Quantitative risk analysis assigns real dollar values to potential losses, enabling objective cost-benefit comparisons. The core formula chain is:

Quantitative Risk Formulas — CISSP Domain 1

AV = Asset Value (dollar value of the asset)
EF = Exposure Factor (% of asset lost in a single incident)
SLE = AV × EF (Single Loss Expectancy)
ARO = Annual Rate of Occurrence (how often the event happens per year)
ALE = SLE × ARO (Annualized Loss Expectancy)

Total Risk = Threats × Vulnerabilities × Asset Value
Residual Risk = Total Risk − Controls Gap

In practice, these numbers require input from business stakeholders — not just IT. An ALE calculated in isolation is directionally useful at best. Precision beyond ±50% is rare without real incident history and business context. Qualitative risk analysis, by contrast, uses subjective scales (high/medium/low) rather than dollar figures — less precise but faster and still valid for prioritization.

Exam tip: Avoid over-precision in quantitative answers. A calculated ALE of "$1,267,500" signals false confidence. The exam tests whether you know the formulas and can apply the results to a risk response decision — not whether you can compute to the dollar.

What Are the Risk Response Options on the CISSP Exam?

Once risk is quantified, you must select a response. The CISSP exam tests all six options and their appropriate contexts:

  • Mitigation / Reduction — Implement safeguards or controls to reduce the likelihood or impact of the threat. Best when mitigation cost < ALE.
  • Assignment / Transfer — Shift financial responsibility to a third party, typically through cybersecurity insurance. The 2024 CISSP exam outline explicitly names cyber insurance as an example of risk treatment.
  • Deterrence — Implement visible controls designed to discourage threat actors from attacking.
  • Avoidance — Eliminate the risk entirely by discontinuing the activity or system that introduces it.
  • Acceptance — Acknowledge the risk and consciously choose not to act, typically when countermeasure cost exceeds the ALE. Must be documented and approved by leadership.
  • Rejection / Ignoring — Acknowledging a risk exists and choosing to neither document nor address it. This is not a legitimate risk management strategy and creates serious liability.

On cybersecurity insurance: The 2024 CISSP exam outline explicitly calls out cyber insurance as a risk transfer mechanism. Expect this to remain prominent — and potentially expand — in future exam versions as insurance becomes a regulatory requirement in financial services.
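To make the formula chain above and the mitigation-versus-acceptance rule concrete, here is a worked example in Python. It is an added illustration, not code from the page or from CISSP Cyber Training. It implements AV × EF = SLE and SLE × ARO = ALE, computes the residual ALE left after a candidate safeguard (the worked form of residual risk), applies the post's cost-benefit test (mitigate when the safeguard costs less than the loss it prevents, otherwise document acceptance), and rounds the result to a reporting band to avoid the "$1,267,500" kind of fake precision. It also shows what happens to a decision when the ARO assumption is revised upward, which is the reassessment the post later argues machine-speed attackers will force. Every asset value, exposure factor, rate, cost and scenario name is constructed sample data.

```python
"""Quantitative risk worked example for CISSP Domain 1 (added illustration; not
code from the page or from CISSP Cyber Training).

Implements AV x EF = SLE and SLE x ARO = ALE, then the cost-benefit test from
the post: mitigate when the annual safeguard cost is below the ALE reduction
it buys, otherwise document acceptance. Residual risk is shown in its worked
form, the ALE that remains after the safeguard. All figures are constructed.
"""
from dataclasses import dataclass
from math import floor, log10
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing with its quantitative inputs."""
    name: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate control; None means that input is unchanged by the control."""
    name: str
    annual_cost: float                     # annual cost of the safeguard
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: AV x EF."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(s) * s.aro


def residual_ale(s: Scenario, g: Safeguard) -> float:
    """ALE after the safeguard is applied (worked form of residual risk)."""
    ef = g.new_exposure_factor if g.new_exposure_factor is not None else s.exposure_factor
    aro = g.new_aro if g.new_aro is not None else s.aro
    return ale(Scenario(s.name, s.asset_value, ef, aro))


def safeguard_value(s: Scenario, g: Safeguard) -> float:
    """ALE before - ALE after - annual cost of safeguard.
    Positive means the control costs less than the loss it prevents."""
    return ale(s) - residual_ale(s, g) - g.annual_cost


def recommend(s: Scenario, g: Safeguard) -> str:
    """Risk response per the post's rule: mitigate when the control pays for
    itself, otherwise accept (which still needs documented leadership approval)."""
    return "mitigate" if safeguard_value(s, g) > 0 else "accept"


def round_for_reporting(x: float, sig: int = 2) -> int:
    """Round to a few significant figures so an ALE is reported as a band
    (e.g. 1,300,000) rather than with false precision such as 1,267,500."""
    if x == 0:
        return 0
    factor = 10 ** (floor(log10(abs(x))) - sig + 1)
    return int(round(x / factor) * factor)


def reassess_aro(s: Scenario, multiplier: float) -> Scenario:
    """Re-run a scenario with a higher threat frequency, as the post suggests
    when attacker speed invalidates an ARO built on human-pace history."""
    return Scenario(s.name, s.asset_value, s.exposure_factor, s.aro * multiplier)


# Constructed sample scenarios and safeguards (hypothetical figures).
WEB = Scenario("public web server compromise", asset_value=200_000, exposure_factor=0.25, aro=0.5)
WAF = Safeguard("managed WAF plus patch SLA", annual_cost=8_000, new_aro=0.1)
TAPE = Scenario("lost backup tape", asset_value=10_000, exposure_factor=1.0, aro=0.05)
COURIER = Safeguard("bonded courier with tracking", annual_cost=2_000, new_aro=0.0)

if __name__ == "__main__":
    for s, g in ((WEB, WAF), (TAPE, COURIER)):
        print(f"{s.name}: SLE=${sle(s):,.0f} ALE=${ale(s):,.0f} "
              f"residual=${residual_ale(s, g):,.0f} "
              f"value=${safeguard_value(s, g):,.0f} -> {recommend(s, g)}")
    faster = reassess_aro(TAPE, 10)
    print(f"{faster.name} at 10x ARO -> {recommend(faster, COURIER)}")
    print(f"reported ALE band for $1,267,500: ${round_for_reporting(1_267_500):,}")
```

For the web server scenario the chain gives SLE = $50,000 and ALE = $25,000; the safeguard cuts ARO to 0.1, leaving a residual ALE of $5,000, so its value is $25,000 − $5,000 − $8,000 = $12,000 and the answer is mitigate. The tape scenario has an ALE of only $500 against a $2,000 control, so the answer is accept (documented and approved); multiply its ARO by ten and the same control becomes worth buying, which is exactly why stale ARO assumptions matter.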

What Is the Difference Between Risk Appetite, Risk Tolerance, and Risk Capacity?

These three terms are closely related but distinct, and mixing them up is a common exam trap:

  • Risk appetite — The total amount of risk an organization is willing to accept across all assets and activities. A strategic, board-level decision.
  • Risk capacity — The maximum amount of risk an organization is actually able to absorb without threatening its survival. May differ significantly from appetite.
  • Risk tolerance — The acceptable level of variation in risk outcomes for a specific asset or process. Operationally specific — e.g., a critical manufacturing line that cannot tolerate any downtime.

Exam tip: Never define these thresholds in isolation. They are business decisions made collaboratively with executive leadership. A security professional who sets risk appetite without business input is operating outside their authority — and outside exam expectations.

What Security Control Assessment Methods Are Tested on the CISSP Exam?

A security control assessment (SCA) is a formal evaluation of security infrastructure to determine what it protects against and where gaps remain. It is distinct from an audit — though colloquially the terms are sometimes used interchangeably. Key points:

  • SCAs include both paper-based reviews (policy and documentation checks) and technical testing (penetration testing, vulnerability scanning).
  • Both methods are complementary: documentation reviews confirm controls exist; technical testing confirms they function as designed.
  • U.S. federal agencies implement SCAs using NIST SP 800-53, which provides a catalog of security and privacy controls. This standard also underpins CMMC assessments.
  • Assessments must consider privacy implications — some controls increase protection while inadvertently creating new privacy risks.

What Is a Risk Register and Why Does It Matter for the CISSP Exam?

A risk register (also called a risk log) is a centralized document or system used to track identified risks, their status, assigned owners, and mitigation actions. It is one of the primary tools for maintaining ongoing risk visibility across an organization.

Key characteristics: it can be scoped organization-wide or limited to a single project or domain; it may be a spreadsheet or dedicated GRC software; it requires access controls — because a risk register that falls into the wrong hands is essentially a roadmap to your vulnerabilities.

Security note for practitioners: Classify your risk register appropriately and restrict access to need-to-know personnel. A comprehensive risk register in the hands of an attacker provides a prioritized attack path through your environment.
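A minimal risk register, with the hygiene checks the section above implies, as an added Python example (not the page's own tooling). It models each entry with the fields the post names (risk, owner, status, response, mitigation actions, review date) and flags rows that break the rules stated in this post: every risk needs an owner, acceptance must be documented and approved by leadership, "rejection" is not a legitimate treatment, and open risks must be revisited periodically. The register contents, names, dates and the classification label are all constructed sample data.

```python
"""Risk register hygiene checks (added illustration; not the page's own tooling).
The register schema, its rows and the classification label are constructed.

Flags register entries that break the rules the post states: every risk needs
an owner, acceptance must be documented and approved, rejection/ignoring is
not a treatment, and open risks must be revisited periodically.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# The treatments the post lists; "reject" is deliberately absent because the
# post says rejection/ignoring is not a legitimate risk management strategy.
LEGITIMATE_RESPONSES = {"mitigate", "transfer", "deter", "avoid", "accept"}

# Hypothetical handling label: the post stresses the register is need-to-know.
REGISTER_CLASSIFICATION = "CONFIDENTIAL - need to know"


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: Optional[str]
    response: str                        # expected to be in LEGITIMATE_RESPONSES
    status: str                          # "open", "in-progress" or "closed"
    next_review: Optional[date]
    approved_by: Optional[str] = None    # required when response == "accept"
    actions: List[str] = field(default_factory=list)


def check_entry(e: RiskEntry, today: date) -> List[str]:
    """Return human-readable findings for one register row (empty if clean)."""
    findings: List[str] = []
    if not e.owner:
        findings.append(f"{e.risk_id}: no owner assigned")
    if e.response not in LEGITIMATE_RESPONSES:
        findings.append(f"{e.risk_id}: response '{e.response}' is not a recognised treatment")
    if e.response == "accept" and not e.approved_by:
        findings.append(f"{e.risk_id}: accepted risk lacks documented leadership approval")
    if e.response == "mitigate" and e.status != "closed" and not e.actions:
        findings.append(f"{e.risk_id}: mitigation chosen but no actions recorded")
    if e.status != "closed":
        if e.next_review is None:
            findings.append(f"{e.risk_id}: no review date set")
        elif e.next_review < today:
            findings.append(f"{e.risk_id}: review overdue since {e.next_review.isoformat()}")
    return findings


def audit_register(register: List[RiskEntry], today: date) -> List[str]:
    """Run check_entry over the whole register and collect every finding."""
    return [f for e in register for f in check_entry(e, today)]


# Constructed sample register; owners and dates are hypothetical.
TODAY = date(2026, 4, 27)
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Credential stuffing against customer portal", "A. Ortiz",
              "mitigate", "in-progress", date(2026, 7, 1), actions=["roll out MFA"]),
    RiskEntry("R-002", "Legacy printer VLAN cannot be patched", "B. Lee",
              "accept", "open", date(2026, 6, 1)),          # no approver recorded
    RiskEntry("R-003", "Unmanaged test VM reachable from internet", None,
              "reject", "open", None),                        # ignored, unowned, unscheduled
    RiskEntry("R-004", "Backup restore never tested", "C. Nwosu",
              "mitigate", "open", date(2026, 1, 15)),         # no actions, review overdue
]

if __name__ == "__main__":
    print(f"[{REGISTER_CLASSIFICATION}]")
    for finding in audit_register(SAMPLE_REGISTER, TODAY):
        print(finding)
```

Run against the sample rows, R-001 passes cleanly, R-002 is flagged for an undocumented acceptance, R-003 picks up three findings (no owner, an illegitimate "reject" response, no review date), and R-004 two (mitigation with no actions, overdue review). In a real GRC tool the same checks would be scheduled, and the output itself inherits the register's classification.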

What Are the Risk Maturity Models Tested on the CISSP Exam?

Risk maturity models assess how well an organization manages risk — not just whether controls exist, but how repeatable, measurable, and optimized those controls are.

| Model | Focus | Key Exam Point |
|---|---|---|
| CMMI (Capability Maturity Model Integration) | Process maturity across five levels: Initial → Managed → Defined → Quantitatively Managed → Optimizing | Level 3 (Defined) is the target for most organizations. Level 4 (Quantitatively Managed) requires metrics-driven management. |
| RMM (Risk Maturity Model) | Tiered risk management practice maturity, similar to CMMI but risk-specific | Focused specifically on risk management processes, not general process improvement. |
| ISO 31000 | Principles and guidelines for enterprise risk management | Framework for maturing risk management over time; applies across industries. |

Exam answer framing: When a question asks about maturity models, the answer is about how well risk is managed — not what the risks are. If the question involves measuring or improving risk management capability, maturity models are the correct domain.

Which Risk Frameworks Appear on the CISSP Exam?

| Framework | Purpose | Key Distinction |
|---|---|---|
| NIST SP 800-37 (RMF) | Risk Management Framework — assess, authorize, and monitor federal systems | Primary U.S. federal risk framework; integrates with NIST SP 800-53 controls. |
| ISO 27005 | Information security risk management | Risk-specific companion to ISO 27001. If you see 27001 on the exam, 27005 is its risk counterpart. |
| COBIT | IT governance and management framework (ISACA) | Governance-first. Risk management supports business alignment, not the other way around. |
| SABSA (Sherwood Applied Business Security Architecture) | Enterprise security architecture driven by business risk | Risk is embedded into every architectural layer. Choose SABSA when the question involves architecture AND business-driven risk decisions. |
| PCI DSS | Payment card security standard | Compliance-driven; contractual (not government-mandated). Non-compliance = loss of card processing privileges. Built on 12 core requirements. |

Framework disambiguation tip: COBIT = governance first. SABSA = architecture + business risk. ISO 27005 = risk companion to 27001. NIST RMF = federal systems authorization. These distinctions drive exam answer choices.

How Does Autonomous AI Change the Operational Risk Landscape for CISOs?

The emergence of AI systems capable of autonomously chaining multiple vulnerabilities, generating custom exploits, and launching attacks without human intervention represents a qualitative shift in the threat environment. Current SIEM (Security Information and Event Management) and EDR (Endpoint Detection and Response) tools are calibrated to detect human behavioral patterns — not AI-speed attack sequences.

The operational implication for risk management is direct: threat models built on historical human attacker behavior must be reassessed. Risk registers need updating. Countermeasure cost-benefit analyses that assumed a certain threat frequency (ARO) may now be significantly underestimating the annualized loss expectancy.

The recommended response framework: deploy Zero Trust Architecture (ZTA) to eliminate implicit trust assumptions; harden external-facing assets immediately; and integrate AI-assisted defensive tools — while ensuring those tools themselves are governed by the same risk management discipline applied to any other critical system.

For the exam and for practice: Zero Trust is increasingly referenced across CISSP domains as the architectural response to modern threats. Understand it as a design philosophy (never trust, always verify) not a single product or technology.

Key Exam Takeaways

  • ALE = SLE × ARO. Memorize the full formula chain: AV × EF = SLE; SLE × ARO = ALE. Residual Risk = Total Risk − Controls Gap.
  • Risk appetite, tolerance, and capacity are distinct terms. Appetite = total org-wide willingness; tolerance = per-asset acceptable variation; capacity = maximum absorbable risk. Never set these without business leadership input.
  • There are six risk responses: mitigation, transfer/assignment, deterrence, avoidance, acceptance, and rejection. Cyber insurance is the primary example of transfer on the 2024 exam outline.
  • Security controls have three categories (technical, administrative, physical) and six functional types (preventative, detective, corrective, deterrent, recovery, compensating). Know both axes.
  • Risk maturity models measure how well you manage risk — not what your risks are. CMMI Level 3 (Defined) is the standard organizational target.
  • Framework disambiguation: COBIT = governance; SABSA = architecture + business risk; ISO 27005 = risk companion to 27001; NIST RMF = federal authorization; PCI DSS = contractual card industry compliance.
  • A risk register must be access-controlled. It is a high-value target — a comprehensive list of your organization's known vulnerabilities and gaps.

Frequently Asked Questions

What is the difference between quantitative and qualitative risk analysis on the CISSP exam?

Quantitative risk analysis assigns real dollar values using formulas (ALE, SLE, ARO) to produce numeric risk estimates. Qualitative analysis uses subjective scales — high, medium, low — and doesn't require dollar amounts. Quantitative is more objective and defensible; qualitative is faster and appropriate when hard data isn't available. Both are valid; the exam may ask you to identify which method fits a given scenario.

What is residual risk and how is it different from total risk?

Total risk is the risk that exists before any controls are applied: Threats × Vulnerabilities × Asset Value. Residual risk is what remains after controls are in place: Total Risk minus the Controls Gap. Residual risk is never zero — there is always some level of remaining risk that must be accepted, transferred, or further mitigated. The goal of risk management is to reduce residual risk to within the organization's accepted risk tolerance.

When should I choose risk acceptance versus risk mitigation on the CISSP exam?

Choose mitigation when the annual cost of the control is less than the ALE — you're spending less than you stand to lose. Choose acceptance when mitigation cost exceeds ALE — it's cheaper to absorb the occasional loss than to pay for continuous protection. Acceptance must always be documented, formally approved by leadership, and revisited periodically. Rejection (undocumented ignoring of risk) is never an acceptable answer.

What is the difference between COBIT and SABSA for the CISSP exam?

COBIT (developed by ISACA) is a governance-first framework — it aligns IT with business goals and treats risk management as a tool for supporting business objectives. SABSA (Sherwood Applied Business Security Architecture) is an enterprise security architecture framework where business risk is embedded into every architectural layer. If a CISSP question involves IT governance and alignment, think COBIT. If it involves security architecture design driven by business risk at every tier, think SABSA.

Is PCI DSS a government regulation or an industry standard on the CISSP exam?

PCI DSS is a contractual industry standard, not a government mandate. It is enforced by the payment card brands (Visa, Mastercard, etc.) — organizations that process card payments are contractually required to comply or lose the ability to accept cards. This distinction matters on the exam: PCI DSS is compliance-driven by industry contract, while frameworks like FISMA and NIST RMF are government-mandated for federal systems.

Ready to Master Every CISSP Domain?

Head to CISSPCyberTraining.com for free CISSP practice questions, domain-by-domain study guides, and a full 250-question final practice exam. Whether you need foundational content, a targeted question bank, or full coaching support, CISSP Cyber Training has a tier for where you are in your journey. Already certified? The platform also tracks CPE credits — so the CISSP you worked hard to earn stays active.


TRANSCRIPT

SPEAKER_01  

Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be talking about areas related to the CISSP exam for risk management and the various concepts associated with it. But before we get into that, had a quick article I wanted to go into and describe and just show you a little bit about that and just kind of get your all of your opinion on it. Because, yeah, I'm a little worried, and uh I think the end of the world is about ready to hit us. Just kidding. But it could be, never know. But let's get into what we're gonna talk about today. Okay, so this is one article that I saw of many that are out there. And this is Anthropic's Mythos AI can spot weaknesses in almost every computer on Earth. Yeah, and then they add a little uh uh-oh. Yeah, well, it's not gonna be a little bit more than an uh oh. So this is from CBS News. Now, I will be honest, I was I I've heard of Mythos and I'd heard of what some of the things that were going on with the Gentec, and so I wanted to do a little bit deeper dive into it myself and just kind of understand what is the concern that these folks have. Now, we all knew that AI was going to be coming quickly, and we all knew from a cybersecurity standpoint it is a double-edged sword, right? It's one of those things that it's a tool. So, like a hammer, a tool, this hammer could be used for good, right? It can help you build a house, pull out nails, you know, just knock stones into place, those types of things. But however, a hammer can also be used as a weapon, right? And we know that that can be do terrible things to people and to objects. And now we're kind of in that spot with Mythos. And yeah, I'm just a little bit interesting to see how this plays out. Now, coming from my background as a cybersecurity professional and as a red teamer, um, I was a hacker for many years, and doing that was extremely challenging in many ways. 
And one of the things that was challenging is the fact that I had to go find exploits, I had to be able to manipulate things, I had to do different aspects that took a lot of time. And now, fast forward 20 plus years, things have changed substantially. And if you look at how things have changed just in the past, let's say three years, it is incredible. So, what is exactly going on with Mythos? So obviously it's Anthropic's, or should say Claude's, most powerful AI model ever built. And it is a different step change based on what they've done in their other systems. Now, I use Claude quite a bit, it's very, very helpful in many different ways. However, it's one of those things that I'm sure I am only just scratching the surface of what I am asking it to do. Now, it's not designed as a hacking tool, this new model, it's a general purpose model that's turned out to be incredibly easy or incredibly available to find vulnerabilities within various computer systems. Um, it's already discovered thousands of zero days across major OS and web browsers to include bugs that are 17 to 27 years old and were never caught by humans. So they've it's finding these areas, and we've heard little tidbits about that in the news. Now, the interesting part in all this is that they're holding back on Mythos right now at this moment. And this is the first time since uh GPT-2 came out in 2019 where a company is actually holding back on the release of a model. Now, they had a project called Project Glasswing, and this is set up for Amazon, Apple, Cisco, many others that are involved in this. Um, they're designed to have them walk through Mythos themselves and see how this is going to impact their organizations. Now, Anthropic has also committed $100 million in usage credits to help those partners to harden their defenses before they actually release Mythos out. Now, there hasn't been a public release date for Mythos. Um, so it's gonna be interesting and what's how this is all going to play out. 
Uh it now, I I'll be just totally blunt. I did not understand how spectacular this could be for hackers. Uh one of the pieces is that it can autonomously can put together three to four different vulnerabilities. It can put these things together, it can create an exploit, and it can launch that without any human intervention. Yeah, that's pretty scary, um, honestly. We the one thing that we did is it took forever to do an exploit. And if you found an exploit, it was like manipulating all these little nuances to maybe make that happen. Now you have the ability for this exploit to be created by a robot without any human interaction. So if you are a cybersecurity hacker and you are a gun for hire, you are just in a situation where you could make a lot of money. And this is not good. So, why is this also not good? Well, most companies have SIEMs and they have EDR tools that are in place, right? So you have your SIEM as your main brain, you have your EDR tools, the endpoints, all of these things working in hand in hand to thwart the attackers that are coming in. Well, now what's gonna happen is these are designed on human behavior patterns. They're not designed on AI behavior patterns. AI behavior patterns are click, it's done. Humans are like click, let me think about it, get a cup of coffee, click, right? It's very different, very, very different. So, what's going to happen with this? Well, I'll be blunt. The cybersecurity companies are gonna have to make some serious changes with this. They're gonna have to decide on how their equipment is going to properly manage this AI threat and how they're going to work with it. And there's this is there's a lot of different nuances to it. Now, the attackers are gonna be able to do custom exploits, they're gonna have autonomous uh attack generator agents that can do this, they're gonna have highly personalized spear phishing, all of these things are going to be in play now. So, what's what has this done? 
Now, I will tell you right now, when I saw the news article related to the Treasury Secretary getting with some of the Fed chairs and some of the CEOs of the big banks, I knew we had a problem. They don't normally do this, especially to talk about something related to IT. So, this is being treated right now by these folks as a near-term systematic financial and national security threat. This is not hypothetical. So what do we do in this situation, right? So the bottom line is this you need to deploy zero trust architecture. Two, you need to consider how you are going to use AI in the defense of your company. I'm I'll be very honest, that's that's a bit scary, right? So you're gonna deploy something that could be used in a way that could be used to protect your company, but you're relying on how, okay? That's that you everybody knows that nuance. You're relying on how to protect your company and the world as we see it. So um, yeah, I would probably recommend getting maybe some of those uh free MREs or those how to have cans of food that are gonna last 2,000 years in your basement, uh, because you know, hey, the end of the world could be occurring, could be seeing Jesus. We don't know. A lot of different things could happen here soon. Or it could be like Y2K and nothing really comes of it. So you just never really know. The point of it is that I'd say in the next 12 to 18 months, some drastic changes are gonna need to occur within your organization. You're gonna need to really migrate towards a zero trust architecture. You're gonna really have to ensure that your anything externally facing is tied down tight, and you're going to then just kind of hang on and see what's going to happen. Uh, cybersecurity professionals, you are going to be looked at as a key person or persons within your organization to help protect your organization and its and its assets. 
So you, as a cybersecurity professional, need to get smart on all of this stuff and then come back with some recommendations to protect the company. You are gonna be part of the business discussions. You need if you're not, you need to inject yourself in there because you you're gonna be whether they like it or not. So a great thing, again, though, you better get smart on it, you better understand it, and plan to do some studying over the next couple months to get smart on how this is going to all play out. So, again, not trying to be doom and gloom, but yeah, a little bit of doom and gloom. Let's just get ready to ride this little pony and see where it takes us. Okay, let's get talk into what we're gonna talk about today. Okay, so this is part of domain one, 1.10, understanding applying risk management concepts. This is part of the ISC Squared CISSP exam prep that we have at CISSP Cyber Training. Head on over there and check it out. Got some great things that are there that are free and available to you, as well as some more tailored, nuanced areas that can help you with your CISSP training. Got some interesting announcements coming soon. Stay tuned. It's gonna be great. I think you're all gonna enjoy it, and it's gonna be a great option for you. Again, CISSP Cyber Training, lots of great stuff. Go check it out. It's awesome, right? CISSPCyberTraining.com. Okay, so domain one, 1.10, understanding and applying risk management concepts and how does this work? So managing risk, it's an important part of any network. And as we just talked about with Anthropic and how it does its business, right? That's a risk that you're gonna have to worry about for your network. Now, you cannot protect the organization from everything, and you're gonna have to go into this with the attitude that, you know, we're gonna do our best to protect the organization, but some things just may get pwned. 
They just may, and you're gonna have to come up with a solution on how to deal with that. You need to determine an acceptable level of risk for your organization. Now, I'm saying you. It's not you, it's it's you with some people. You're gonna have to be with the business leaders of your organization to determine the level of risk that is important to them and you. Because this isn't something that the geek in the corner is gonna come up with. And I'm just being very transparent. I've had people come to me saying, What's our risk? I'm like, I have no idea how your business runs. So if I don't know how your business runs, you're the best person to tell risk. So this is a joint working effort between the two of us to come up with and determine what is the acceptable level of risk for you and your company. It's not all computer based. Now, this isn't something that you're going to go and say, well, let's put this into some formulas in our Excel spreadsheet and see what it comes up with. That that's a great way to get started, but that is not what's going to tell you exactly what is your level of risk. Now, there's a book I'm gonna recommend that's actually really good on how to measure risk, but in reality, you're gonna have to use that, but you're also gonna be doing a little bit of the thumb in the wind based on your knowledge and your expertise. Now, the risk terminology, I'm not gonna get into all of it because it can be very vast and quite complex. And you but you need to focus on the basics, especially for the CISSP exam. Do not get wrapped up into the weeds too much, right? You're gonna have to know some of the weed stuff, but not too much. And just look at this from a bigger picture. The understanding of the concepts, the formulas, but know the bigger picture when you're analyzing and not dealing with risk. Okay, so so here are some key terms that we're gonna go over. 
Now, these are not all the terms, but there's some that you can, as you start listening and you start seeing some of these CISSP exams, especially from some of the CISSP practice tests that I have out there, some of the practice exams that I have out there, you're gonna want to understand some of these key terms. One is asset. This is anything within your organization to be protected. That is an asset. Asset valuation, obviously it's a dollar value assigned to that specific asset. Threats, these are potentially that are uh occurrences against the asset, right? So this is something that could be attacking it. And if whether it's a zero day, whether it's somebody doing something to it, it could also be a threat that you have a stray backhoe that takes out your overall organization's network. Vulnerability, weakness with the asset. Exposure, this is assets that are being exposed to the threat. That's your overall exposure. Risk, this is the possibility or likelihood that a threat is exploiting the weakness. So again, the risk is is somebody actually attacking it? Could somebody actually attack it? Safeguards, these are the countermeasures that you are putting in place. When I was flying airplanes, countermeasures we had was electronic jamming, flares, chaff, all of those things were countermeasures against missiles trying to come after us. Attack, this is exploiting the vulnerability, and then breach. This is a security mechanism that has been bypassed. Now, I will tell you that some of these terms can be a little squishy, squeesy. The reason is is breach, right? So breach is one of those terms that many people, I try to stay away from. I say that if it's probably the system mechanism has been compromised. But the reason I say breach, breach can be looked at in various reporting consequences and different connotations. So I would use that word a little bit lighter than I would use something else. 
Again, my personal opinion; you are gonna have to decide what's best for you and your company. Now, there's various types of security control categories. We have technical, administrative, and physical. Your technical is your hardware, your software, all of these that are put in place to manage the access and the different types of controls. So you may put in software that's set up to manage these aspects. That would be a technical control. Your administrative controls are your policies, procedures, processes, all of these that are defined within your organization to understand and basically put these aspects in place to protect your company's plan. So if you have an acceptable use policy, that would be a control that would be put in place. You have a security awareness policy that would be used to help educate people through security awareness training. All of these are administrative pieces. You then have the physical barriers. These are the barriers to control access. Do you have mantraps in place to get access into the building? Do you have CAC cards or ID cards to get you onto the system? Do you have some sort of biometrics to limit the access of people to a computer? All of those are your technical, administrative, and physical types of controls that are in place. Now, again, these are just a basic generality, but you kind of get the concept of what we're bringing forward here. So identifying threats and vulnerabilities, here's some key concepts around this. You need to understand the core concepts of risk management. And the key piece of this is understanding the threats and vulnerabilities to your organization. So as an example, if you are a chemical manufacturing business, which is what I was a CISO for: was I concerned about financial threats against my company? Yes and no.
The financial risk was more of BECs, you know, business email compromises, or people trying to fund or wire money to unknown people. Those are more of the financial aspects. However, some of the financial aspects that hit the big companies, such as the M&T Banks, the Chase Manhattans, the JP Morgans, all of these are a different threat than to my chemical manufacturing company. Now, are they just as valid? Oh yes, most definitely. But am I as concerned with something that is targeting banks versus targeting my manufacturing and chemical facilities? Not so much. I need to be aware of them, but not necessarily be as concerned about them. If I know, though, that some groups are focused specifically on stealing intellectual property, then that would be something that would be more of a threat to me and my organization. Also, understanding the vulnerabilities within my company. Do I have front-facing websites that are potentially vulnerable? Or in the case of chemical manufacturing, I really don't have much of that. So my bigger concern is the process control environment. So again, these are key concepts you need to understand between threats and vulnerabilities. Now, a threat is a natural or man-made situation that can have an adverse impact on an asset. It could be somebody that's coming after you, or you could have the stray backhoe that takes out your fiber line, or you could have a tornado that comes in and levels all the buildings. All of those aspects could be a threat. And in the case of what happened at Oracle's and Amazon's data centers in Dubai, you got missiles. So that's a threat. The vulnerability is the absence or weakness of a safeguard to an asset, potentially making it more likely to occur. Yes, so if you don't have missiles to shoot down other missiles, then you have a vulnerability, right? That would be bad.
But if you have some way to protect yourself, you know, you have the Dome of Power or the, I think it's David's Sling, or any of those that are available to protect you from incoming missiles, well, then that's a positive thing. Now, does that mean it's gonna stop all the missiles coming in? No, it does not. A few are still gonna get through, and we know that that occurred. But bottom line is that's the vulnerability. That's the absence or weakness of a safeguard to an asset, potentially making it more likely to occur. Now, risk assessments and analysis. I'm gonna get into some different types of risk here, and let's kind of go through some of those. So risk assessments, these are designed to evaluate risk based on a threat. So we're gonna talk about quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset. So this is when it comes right down to it, as you go, all right, quantitative, it's a quantity, it's a number. So if you have a hard time remembering it, just think of quantity. Quantity, number. Qualitative is you're putting some sort of subjective and tangible values to it, but it's more of a qualified review of it. So think of it kind of that way. So quantitative risk analysis, when you're dealing with real dollars, there's some key terms that help you come to an understanding of what these real dollars are. So there's a formula that you're gonna be talking through, you'll be seeing it on the CISSP exam, and it's gonna be dealing with SLEs and AROs. So your asset value, AV, that's your overall, that's the asset value of what you have. Is it a million dollars, two million dollars, $10, whatever that value is? This is what you've assigned to it. Your exposure factor, this is how much you feel that you're exposed to this.
It's usually in percentage terms, and what you're dealing with is: is it once every five years, is it once every 10 years? It depends upon how this is going to happen. Your single loss expectancy, SLE, is your asset value times your exposure factor. Now you're gonna focus also on the annualized rate of occurrence. I know I'm getting into this, and you're going, oh my gosh, I'm gonna fall asleep. Yeah, you will, unfortunately. So if you're driving into work, please just go through, put me on chipmunk voice to make sure that you can actually hear what I'm saying. But annualized rate of occurrence, this is your ARO, and this is something you're gonna have to determine: how often does this occur? Then your annualized loss expectancy, your ALE, this is where you get your SLE, your single loss expectancy, times your ARO, your annualized rate of occurrence. So all of those are the different pieces that are gonna come into your annualized loss expectancy. Now to figure out total risk, you're going to figure out threats times vulnerabilities times asset value. And then your residual risk is gonna equal your total risk minus your control gap. And then there's formulas that go through all of this, but I'm saying this very quickly because I know the fact is that you're gonna need to study this for the CISSP exam. Focus on these key things. I would actually recommend you go out, go to Claude and say, hey, help me understand asset value, exposure factor, all of those pieces, and have it walk you through it. You can also reach out to me at CISSP Cyber Training, and we can go through some of these values as well. And the point of it is you need to understand each of these pieces. Now, what I want to come back to, from living this life as a former CISO and kind of going through risk myself: you're going, these are all subjective aspects. You are going to have to come up with a plan, quantify the values that you're coming up with.
You're gonna want to bounce these values off of your business leaders. Again, you cannot build this in a vacuum. You are a cyber guy or gal. That's your position. That does not make you the expert on all these things. Now, you may be, I mean, there's probably a unicorn out there that is the expert, but in most cases, you are not the expert on all these areas. So you need to pull in business resources to help you really truly dial in what your overall risk is. Do not make assumptions without having counsel from somebody outside of yourself. I'm trying to beat that drum because the point of it is so often people go and say, well, this is what it is, this is what it is. Great, I got this great number. Well, that number might be off by plus or minus 50 to 75%. So then it's really not a good number, it's more of a junk number. It may point you in the right direction, but it's not as useful as you would like it to be. Qualitative risk analysis, this assigns subjective and intangible values to it. So it's not nearly as precise. Now, I want to avoid precision. You really truly want to avoid precision. So, as an example, let's say on the quantitative side you say we will have an annual loss expectancy of $1.2675 million per year based on the recurrence of each of these situations. That's too precise, way too precise. And I guarantee you are wrong because it's not anywhere close to that. So you need to be in a situation where you don't try to be so precise that you are actually missing the forest because you're focused on a tree. So again, just focus on how to make this look directionally correct and make sure that it passes the sniff test, that it makes actual sense. Quantitative risk analysis is more commonly used just because of the fact that it's a number and people can glom onto a number, and it's not nearly as subjective as the qualitative. But there is actually a time and place for qualitative.
There's a book out there, How to Measure Anything in Cybersecurity. I need to actually do a podcast on some of that. There's some really good things in there on how to measure metrics related to cybersecurity. So something to put in your library is that book. The author, I think, has got a new edition out now. The one I got was back in 2016, which was really, really good. It was very helpful. I go to that every once in a while. So, risk response. Some key concepts around this. This involves evaluating countermeasures and safeguards and security controls. You need to utilize a cost-benefit analysis, CBA, and adjust your findings based on various other conditions. Again, these other conditions are you going out and talking to other people. If you have incidents that occur, taking the findings from incidents, using those numbers as something a little bit more granular that you can then feed into your process to understand what gaps you have. These all depend on the company's risk appetite and/or tolerance. Again, do not make assumptions in this space. I repeat, do not make assumptions about risk appetite or tolerance. They're very different. And you also need to talk to the right person. So if you talk to the CEO and you talk to maybe the COO and the CIO, that's a lot of C's, they all may have a different idea, but you need to get them all together saying, is this what you all believe? Your risk appetite, this is the total amount of risk an organization is willing to accept across all assets. Risk capacity is the amount of risk an organization is willing to bear. So your company may be willing to accept more risk than you can take on, such as financial assets. Let's just say, for an example, I used to work for Koch Industries. Koch Industries, amazing, monster company, billions in assets, billion-dollar company, you know, super rich people. Very nice people, but super rich.
So the thing is, though, they self-insured. Why? Well, because they didn't want to go spend money on an insurance company to cover their assets. They kept enough money in the bank to self-insure. I would love to be there. I really truly would. It'd be awesome to be self-insured, but that's for the very few people that are at the top of the pinnacle. But your company may have to determine that. Now there might be times, though, when as a company, even though you have the ability to be self-insured, you actually have to take on insurance, normal insurance, because it might be mandated based on the contract that you have. They may not allow self-insurance. They may say, no, you're gonna have an insurance policy in place because we don't trust you. I don't know. There might be a reason why, but they do that. Risk tolerance is the amount of risk an organization will accept per individual asset, such as a manufacturing line that needs to be operational and cannot go down or the machinery breaks. So this is a risk that you'll accept per specific device. So, as an example, in the manufacturing space you have a motor that's running all the time. You will not turn that sucker off. You're not. You'll have one as a spare. Now, when the system goes down for routine maintenance and another line is up and running, then you'll swap them out. So you need to understand what your risk tolerance is. That piece of equipment cannot go down, ever. Or if it does, that's bad juju. So you're just gonna have to figure out what is best for you and your company. And these are key terms that you're gonna want to discuss and listen for when you are chatting with your senior leaders. Now there's various responses to risks that can occur, and we're gonna kind of walk through each of these. One, risk mitigation or reduction.
This is the implementation of safeguards, controls, or countermeasures to reduce and/or eliminate vulnerabilities or threats. Assignment or transfer, this is placing the responsibility for the loss onto another entity. Deterrence, this is implementing deterrents to stop inappropriate activities and/or convincing them not to attack you. Okay, I'm gonna have lots of weapons, so if you attack me, I will attack you back, right? That's deterrence. Avoidance, this is selecting alternative approaches or options that have less associated risk. Back to deterrence. The Maginot Line. That was not deterrence, especially when you can fly over it and drop people behind it. Yeah, sorry. That was a way to digress, but they thought it was a great deterrent thing, the Maginot Line. Yeah, Google it or Claude it, or whatever you want to do with it, if you don't know what that is. Acceptance. This is a result of CBA, your cost-benefit analysis, and shows countermeasure costs that outweigh the possible cost of loss. Reject or ignore, it is really unacceptable to ignore or reject risk, but it is a potential option. I would say there are times when you would ignore that risk, but I can't really think of one. I'm sure someone could ignore it. All I can tell you is that you'd better document why you ignored it and have good reasoning behind it, because if you just ignored it, there could be a situation where it comes back to bite you. Yeah, so it's not a good idea. So, an exam note: the 2024 exam outline explicitly calls out cybersecurity insurance as an example of risk response and treatment. Cybersecurity insurance is becoming a mandatory thing, especially in the financial industry. You have to have some level of cyber insurance.
I fully expect that when they make these updates to the exam this year, in '25 or '26, that it's still going to be the same, if not more emphasis will be put on cybersecurity insurance, just because of the fact that it's a great way for you to transfer risk to your company, or I should say transfer risk from your company. Countermeasures and different security controls. So the cost of a countermeasure needs to be less than the cost of an asset. So if your asset costs a million dollars and your countermeasure costs $1.5 million, is that really worth it? You just gotta kind of ask it. Now, maybe there is a situation, maybe that $1.5 million protects it completely, and now that $1 million asset can just be making money hand over fist for the next 30 years. Okay, well then maybe that's worth it. You're just gonna have to decide, but in most cases the cost of the countermeasure must be less than the cost of the asset. Countermeasures should be tamper-proof, which means the Anthropics or any of these people cannot touch them. It doesn't make any sort of changes to it. They have to be tamper-proof. They should be testable and verifiable. You should be able to test this, make sure that the countermeasure that you've put in is testable and you can actually verify that. Provide consistent and uniform protection across the landscape. You provide fail-safe and fail-secure options. So a fail-safe option, or a fail-secure option in more of a tight format. So again, you need to understand the different security controls and what is best for you and your company. But these are some key ideas and concepts you need to go through in your mind as you're deploying some sort of countermeasures. You have different types of controls, and achieving complete control can be done through various means. So you have preventive, this is designed to reduce the risk through prevention.
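The formulas walked through above (AV, EF, SLE, ARO, ALE, total and residual risk) and the cost-benefit test for a countermeasure, worked in Python as an added example; this is not the host's material, and the asset values, exposure factors, safeguard costs and the 30-year amortization are constructed for illustration.

```python
"""Quantitative risk arithmetic from the episode (AV, EF, SLE, ARO, ALE,
total vs. residual risk) plus the cost-benefit check for a countermeasure.
Added example for this post, not the host's own material; every dollar
figure below is constructed."""
from dataclasses import dataclass
from math import floor, log10


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset, valued in dollars."""
    name: str
    asset_value: float      # AV: the dollar value assigned to the asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: occurrences per year (0.2 = once in 5 years)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and its effect on the scenario it protects against."""
    name: str
    annual_cost: float          # purchase + upkeep, spread over a year
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place


def ale_after(scenario: Scenario, guard: Safeguard) -> float:
    """ALE of the same scenario with the safeguard applied."""
    protected = Scenario(scenario.name, scenario.asset_value,
                         guard.new_exposure_factor, guard.new_aro)
    return protected.ale()


def safeguard_value(scenario: Scenario, guard: Safeguard) -> float:
    """Cost-benefit (CBA): (ALE before - ALE after) - annual safeguard cost.
    Positive means the control pays for itself; negative means accept,
    transfer, or look for a cheaper control."""
    return scenario.ale() - ale_after(scenario, guard) - guard.annual_cost


def total_risk(threat: float, vulnerability: float, asset_value: float) -> float:
    """Total risk = threats * vulnerabilities * asset value.
    Assumption in this example: threat and vulnerability are 0..1 factors."""
    return threat * vulnerability * asset_value


def residual_risk(total: float, controls_gap: float) -> float:
    """Residual risk = total risk - controls gap (the risk the controls remove)."""
    return total - controls_gap


def round_sig(value: float, sig: int = 2) -> float:
    """Strip fake precision: keep `sig` significant figures, so the
    episode's $1,267,500 becomes $1,300,000."""
    if value == 0:
        return 0.0
    return round(value, -int(floor(log10(abs(value)))) + (sig - 1))


def directional_range(value: float, uncertainty: float = 0.5) -> tuple:
    """Report an estimate as a band (default +/-50%) instead of a point."""
    return (round_sig(value * (1 - uncertainty)),
            round_sig(value * (1 + uncertainty)))


def cba_report(scenario: Scenario, guard: Safeguard) -> str:
    """One-line, directionally-correct summary for the business owner."""
    low, high = directional_range(scenario.ale())
    verdict = "worth it" if safeguard_value(scenario, guard) > 0 else "not worth it"
    return (f"{scenario.name}: ALE roughly ${low:,.0f}-${high:,.0f}/yr; "
            f"{guard.name} at ${guard.annual_cost:,.0f}/yr is {verdict}")


if __name__ == "__main__":
    # Constructed figures: a $1M process-control historian, a ransomware
    # event that destroys a quarter of its value, expected once in two years.
    historian = Scenario("ransomware on plant historian", 1_000_000, 0.25, 0.5)
    backups = Safeguard("offline backups + segmentation", 40_000, 0.25, 0.1)
    print(cba_report(historian, backups))
    # The episode's $1.5M countermeasure for a $1M asset: amortized over the
    # 30 years the asset keeps earning, it is $50k/yr and may still pay off.
    big_fence = Safeguard("full hardening program", 1_500_000 / 30, 0.05, 0.1)
    print(cba_report(historian, big_fence))
```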
Detective, this is reduction in risk through identifying violations or incidents, different vulnerabilities; you're defining that, you're detecting it. Corrective is that you're remediating the violations and incidents while improving the preventive and detective controls. So again, you're finding an issue, you're dealing with it, you're addressing it, and then you're implementing different changes to help make it even better. Deterrent, this is created to discourage violations. So do you have a deterrent in place? I'm doing monitoring, maybe data loss prevention monitoring, and I've got flags that pop up when people do things they shouldn't do. Recovery, this is for restoring systems and the associated information, and then compensating, this provides alternate ways of achieving various tasks. So these are the different types of controls that you can have in place. Compensating controls are ones that people use a lot. And this is the one that provides alternate ways for achieving the tasks that you want to accomplish. But all of these are different types of controls you can determine to put in place within your company to ensure that you are in a better cybersecurity posture. Now, this is something that as a security professional you are gonna do a lot of in the future: security control assessments. Sometimes they get mislabeled as audits. You may say, I'm gonna do an audit internally. A lot of times people say the audit word because it carries a little bit more oomph behind it, but realistically, it's an assessment. So a security control assessment is something you will do, and it's an evaluation of the security infrastructure that's designed to determine what it can protect and what it cannot. So examples of this would be penetration tests and security assessments.
It could be a security assessment both from a paper-driven perspective, and it could be a technical one, somebody using some sort of equipment to perform a security assessment as well. This may confirm that the security mechanism is acceptable or needs additional controls. These are good ways to help you understand: do you have what you need in place? The paper-driven ones are good to say, checkbox, yep, got it, got it. Ooh, I've got a gap there. Let me look at that. The ones when you're doing pen tests, where you actually have your systems in place and people are actually trying to ping it, those are even better in the fact that they will look at that point in time and your security controls. But realistically, both of them work hand in hand. Assessments should consider if the control affects privacy. Some controls may increase privacy, while others may actually cause a privacy challenge, right? A privacy event. I'd like to also avoid, we talked about the term breach. Another one I like to avoid is incident. Security control assessments are typically implemented by US federal agencies using NIST SP 800-53. Now, that said, when you're dealing with CMMC and you're dealing with various aspects related to the overall understanding of the regulations behind it, they will typically implement those kinds of security assessments. But you can use that as your own security assessment within your company as well. Monitoring and measurement. So controls should be able to be monitored and measured, and they must be able to quantify and measure what you're specifically looking for. This is not a perfect science, but finding areas to measure is an important part. Administrative accounts are a good example. Do you have admin accounts? Do you have local admin? Do you have network and super admin? What kind of accounts do you have in place? All very important pieces to this plan.
You just need to kind of consider how you want to measure and what you want to monitor. Now, reporting. Risk visibility and reporting techniques are in place to ensure risk management processes are clearly defined. A core tool in maintaining ongoing visibility into risks is a risk register. So you're probably asking, what is a risk register? Now, this is a centralized document. Many times you can have a document, a spreadsheet, which I've used for many years, or you could actually have a piece of software that you use for this. This tracks information about the nature and status of each specific risk you may have within your company. It may be used on an organization-wide basis. It can track individual risks for a single project or for a subject domain. It is a great place; you keep everything in here on the different risks within your company. I will tell you, though, it's an important thing for you to keep protected, because when you put stuff in here as a risk register, you're basically highlighting to the world that you have a problem in X, Y, and Z. And if a bad person decides to get that, they could make your life very painful because of what you have provided them. Now, again, that's something you're gonna have to consider when you put stuff down on paper. But most large organizations, and most organizations that have some sort of cyber component to them, will need a risk register of some form or format. It's also known as a risk log and will vary by business and organization. So, like I say, if you're in the financial industry, a lot of times they have a software-driven solution. You might be in a situation where you just have a spreadsheet and everything is just loaded on a spreadsheet, and you go back and you monitor that on a routine basis. I looked at our risk register probably about once a quarter and then added new systems to it as each of the quarters went by and as new systems were being put online. Continuous improvement.
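A small risk register of the kind described above, with the risk responses from earlier in the episode and the rule that an ignored or rejected risk must carry a documented reason, as an added example rather than the host's own spreadsheet; the entries, the 1-5 likelihood/impact scale and the 90-day review interval are constructed.

```python
"""A minimal risk register (risk log): one row per risk with its nature,
owner, chosen response and status, reviewed on a routine (quarterly) basis.
Added example, not the host's spreadsheet; entries are constructed and the
qualitative 1-5 likelihood x impact scale is an assumption of this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Risk responses as the episode lists them.
RESPONSES = {"mitigate", "transfer", "deter", "avoid", "accept", "reject"}


@dataclass
class RiskEntry:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int          # 1 (rare) .. 5 (expected)
    impact: int              # 1 (negligible) .. 5 (plant down)
    response: str            # one of RESPONSES
    justification: str = ""  # required when response is "reject"
    status: str = "open"     # open | treated | closed
    last_reviewed: date = field(default_factory=date.today)

    def score(self) -> int:
        """Qualitative score used only to rank rows, not a dollar figure."""
        return self.likelihood * self.impact


class RiskRegister:
    def __init__(self) -> None:
        self._rows: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        """Validate a row before it lands in the register."""
        if entry.response not in RESPONSES:
            raise ValueError(f"{entry.risk_id}: unknown response {entry.response!r}")
        if entry.response == "reject" and not entry.justification.strip():
            # Per the episode: if you ignore a risk, document why.
            raise ValueError(f"{entry.risk_id}: rejecting a risk needs a documented reason")
        if not (1 <= entry.likelihood <= 5 and 1 <= entry.impact <= 5):
            raise ValueError(f"{entry.risk_id}: ratings must be 1..5")
        if entry.risk_id in self._rows:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._rows[entry.risk_id] = entry

    def open_by_priority(self) -> List[RiskEntry]:
        """Open and treated risks, highest score first (ties by id)."""
        return sorted((r for r in self._rows.values() if r.status != "closed"),
                      key=lambda r: (-r.score(), r.risk_id))

    def overdue(self, today: date, every_days: int = 90) -> List[str]:
        """Ids of non-closed risks not looked at within the review interval."""
        cutoff = today - timedelta(days=every_days)
        return [r.risk_id for r in self._rows.values()
                if r.status != "closed" and r.last_reviewed < cutoff]

    def review(self, risk_id: str, today: date, status: Optional[str] = None) -> None:
        """Record a review, optionally moving the row to a new status."""
        row = self._rows[risk_id]
        row.last_reviewed = today
        if status:
            row.status = status


def build_sample_register() -> RiskRegister:
    """Constructed rows for a chemical-manufacturing shop like the episode's."""
    reg = RiskRegister()
    reg.add(RiskEntry("R-001", "process control network", "ransomware via IT/OT bridge",
                      "flat network, no segmentation", "OT lead", 3, 5, "mitigate",
                      last_reviewed=date(2026, 1, 10)))
    reg.add(RiskEntry("R-002", "finance mailbox", "business email compromise",
                      "no callback on payment-detail changes", "CFO", 4, 3, "transfer",
                      last_reviewed=date(2026, 4, 1)))
    reg.add(RiskEntry("R-003", "marketing website", "defacement",
                      "stale CMS plugin", "web lead", 2, 1, "accept",
                      last_reviewed=date(2026, 4, 1)))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for row in register.open_by_priority():
        print(f"{row.risk_id} score={row.score():2d} {row.response:9s} {row.asset}")
    print("overdue for quarterly review:", register.overdue(date(2026, 4, 27)))
```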
All right, so we're getting close to getting through this. This is a long one, right? So risk assessments need to be accomplished on a continuous basis, which leads to continuous improvement. Security tools and providers need to provide new technologies, which lead to some sort of continuous improvement and getting systems up. We talked about all the aspects that are coming with AI. These systems are gonna have to improve on a routine basis. This should be an objective with all the various security programs you have within your company. Then there are risk maturity models. These risk models provide a structured way to assess how well your organization manages risk. So your company is gonna have to assess itself based on these various maturity models. And we're gonna get into a couple of those here in just a little bit. This is also not just whether the controls exist, but how repeatable, measurable, and optimized these risk controls are. This is how you're gonna get, if you're in the financial industry, you're gonna get audited based on this information. And they're going to want to see what you have done to ensure that you've got these areas covered. So one of the most referenced models within the CISSP is CMMI, which is your Capability Maturity Model Integration. There's various levels with this. There's actually five. There's initial, managed, defined, quantitatively managed, and then optimized. Now, most organizations will go for level three, which is your defined. Now, when you start getting to quantitatively managed, that's where you've got a lot of metrics. And then optimized means you're hitting on all cylinders. Most companies don't get there. Now, I would say you'd want to strive to get into quantitatively managed. Against everything you have, I would say that might be a bit of a challenge, but against some key systems, you really truly want to have some level of metrics so you understand what you're actually doing.
You have RSAM and RMM, the risk maturity model. This is a similar tiered approach to CMMI, but it's focused on risk management practices. And then you have ISO 31000. This provides principles and guidelines for risk management that organizations can mature to over time. So when you're dealing with the exam, right, maturity modeling answers how good are we at managing risk, not just what are our risks. So that's when you're dealing with maturity modeling. Are we better because of it? Or how much better are we because of it? Or what are we putting in place that is affecting us? Not just, hey, I've got a missile heading my way. What are your risks? No, you have to understand what we have put in place to make us better. So if they're asking you questions around maturity modeling, that's what they're gonna want to be focused on. How good are we at managing our risk? So, some different risk frameworks. And I'm just gonna kind of go over this. If you look at the video that I have that goes with this, you'll be able to see these. But you've got NIST SP 800-37, this is the Risk Management Framework. There's guidelines to assess risk, determine resolution, and how they're monitored. You have ISO 27005, this is an international standard focused on information security risk management. You really need to know that ISO 27005 is a risk-specific companion to ISO 27001. So keep that in mind. If 27001 is out there, the risk-specific companion is 27005. I know there's a lot of stuff for you to keep in mind here, but these are all key factors. Remember, you're getting your master's degree in cybersecurity when you get your CISSP. COBIT, this is your Control Objectives for Information and Related Technology. This is developed by ISACA, and it focuses on IT governance and management. Now keep in mind, COBIT is a governance-first thought process. Risk management supports business alignment, not the other way around.
Okay, so your risk management supports your business, not the business supporting risk. So keep that in your understanding. It is a governance-first thought process. SABSA, this is your Sherwood Applied Business Security Architecture. This is an enterprise security architecture framework driven specifically by business risk. Now, SABSA is the framework when the question involves architecture and business-driven risk decisions; that would be SABSA. So again, architecture and business-driven architecture. Keep in mind, not just business-driven architecture. That is when you're focused on SABSA. This is where the risk is baked into every layer of your architectural model. So not just one risk overflowing, or I should say, over all your aspects. It is actually risk that's baked into each part of your architecture. PCI DSS, this is your Payment Card Industry Data Security Standard. This is typically used a lot in the financial industry when you're dealing with credit cards. Now, PCI is compliance-driven risk management. It's known as a contractual industry standard, not a government mandate. If you understand PCI, the focus is that the credit card companies are forcing people to deploy different types of security mechanisms because they are using your credit card. If you choose not to follow this, you will lose access to the credit cards. So it's based on the industry putting a standard out there for you to follow. Now, the requirements on this are embedded within its 12 core requirements that are tied into PCI DSS. And then the last one I put out there, this one probably isn't necessarily on the exam, but it's something for you to be aware of, is the Cyber Risk Institute Profile. This is a financial sector extension of the NIST Cybersecurity Framework and is used by banks and financial institutions to meet FFIEC, OCC, and Federal Reserve expectations. I like it a lot.
I think it's a really good risk framework that works really well with the banking industry and the financial institutions. So I would look at it, consider it. It's probably not something you'll see on the exam, but something you should have in the back of your mind if you are in that space. Okay, so that's all I have for you today. All right, we went through a lot of stuff today. There's a lot of information here, but I hope you got a lot out of this. This is an important part of your CISSP journey. Head on over to CISSP Cyber Training. Check it out. There's a lot of great stuff at CISSP Cyber Training to help you with your overall CISSP journey and getting that certification done. But on the flip side, CISSP Cyber Training is also a great place for you to maintain your CPE credits once you get your CISSP. Because we all know keeping up those CISSP credits is a challenge. I have a bunch I have to fill out myself. So you need to get that done. But again, great place to go, CISSP Cyber Training. Thanks again for coming with me today on this trip, and I hope you have a wonderful day, and we'll catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?

Let CISSP Cyber Training help you pass the CISSP Test the first time!
