Information Technology / CompTIA Security+ (SY0-601): Risk Assessments

CompTIA Security+ (SY0-601): Risk Assessments

Information Technology17 CardsCreated 9 months ago

This section highlights key strategies in managing risk, such as transferring, accepting, and assessing residual risk. It also explains the difference between qualitative (experience-based) and quantitative (number-driven) risk analysis approaches used to evaluate and address potential threats.

Report

Risk Transfer

A strategy that passes the risk to a third party

Rate to track your progress ✦

Tap to flipTap or swipe ↕ to flip

Space↑↓

←→Swipe ←→Navigate

SSpeak

FFocus

1/17

Key Terms

Term

Definition

Risk Transfer

A strategy that passes the risk to a third party

Risk Acceptance

A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized

Residual Risk

The risk remaining after trying to avoid, transfer, or mitigate the risk

Qualitative Risk

Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk

Quantitative Risk

Quantitative analysis uses numerical and monetary values to calculate risk

Quantitative...

SLE

Single Loss Expectancy:

Cost associated with the realization of each individualized thr...

Security Controls: NIST Categories

Management, Operational, & Technical Controls

Management Controls
Security controls that are focused on decision-making and the management of risk

Preventative, Detective, & Corrective Controls

Preventative Controls
Security controls that are installed before an event happens and are designed to prevent someth...

Related Flashcard Decks

Information Technology

Introduction to Database Management and Computer Systems

This deck covers fundamental concepts in database management systems and computer systems, including data models, SQL, and system architecture.

10 cards

View Deck

Information Technology

Java Programming Concepts

This deck covers key concepts in Java programming, including classes, methods, constructors, and object-oriented principles. It includes examples of using classes like Rectangle, Point, Student, and more, with a focus on understanding object creation, method calls, and class interactions.

30 cards

View Deck

Information Technology

DOD Cyber Awareness Challenge 2025 Knowledge check-1 Part 2

This deck covers the key concepts and safety practices from the DOD Cyber Awareness Challenge 2025, focusing on social networking, mobile security, insider threats, and more.

20 cards

View Deck

Information Technology

Controlled Unclassified Information (CUI) Training

This deck covers key concepts and guidelines related to Controlled Unclassified Information (CUI) as outlined in the DoD CUI program.

15 cards

View Deck

Information Technology

Cyber Awareness Challenge 2024 (Knowledge Pre-Check)

This deck covers key concepts and best practices for cyber awareness, including handling classified information, social networking, teleworking, and more.

21 cards

View Deck

Information Technology

Personally Identifiable Information Part 1

This deck covers key concepts related to the management and protection of Personally Identifiable Information (PII), including legal responsibilities, privacy impact assessments, and safeguards.

15 cards

View Deck

Information Technology

DOD Cyber Awareness Challenge 2025 Knowledge Check-1 Part 1

This flashcard deck covers key concepts from the DOD Cyber Awareness Challenge 2025, including best practices for online security, identity protection, and appropriate use of government resources.

20 cards

View Deck

Information Technology

Personally Identifiable Information Part 2

This deck covers key concepts related to the protection and management of Personally Identifiable Information (PII), including common threats, compliance requirements, and safeguarding measures.

15 cards

View Deck

Information Technology

Animation and Games CodeHS Part 5

A set of flashcards covering key concepts from CodeHS Part 5: Animation and Games, including circles, shapes, and event handling.

11 cards

View Deck

CompTIA Security+ (SY0-601): Risk Assessments

Term	Definition
Risk Transfer	A strategy that passes the risk to a third party
Risk Acceptance	A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized
Residual Risk	The risk remaining after trying to avoid, transfer, or mitigate the risk
Qualitative Risk	Qualitative analysis uses intuition, experience, and other methods to assign a relative value to risk Experience is critical in qualitative analysis
Quantitative Risk	Quantitative analysis uses numerical and monetary values to calculate risk Quantitative analysis can calculate a direct cost for each risk
SLE	Single Loss Expectancy: Cost associated with the realization of each individualized threat that occurs
ARO & ALE	Annualized Rate of Occurrence: Number of times per year that a threat is realized Annualized Loss Expectancy: Expected cost of a realized threat over a given year
Security Assessments: Active Assessments	Utilize more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities
Security Assessments: Passive Assessments	Utilize open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems Passive techniques are limited in the amount of detail they find
Security Controls	Physical Controls Any security measures that are designed to deter or prevent unauthorized access to sensitive information or the systems that contain it Technical Controls Safeguards and countermeasures used to avoid, detect, counteract, or minimize security risks to our systems and information Administrative Controls Focused on changing the behavior of people instead of removing the actual risk involved
Security Controls: NIST Categories Management, Operational, & Technical Controls	Management Controls Security controls that are focused on decision-making and the management of risk Operational Controls Focused on the things done by people Technical Controls Logical controls that are put into a system to help secure it
Preventative, Detective, & Corrective Controls	Preventative Controls Security controls that are installed before an event happens and are designed to prevent something from occurring Detective Controls Used during the event to find out whether something bad might be happening Corrective Controls Used after an event occurs
Compensating Control	Used whenever you can’t meet the requirement for a normal control Residual risk not covered by a compensating control is an accepted risk
Types of Risks	External Risk Risks that are produced by a non-human source and are beyond human control Internal Risk Risks that are formed within the organization, arise during normal operations, and are often forecastable Legacy Systems An old method, technology, computer system, or application program which includes an outdated computer system still in use Multiparty A risk that refers to the connection of multiple systems or organizations with each bringing their own inherent risks IP Theft Risk associated with business assets and property being stolen from an organization in which economic damage, the loss of a competitive edge, or a slowdown in business growth occurs Software Compliance/Licensing Risk associated with a company not being aware of what software or components are installed within its network
Risk Register	Every project has a plan, but also has risk Identify/document risk associated with each step of project Apply possible solutions & monitor results
Risk Matrix/Heat Map	View results of risk assessment Visually identify risk based on color Combines likelihood of event with potential impact
Risk Appetite	Amount of risk an organization is willing to take

Learning Tools

Writing Tools

Browse Resources

CompTIA Security+ (SY0-601): Risk Assessments

Risk Transfer

Key Terms

Related Flashcard Decks

Company

Explore

Study Tools