Manage Risk for Security+ (SY0-701)

Understand risk identification, registers, appetite, tolerance, treatment, and business impact analysis for Security+.

Risk questions on Security+ are about structured decision-making, not fear. The exam wants you to identify risk, analyze it, communicate it, and choose a treatment that fits the organization’s appetite and constraints. Good answers usually sound balanced and accountable, not absolute.

BIA: Business impact analysis, a process for identifying which services matter most and how much outage or data loss the organization can tolerate.

ALE: Annualized loss expectancy, an estimate of yearly loss used to compare risk impact against control cost.

ARO: Annualized rate of occurrence, the estimated frequency of a risk event over a year.

What the exam is really testing

Security+ is usually testing whether you can:

  • describe risk in a form leadership can act on
  • choose the correct treatment without pretending every risk must be eliminated
  • connect business impact, recovery targets, vendors, and control costs into one decision

Core terms

Term            Meaning
Risk appetite   overall willingness to accept risk
Risk tolerance  acceptable variation around a specific objective or threshold
Risk register   tracked record of identified risks, status, owners, and treatments
Risk treatment  accept, avoid, transfer, or mitigate
BIA             identifies critical services, dependencies, and recovery expectations

Risk-register example

risk_id,description,owner,likelihood,impact,treatment,status
R-017,Public admin portal lacks MFA,identity-team,medium,high,mitigate,in-progress
R-022,Single ISP link for payment service,network-team,low,high,transfer_or_mitigate,open
R-031,Legacy file server cannot be patched this quarter,it-ops,medium,medium,accept_with_compensating_controls,accepted

What to notice:

  • the register ties the risk to an owner and a treatment decision
  • treatment is a deliberate business choice, not just a technical wish
  • accepted risk should still be visible and documented

Simple quantitative reminder

Security+ may still use:

\[ \text{SLE} = \text{AV} \times \text{EF}, \quad \text{ALE} = \text{SLE} \times \text{ARO} \]

You do not need advanced finance math. You do need to understand that organizations use structured inputs to compare risk and justify control spending.
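As an added worked example (not code from the original page), the following Python parses the register above and carries the SLE and ALE formulas through a cost-benefit comparison for R-022, the single ISP link. The asset value, exposure factor, outage rates and control cost are constructed sample figures, not values the page gives.

```python
import csv
import io

# The three register rows from the page, re-typed here as constructed sample input.
REGISTER_CSV = """risk_id,description,owner,likelihood,impact,treatment,status
R-017,Public admin portal lacks MFA,identity-team,medium,high,mitigate,in-progress
R-022,Single ISP link for payment service,network-team,low,high,transfer_or_mitigate,open
R-031,Legacy file server cannot be patched this quarter,it-ops,medium,medium,accept_with_compensating_controls,accepted
"""


def load_register(text: str) -> list[dict]:
    """Parse the CSV register into one dict per risk row."""
    return list(csv.DictReader(io.StringIO(text)))


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF (EF is the fraction of AV lost per event)."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO (ARO is events per year)."""
    return sle(asset_value, exposure_factor) * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net yearly benefit of a control: ALE reduction minus what the control costs.
    Positive means the control pays for itself; negative means the spend exceeds the
    risk it removes, which is a reason to look at transfer or documented acceptance."""
    return (ale_before - ale_after) - annual_control_cost


def evaluate_r022() -> dict:
    """Constructed figures for R-022: a second provider cuts outage frequency, not asset value."""
    row = next(r for r in load_register(REGISTER_CSV) if r["risk_id"] == "R-022")
    asset_value = 500_000.0      # assumed value of the payment service to the business
    exposure_factor = 0.10       # assumed: each outage costs 10% of that value
    aro_before, aro_after = 2.0, 0.2   # assumed outages per year without / with a redundant link
    annual_cost = 40_000.0       # assumed yearly cost of the second ISP link
    before = ale(asset_value, exposure_factor, aro_before)
    after = ale(asset_value, exposure_factor, aro_after)
    net = control_value(before, after, annual_cost)
    # The number informs the treatment decision; the owner in the register still makes it.
    return {"risk_id": row["risk_id"], "owner": row["owner"], "ale_before": before,
            "ale_after": after, "net_benefit": net,
            "lens": "mitigate" if net > 0 else "review transfer or acceptance"}


if __name__ == "__main__":
    print(evaluate_r022())
```

With these assumed figures the redundant link removes 90,000 of yearly expected loss for 40,000 of cost, so the quantitative input supports the mitigation chosen in the scenario question.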

Risk-treatment chooser

Situation                                                             Strongest treatment lens
Activity is too dangerous to continue in current form                 Avoid
Insurance or contractual transfer is realistic                        Transfer
Control can reduce likelihood or impact to an acceptable level        Mitigate
Risk is understood and tolerated within governance boundaries         Accept

BIA connection

The BIA matters because it turns vague concern into operational priorities:

  • which systems are most critical
  • what downtime is acceptable
  • how much data loss is acceptable
  • which dependencies must recover first

That is why Security+ sometimes ties risk and continuity together in the same question.

What strong answers usually do

  • keep the risk visible in a register with an owner and explicit treatment
  • choose treatment based on business fit instead of pretending every risk should be mitigated the same way
  • use BIA language when downtime, dependencies, or recovery targets shape the decision
  • separate documented acceptance from neglect or inaction

Harder scenario question

A company relies on one aging internet link for its online ordering platform. A second provider is available but expensive. Leadership decides the current outage risk is unacceptable because lost sales during downtime materially harm the business. Which response best fits?

A. Accept the risk because all outages are unavoidable
B. Avoid the risk by shutting down online ordering permanently
C. Mitigate the risk by adding redundant connectivity aligned to the business impact shown in the BIA
D. Remove the risk from the register because leadership already discussed it

Best answer: C. The BIA shows the business impact is real, and redundant connectivity is a mitigation that directly reduces availability risk.

Common traps

  • confusing appetite with tolerance
  • jumping to mitigation when acceptance or transfer may be the stated business choice
  • treating BIA as only a disaster-recovery document rather than a risk input
  • assuming accepted risk means undocumented risk
