Study CompTIA SY0-701 Risk: key concepts, common traps, and exam decision cues.
Risk questions on Security+ are about structured decision-making, not fear. The exam wants you to identify risk, analyze it, communicate it, and choose a treatment that fits the organization’s appetite and constraints. Good answers usually sound balanced and accountable, not absolute.
BIA: Business impact analysis, a process for identifying which services matter most and how much outage or data loss the organization can tolerate.
ALE: Annualized loss expectancy, an estimate of yearly loss used to compare risk impact against control cost.
ARO: Annualized rate of occurrence, the estimated frequency of a risk event over a year.
Security+ usually tests whether you can keep these core terms distinct and apply the right one to a scenario:
| Term | Meaning |
|---|---|
| Risk appetite | overall willingness to accept risk |
| Risk tolerance | acceptable variation around a specific objective or threshold |
| Risk register | tracked record of identified risks, status, owners, and treatments |
| Risk treatment | accept, avoid, transfer, or mitigate |
| BIA | identifies critical services, dependencies, and recovery expectations |
A minimal risk register might look like this:

```csv
risk_id,description,owner,likelihood,impact,treatment,status
R-017,Public admin portal lacks MFA,identity-team,medium,high,mitigate,in-progress
R-022,Single ISP link for payment service,network-team,low,high,transfer_or_mitigate,open
R-031,Legacy file server cannot be patched this quarter,it-ops,medium,medium,accept_with_compensating_controls,accepted
```

What to notice: every row names an accountable owner, rates likelihood and impact separately, records an explicit treatment rather than a vague intention, and carries a status so the decision can be tracked over time. R-031 is the reminder that acceptance is a documented decision paired with compensating controls, not neglect.
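The register above is small enough to reason about by eye, but the same columns are what a team would script against. As an added example (not from the page), the Python below parses that CSV, scores each entry with a simple likelihood x impact ordinal scale (an assumption; real programs define their own scale and status vocabulary), ranks it, and flags register hygiene problems such as a missing owner or a high-scoring risk left open with no treatment decision. A fourth row, R-044, is constructed here purely to exercise the checks.

```python
import csv
import io

# Constructed sample register: the page's three rows plus R-044, added here to
# exercise the hygiene checks (no owner, high score, still open).
REGISTER_CSV = """risk_id,description,owner,likelihood,impact,treatment,status
R-017,Public admin portal lacks MFA,identity-team,medium,high,mitigate,in-progress
R-022,Single ISP link for payment service,network-team,low,high,transfer_or_mitigate,open
R-031,Legacy file server cannot be patched this quarter,it-ops,medium,medium,accept_with_compensating_controls,accepted
R-044,Backups not restore-tested in 12 months,,medium,high,mitigate,open
"""

# Ordinal scale for a qualitative likelihood x impact score (assumed, not from the exam).
SCALE = {"low": 1, "medium": 2, "high": 3}
# Workflow states this example recognises (assumed).
VALID_STATUS = {"open", "in-progress", "accepted", "closed"}
# Score at or above which an undecided risk is flagged (assumed threshold: medium x high).
ATTENTION_SCORE = 6


def parse_register(text):
    """Parse the CSV register into dicts, attaching a numeric score to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        likelihood = row["likelihood"].strip().lower()
        impact = row["impact"].strip().lower()
        if likelihood not in SCALE or impact not in SCALE:
            raise ValueError(f"{row['risk_id']}: unknown rating {likelihood!r}/{impact!r}")
        row["likelihood"], row["impact"] = likelihood, impact
        row["score"] = SCALE[likelihood] * SCALE[impact]
        rows.append(row)
    return rows


def prioritize(rows):
    """Highest score first; ties broken by impact, then risk_id for stable output."""
    return sorted(rows, key=lambda r: (-r["score"], -SCALE[r["impact"]], r["risk_id"]))


def governance_checks(rows):
    """Return (risk_id, message) pairs for register problems a risk owner should see."""
    findings = []
    for r in rows:
        if not r["owner"].strip():
            findings.append((r["risk_id"], "no owner assigned"))
        if r["status"] not in VALID_STATUS:
            findings.append((r["risk_id"], f"unknown status {r['status']!r}"))
        # An accepted risk must carry an acceptance treatment; anything else is a mismatch.
        if r["status"] == "accepted" and not r["treatment"].startswith("accept"):
            findings.append((r["risk_id"], "status accepted but treatment is not acceptance"))
        # A high-scoring risk still 'open' has had no treatment decision made.
        if r["score"] >= ATTENTION_SCORE and r["status"] == "open":
            findings.append((r["risk_id"], "high score still open; treatment decision pending"))
    return findings


if __name__ == "__main__":
    ranked = prioritize(parse_register(REGISTER_CSV))
    for r in ranked:
        print(f"{r['risk_id']} score={r['score']} {r['treatment']} ({r['status']}) owner={r['owner'] or '-'}")
    for risk_id, msg in governance_checks(ranked):
        print(f"FLAG {risk_id}: {msg}")
```

The score is deliberately coarse: the point is that likelihood and impact are rated separately and combined transparently, so a reviewer can see why R-017 sits above R-022 even though both have high impact.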
Security+ may still test the classic quantitative formulas:
\[ \text{SLE} = \text{AV} \times \text{EF}, \quad \text{ALE} = \text{SLE} \times \text{ARO} \]
| Symbol | Meaning | Why it matters |
|---|---|---|
| AV | Asset value | Establishes what is being put at risk |
| EF | Exposure factor | Shows how much of that value one event could damage |
| SLE | Single loss expectancy | Quantifies the loss from one successful incident |
| ARO | Annualized rate of occurrence | Estimates how often the event happens in a year |
| ALE | Annualized loss expectancy | Converts one-event loss into yearly expected loss |
You do not need advanced finance math. You do need to understand that organizations use structured inputs to compare risk and justify control spending.
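To make the formulas concrete, here is an added Python example (not part of the page) that carries SLE and ALE through to the decision the table is really about: does a control pay for itself? It uses the standard cost-benefit comparison, ALE before the control minus ALE after it minus the control's annual cost, and shows both a justified spend and one that is not. All figures are constructed.

```python
# Added example: SLE = AV x EF, ALE = SLE x ARO, then a control-justification
# comparison. Asset values, exposure factors, frequencies and costs are constructed.


def sle(asset_value, exposure_factor):
    """Single loss expectancy: the loss from one successful incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of asset value lost; must be 0..1")
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized loss expectancy: one-event loss scaled by expected yearly frequency."""
    if aro < 0:
        raise ValueError("ARO is a frequency and cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_value(asset_value, ef_before, aro_before, ef_after, aro_after, annual_control_cost):
    """Annual net benefit of a control: ALE reduction minus the control's yearly cost.

    A mitigation may lower likelihood (ARO), impact (EF), or both. A positive
    net_benefit means the spend is justified on expected loss alone; a negative
    one means leadership is paying more than the risk costs, which may still be
    acceptable for reasons the numbers do not capture (regulation, reputation).
    """
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, ef_after, aro_after)
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_control_cost": annual_control_cost,
        "net_benefit": before - after - annual_control_cost,
    }


if __name__ == "__main__":
    # Constructed scenario: an online ordering platform whose yearly revenue at
    # risk is 400,000; one ISP outage costs a quarter of that (EF 0.25) and
    # happens twice a year. A redundant link costs 60,000/yr and cuts ARO to 0.25.
    cheap = control_value(400_000, 0.25, 2, 0.25, 0.25, 60_000)
    print(f"redundant link @60k: ALE {cheap['ale_before']:,.0f} -> {cheap['ale_after']:,.0f}, "
          f"net benefit {cheap['net_benefit']:,.0f}")
    # Same control priced at 200,000/yr no longer pays for itself.
    costly = control_value(400_000, 0.25, 2, 0.25, 0.25, 200_000)
    print(f"redundant link @200k: net benefit {costly['net_benefit']:,.0f}")
```

The values are chosen to be exact in binary floating point so the arithmetic is easy to check by hand: SLE is 100,000, ALE before is 200,000, ALE after is 25,000, and the 60,000 link nets 115,000 a year while the 200,000 link loses 25,000.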
| Situation | Strongest treatment lens |
|---|---|
| Activity is too dangerous to continue in current form | Avoid |
| Insurance or contractual transfer is realistic | Transfer |
| Control can reduce likelihood or impact to an acceptable level | Mitigate |
| Risk is understood and tolerated within governance boundaries | Accept |
The BIA matters because it turns vague concern into operational priorities:
| BIA output | What it answers |
|---|---|
| RTO (recovery time objective) | How quickly service must be restored |
| RPO (recovery point objective) | How much data loss is acceptable |
| Criticality ranking | Which systems recover first |
| Dependency map | Which supporting services block recovery |
That is why Security+ sometimes ties risk and continuity together in the same question.
A company relies on one aging internet link for its online ordering platform. A second provider is available but expensive. Leadership decides the current outage risk is unacceptable because lost sales during downtime materially harm the business. Which response best fits?
A. Accept the risk because all outages are unavoidable
B. Avoid the risk by shutting down online ordering permanently
C. Mitigate the risk by adding redundant connectivity aligned to the business impact shown in the BIA
D. Remove the risk from the register because leadership already discussed it
Best answer: C. The BIA shows the business impact is real, and redundant connectivity is a mitigation that directly reduces availability risk. A is fatalism rather than a treatment decision, B avoids the risk by destroying the revenue the BIA says matters most, and D confuses discussion with disposition: a risk stays on the register until it is treated or formally accepted.
Risk questions usually depend on whether you are identifying, prioritizing, or treating risk. First, ask what business function or exposure matters. Second, identify ownership and impact through tools like the risk register or BIA. Third, choose treatment deliberately: accept, avoid, mitigate, or transfer. Security+ usually rewards explicit treatment logic over vague “reduce risk” language.
Continue with 5.3 Third-Party Risk to connect internal risk choices to vendor and supply-chain dependencies.