cyber revision

Risk management

How organisations identify, assess and treat risk: the vocabulary, the methods, and the business continuity terms behind every security decision.


Security is risk management

Every control costs money, time or convenience, and no organisation can defend against everything. Risk management is the discipline of deciding which risks to spend on, making security a business decision rather than a technical wish list. This framing sits underneath the whole field: you protect what matters most, against the threats most likely to hit it, to a level proportionate to the impact.

The vocabulary

Building on the fundamentals chapter:

  • Asset: something of value worth protecting (data, systems, people, reputation).
  • Vulnerability: a weakness in an asset.
  • Threat: something that could exploit a vulnerability. The actor is a threat agent/actor.
  • Risk: the likelihood of a threat exploiting a vulnerability, combined with the impact if it does. The standard shorthand: Risk = Likelihood × Impact.
  • Inherent risk is the risk before any controls; Residual risk is the risk that remains after controls are applied. You can rarely reach zero; residual risk is what's accepted.

Assessing risk

Two complementary approaches:

Qualitative: rate likelihood and impact on descriptive scales (Low/Medium/High) and plot them on a risk matrix. Fast, intuitive, and the common choice; the downside is subjectivity.

Quantitative: put money on it. The classic formulae:

  • SLE (Single Loss Expectancy) = Asset Value × EF (Exposure Factor): the cost of one occurrence.
  • ALE (Annualised Loss Expectancy) = SLE × ARO (Annualised Rate of Occurrence): the expected yearly cost.

ALE is the key one for cost-justifying a control: if a risk's ALE is £100,000 and a £20,000 control reduces it substantially, the control pays for itself. Quantitative analysis is rigorous but needs reliable numbers that are often hard to get, so real assessments frequently blend both.

Worked example: a server worth £50,000 faces a flood that would destroy 40% of its value (EF 0.4), expected once every 10 years (ARO 0.1). SLE = £50,000 × 0.4 = £20,000. ALE = £20,000 × 0.1 = £2,000/year. A flood mitigation costing £500/year is clearly worthwhile; one costing £5,000/year is not.
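The SLE/ALE arithmetic above, carried through into residual risk and control cost-justification, as an added example in Python (not code from the original page). The asset value, EF and ARO are the page's flood figures; the control names and how much each candidate control reduces likelihood are assumptions, labelled in the code.

```python
"""Quantitative risk arithmetic for the flood example: SLE, ALE, residual
risk after a control, and whether a control pays for itself.
Added illustration, not code from the original page. The asset value, EF
and ARO are the page's figures; how much each candidate control reduces
the risk is an assumption, labelled where it appears."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV in pounds
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # Annualised Rate of Occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF: the cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy = SLE x ARO: the expected yearly cost."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts likelihood
    ef_reduction: float = 0.0   # fraction by which the control cuts impact

    def residual(self, inherent: Risk) -> Risk:
        """Residual risk: what is left once the control is applied."""
        return Risk(
            asset_value=inherent.asset_value,
            exposure_factor=inherent.exposure_factor * (1 - self.ef_reduction),
            aro=inherent.aro * (1 - self.aro_reduction),
        )


def net_annual_benefit(inherent: Risk, control: Control) -> float:
    """ALE avoided by the control minus its yearly cost.
    A positive result means the control pays for itself."""
    avoided = inherent.ale() - control.residual(inherent).ale()
    return avoided - control.annual_cost


def worthwhile(inherent: Risk, control: Control) -> bool:
    return net_annual_benefit(inherent, control) > 0


# The page's figures: a £50,000 server, 40% destroyed by a flood, once a decade.
FLOOD = Risk(asset_value=50_000, exposure_factor=0.4, aro=0.1)

# Assumption (not stated on the page): both priced mitigations would stop
# flood losses entirely, so residual ALE is zero and the decision reduces to
# ALE versus control cost, which is what the page's conclusion implies.
# Control names are constructed for illustration.
CHEAP = Control("flood barrier, £500/yr", annual_cost=500, aro_reduction=1.0)
DEAR = Control("relocation, £5,000/yr", annual_cost=5_000, aro_reduction=1.0)
# A partial control, assumed to halve the likelihood, leaves residual risk.
PARTIAL = Control("sandbags, £500/yr", annual_cost=500, aro_reduction=0.5)


def flood_example() -> dict:
    """Evaluate the three candidate controls against the flood risk."""
    return {
        "sle": FLOOD.sle(),                                     # 20,000
        "ale": FLOOD.ale(),                                     # 2,000 per year
        "cheap_net": net_annual_benefit(FLOOD, CHEAP),          # +1,500
        "dear_net": net_annual_benefit(FLOOD, DEAR),            # -3,000
        "partial_residual_ale": PARTIAL.residual(FLOOD).ale(),  # 1,000
        "partial_net": net_annual_benefit(FLOOD, PARTIAL),      # +500
    }


if __name__ == "__main__":
    for key, value in flood_example().items():
        print(f"{key:>22}: £{value:,.0f}")
    print("cheap worthwhile:", worthwhile(FLOOD, CHEAP))
    print("dear worthwhile: ", worthwhile(FLOOD, DEAR))
```

The partial control is the useful addition: it shows that residual risk is rarely zero, and that a control is justified by the ALE it removes, not by the inherent ALE alone.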

Treating risk

Once a risk is assessed, there are four recognised responses (sometimes "the four T's"):

  • Mitigate (also called Reduce / Treat): apply controls to lower likelihood or impact. Example: patch the server, add MFA.
  • Transfer (also called Share): shift the financial impact to a third party. Example: cyber insurance; outsourcing.
  • Avoid (also called Terminate): stop the activity causing the risk. Example: don't store the data at all.
  • Accept (also called Tolerate): acknowledge and consciously live with it. Example: a low-impact risk that is cheaper to bear than to fix.

Two points exams probe: transfer doesn't remove the risk (insurance pays out but your data is still breached and your reputation still hit), and acceptance must be a documented, informed decision by someone with authority, not a shrug. Note also that you can't transfer accountability: regulators hold the data controller responsible even if processing was outsourced.

Frameworks that structure the work

Organisations don't invent risk processes from scratch; they adopt frameworks:

  • NIST Cybersecurity Framework (CSF) 2.0: covered in detail next chapter; organises cyber risk management around six Functions.
  • ISO/IEC 27005: guidance specifically for information security risk management.
  • NIST SP 800-30 / 800-37 (RMF): US federal risk assessment and Risk Management Framework.

The common shape across all of them: identify assets and risks → assess → decide treatment → implement controls → monitor and review continuously, because risk is never static; new threats, new systems and new vulnerabilities appear constantly.

Business continuity and disaster recovery

When prevention fails, the question becomes how fast can we recover? Two related disciplines:

  • Business Continuity Planning (BCP): keeping the whole organisation operating through a disruption (including non-IT: premises, staff, suppliers).
  • Disaster Recovery (DR): the IT-specific subset, restoring systems and data after an incident.

A Business Impact Analysis (BIA) identifies critical processes and the cost of their disruption, which sets two key targets:

  • RTO (Recovery Time Objective): the maximum tolerable downtime before unacceptable harm. "We must be back within 4 hours."
  • RPO (Recovery Point Objective): the maximum tolerable data loss, expressed as time. "We can lose at most 1 hour of data" → back up at least hourly.

RTO drives your recovery speed (failover systems, hot/warm/cold sites); RPO drives your backup frequency. They're independent, frequently confused, and a reliable exam question. Backups themselves should follow the 3-2-1 rule: three copies, on two different media, with one off-site (and increasingly one offline/immutable, because ransomware deliberately seeks out and encrypts reachable backups).
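The RTO, RPO and 3-2-1 checks above, as an added Python example (not code from the original page) run over a constructed incident: hourly backups that take ten minutes, an outage at 09:40, service back at 13:00, with the 4-hour RTO and 1-hour RPO quoted above. The scheduling model (a backup reflects data as of its start time and can only be restored from once complete) is a simplifying assumption.

```python
"""Checking an incident against its RTO and RPO, deriving a backup interval
from the RPO, and testing a set of backup copies against the 3-2-1 rule.
Added illustration with constructed sample data; not code from the original
page. The backup model (data is as of the backup's start; only a completed
backup can be restored) is a simplifying assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    started: datetime    # data in the backup is as of this moment (assumed)
    completed: datetime  # only a completed backup can be restored from


def data_lost(backups: list[Backup], incident: datetime) -> timedelta:
    """Data lost = time from the start of the last backup that had completed
    before the incident, to the incident itself. This is what an RPO bounds."""
    usable = [b for b in backups if b.completed <= incident]
    if not usable:
        raise ValueError("no backup completed before the incident")
    return incident - max(b.started for b in usable)


def rpo_met(backups: list[Backup], incident: datetime, rpo: timedelta) -> bool:
    return data_lost(backups, incident) <= rpo


def rto_met(incident: datetime, restored: datetime, rto: timedelta) -> bool:
    """Downtime runs from the incident until service is restored."""
    return restored - incident <= rto


def max_backup_interval(rpo: timedelta, duration: timedelta) -> timedelta:
    """Under the assumed model an incident just before a backup finishes loses
    interval + duration, so backups must start no more than rpo - duration
    apart. Backup run time eats into the RPO; 'hourly' is not quite enough
    for a 1-hour RPO unless the backup is instantaneous."""
    interval = rpo - duration
    if interval <= timedelta(0):
        raise ValueError("backup takes longer than the RPO allows")
    return interval


@dataclass(frozen=True)
class Copy:
    label: str
    medium: str               # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool = False   # write-once / locked, so ransomware cannot touch it


def check_3_2_1(copies: list[Copy]) -> dict:
    """Three copies (production counts), two media, one off-site,
    plus the modern addition of one offline/immutable copy."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable": any(c.immutable for c in copies),
    }


def scenario() -> dict:
    """Constructed example: hourly backups taking 10 minutes, incident at
    09:40 (and a worst-case one at 10:09), service restored at 13:00."""
    day = datetime(2024, 1, 1)
    hourly = [Backup(day + timedelta(hours=h), day + timedelta(hours=h, minutes=10))
              for h in range(24)]
    incident = day + timedelta(hours=9, minutes=40)
    worst_case = day + timedelta(hours=10, minutes=9)  # 10:00 backup not done yet
    restored = day + timedelta(hours=13)
    rto, rpo = timedelta(hours=4), timedelta(hours=1)
    copies = [
        Copy("production", "disk", offsite=False),
        Copy("local backup", "disk", offsite=False),
        Copy("cloud backup", "object-storage", offsite=True, immutable=True),
    ]
    minutes = lambda td: int(td.total_seconds() // 60)
    return {
        "data_lost_min": minutes(data_lost(hourly, incident)),          # 40
        "rpo_met": rpo_met(hourly, incident, rpo),                      # True
        "worst_lost_min": minutes(data_lost(hourly, worst_case)),       # 69
        "rpo_met_worst": rpo_met(hourly, worst_case, rpo),              # False
        "rto_met": rto_met(incident, restored, rto),                    # True, 3h20
        "max_interval_min": minutes(max_backup_interval(rpo, timedelta(minutes=10))),  # 50
        "three_two_one": check_3_2_1(copies),                           # all True
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>17}: {value}")
```

The worst-case incident is the point of the example: with a 10-minute backup window, an outage at 10:09 can only be restored from the 09:00 backup, losing 69 minutes against a 60-minute RPO. RPO therefore drives not just backup frequency but the interval net of backup duration, which is why the derived interval is 50 minutes rather than the hour the target naively suggests.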

Quick recall

  • Security is risk management: spend proportionately on what matters. Risk = Likelihood × Impact; residual risk is what remains after controls.
  • Assess qualitatively (risk matrix) or quantitatively (SLE = AV × EF; ALE = SLE × ARO; use ALE to justify control spend).
  • Treat by Mitigate, Transfer, Avoid or Accept. Transfer (insurance) doesn't remove the risk or the accountability; acceptance must be documented.
  • BCP keeps the business running; DR restores IT. A BIA sets RTO (max downtime → recovery speed) and RPO (max data loss → backup frequency).
  • Backups: 3-2-1, plus offline/immutable against ransomware.