• Risk: Probability (Likelihood) × Impact; potential for loss/damage to assets
• Likelihood: Probability threat exploits vulnerability (High/Med/Low or percentage)
• Impact: Magnitude of damage (financial, reputational, operational)
• ROSI: Return on Security Investment; (Risk Reduction − Cost) / Cost; justifies security spend
• Inherent Risk: Risk before controls (raw exposure)
• Residual Risk: Risk after controls; cannot be eliminated; must be within appetite
• Risk Appetite: Amount of risk organization is willing to accept (aggressive vs conservative)
• Risk Register: Living document tracking identified risks, owners, scores, responses, status
• Mitigate: Reduce likelihood/impact (controls, patches, firewalls)
• Transfer: Shift risk to third party (insurance, outsourcing, cloud); cost becomes premium/fee
• Avoidance: Eliminate risk by not performing activity (discontinue legacy system)
• Acceptance: Acknowledge but take no action; used when cost of mitigation > impact; requires sign-off
• Quantitative: Numeric/financial values (Annualized Loss Expectancy ALE = SLE × ARO; Single Loss Expectancy SLE = Asset Value × Exposure Factor); objective, requires data
• Qualitative: Subjective scales (High/Med/Low, 1-5 ratings); expert judgment, faster, heat maps
• Heat Maps: Visual matrix (Likelihood vs Impact); red zones = immediate action
• MTD (Maximum Tolerable Downtime): Longest time business can survive without system before irreparable harm
– Higher = Good (more tolerance), Lower = Bad (less tolerance)
• RTO (Recovery Time Objective): Target time to restore system/function after disruption
– Lower = Good (faster recovery), Higher = Bad
• WRT (Work Recovery Time): Time after technical restoration to verify business processes/data integrity
– Lower = Good (faster validation), Higher = Bad
• RPO (Recovery Point Objective): Maximum acceptable data loss (time between last backup and incident)
– Lower = Good (less data loss), Higher = Bad
• MTTR (Mean Time To Repair): Average time to fix failed component
– Lower = Good (repair fast), Higher = Bad
• MTBF (Mean Time Between Failures): Average uptime between failures
– Higher = Good (thousands of hours = reliable), Lower = Bad (frequent failures)
• Due Diligence: Pre-contract investigation (financial stability, security posture, compliance history)
• Right to Audit: Contractual clause allowing customer to inspect vendor controls/books
• Pentesting: Regular security testing of vendor environments; validates defenses
• Conflict of Interest: Vendor relationships that compromise objectivity (e.g., auditor also consulting); must be disclosed and managed
Quick Distinctions: Quantitative = dollars/numbers; Qualitative = subjective ratings; Inherent = before controls; Residual = after controls; MTBF high (reliable), MTTR low (fixable); MOU (intent) vs MOA (commitment); MSA (master contract) vs SOW (specific job); ROE defines what you can hack.
• NDA (Non-Disclosure Agreement): Protects confidential information; pre-contract discussions
• MOU (Memorandum of Understanding): Non-binding statement of intent; "gentleman's agreement"
• MOA (Memorandum of Agreement): Formal, often binding agreement between parties to work together
• BPA (Business Partnership Agreement): Defines relationship/responsibilities between business partners
• MSA (Master Service Agreement): Overarching legal framework; governs future transactions/SOWs
• SOW (Statement of Work): Specific project details (scope, deliverables, timeline) under MSA
• SLA (Service Level Agreement): Performance commitments (uptime 99.9%, response times); includes penalties/credits
• ROE (Rules of Engagement): Pentest-specific scope (IPs in scope, testing hours, authorized techniques); legal protection for testers