Exercises: Risk Management

These exercises move from the formulas to the judgment calls. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — attempt every problem before you read one.

Work in your own notebook or a private repository. For calculation problems, show your formula and units; for treatment and register problems, the reasoning and ownership matter more than the exact number. Unless stated otherwise, all dollar figures and frequencies are illustrative.


Part A — Vocabulary and the process ⭐

1.† In one sentence each, distinguish risk management from a risk assessment. Which is continuous and which is point-in-time?

2. Name the five steps of the risk-management process (NIST SP 800-30 / ISO 27005, harmonized) in order, and state in one sentence what the loop from "monitor" back to "frame" accomplishes.

3. Match each standard to its role: (a) NIST SP 800-30; (b) NIST SP 800-37; (c) ISO/IEC 27005; (d) NIST SP 800-39. Options: the international risk-management standard; the U.S. guide for conducting risk assessments; the Risk Management Framework / system-authorization lifecycle; the broader risk-management program framing.

4.† Define inherent risk and residual risk, and explain why naming both for a given risk makes a treatment decision auditable.

5. Define risk appetite and risk tolerance and give one example of each. Which is strategic and qualitative, and which is operational and quantitative?

6. For each, say whether it describes qualitative or quantitative risk analysis: (a) plots risks on a 5×5 heat map; (b) expresses impact in dollars; (c) produces relative rankings, not measurements; (d) lets you compare a control's benefit to its cost directly; (e) is fast and needs no actuarial data; (f) is vulnerable to false precision on weak inputs.


Part B — Calculate the ALE ⭐⭐

7.† A laptop fleet event: each laptop is worth \$1,500, a theft destroys 100% of its value (the data, not just the hardware, is the loss), and the firm expects 8 such thefts per year. Compute SLE and ALE.

8. A web-server compromise would corrupt about 30% of a \$2,000,000 customer database before it is caught, and is estimated to occur 0.5 times per year. Compute the exposure factor, SLE, and ALE.

9.† Cost-justify a control. For the compromise in Exercise 8, a managed detection-and-response service would cut the ARO from 0.5 to 0.1 and the exposure factor from 0.30 to 0.10. It costs \$120,000 per year to run. Compute $ALE_{\text{before}}$, $ALE_{\text{after}}$, and the net annual value of the control. Should Meridian buy it? Show the formula.

10. The annualization trap. A vendor pitches a \$600,000 hardware appliance (one-time purchase, useful life 5 years, plus \$40,000/year support) to address a risk with an ALE of \$90,000/year. A colleague says "the appliance costs \$640,000 and the risk is only \$90,000 a year, so it is obviously not worth it." Find the error in the colleague's reasoning, put every figure on an annual basis, and state whether the control is worth it.

11.† Two risks are on the register. Risk X: SLE \$50,000, ARO 6.0. Risk Y: SLE \$900,000, ARO 0.25. (a) Compute each ALE. (b) Which should the prioritize() function from this chapter's bluekit increment sort first? (c) The qualitative matrix rated X as HIGH (likely, limited impact) and Y as HIGH (rare, severe impact). What does the quantitative view add that the equal qualitative bands hid?

12. A control reduces a risk's ARO from 4.0 to 1.0 but leaves the SLE unchanged at \$80,000. Separately, a different control leaves the ARO at 4.0 but cuts the SLE from \$80,000 to \$20,000. Compute the ALE reduction of each. If both cost the same, are they equally good investments? What else would you want to know?
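As an added example for the Part B calculations (my code, not the chapter's bluekit increment), the following Python puts SLE, ALE, control-cost annualization, net value and an ALE-ordered prioritization in one place; the Risk class, annual_cost, net_value and the prioritize stand-in are my names, and every dollar figure is constructed rather than taken from the exercises, so working the problems is still up to you.

```python
"""ALE cost-benefit helpers for the Part B exercises (added example, not the chapter's bluekit code).
Formulas as the chapter defines them:
    SLE = AV x EF                  single loss expectancy, dollars per event
    ALE = SLE x ARO                annualized loss expectancy, dollars per year
    net value = ALE_before - ALE_after - annual control cost
All figures in the scenario at the bottom are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, dollars
    exposure_factor: float  # EF, fraction of AV lost per event (0..1)
    aro: float              # annualized rate of occurrence, events per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


def annual_cost(one_time: float, useful_life_years: float, recurring: float) -> float:
    """Put a control on an annual basis: spread the purchase over its life, add yearly support."""
    if useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    return one_time / useful_life_years + recurring


def net_value(before: Risk, after: Risk, control_annual_cost: float) -> float:
    """Annual benefit of a control minus its annual cost; positive means cost-justified."""
    if after.ale() <= 0:
        # No control drives a risk to zero; a missing residual is a sign of a cooked analysis.
        raise ValueError("residual ALE must be positive; record the residual honestly")
    return before.ale() - after.ale() - control_annual_cost


def prioritize(risks: list) -> list:
    """Order risks by ALE, largest first (hypothetical stand-in for bluekit's prioritize())."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed scenario: a database compromise, before and after a monitoring control
DB_BEFORE = Risk("db-compromise", asset_value=1_000_000, exposure_factor=0.5, aro=0.5)
DB_AFTER = Risk("db-compromise", asset_value=1_000_000, exposure_factor=0.25, aro=0.25)
# Control: $300,000 appliance over 5 years plus $20,000/year support -> $80,000/year
CONTROL_COST = annual_cost(300_000, 5, 20_000)
```

With these constructed inputs, net_value(DB_BEFORE, DB_AFTER, CONTROL_COST) is the annual figure a budget decision rests on, and the ValueError path is the guard against a "risk eliminated" claim.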


Part C — Choose the treatment ⭐⭐

13.† For each scenario, name the primary risk treatment (mitigate / transfer / avoid / accept) and justify it in one sentence: (a) Meridian buys cyber-insurance to cover the financial tail of a major breach; (b) Meridian declines to launch a cryptocurrency-custody product after assessing the risk; (c) Meridian deploys phishing-resistant MFA across all staff; (d) Meridian formally signs off on living with the low risk of an internal, segmented print server staying unpatched until its scheduled replacement.

14. A risk has inherent rating CRITICAL. No cost-effective control exists, the activity that creates it (processing real-time payments) is core to the business and cannot be stopped, and insurance covers only a fraction of the impact. Walk the treatment decision aid (Figure 27.3) and state where you land. What compensating controls and documentation would make the outcome defensible?

15. Explain, with a concrete example, why "you cannot transfer accountability." What exactly does cyber-insurance transfer, and what remains the organization's responsibility after a claim is paid?

16.† The silent acceptance. Re-read the §27.4 war story (the insurer's legacy portal). List the four things that, had they been present, would have turned the silent acceptance into a defensible one. For each, write the single sentence you would have added to the risk register.

17. A team proposes to "accept" a HIGH residual risk to customer PII. Using Meridian's risk-appetite statement (Figure 27.4), determine whether they may accept it at their level, and if not, what the statement requires them to do instead.


Part D — Build a risk register ⭐⭐–⭐⭐⭐

18.† Write three rows of an enterprise risk register for Meridian using new risks not already in the Chapter 1 seed (R1–R5). For each row include every field from the §27.5 register table: risk ID, description (threat × vulnerability × asset → harm), affected asset(s), inherent L×I and band, treatment decision, residual L×I and band, business risk owner, status/due date, and review date.

19. Critique this register row and rewrite it correctly:

R-99: "Hackers might get in." Asset: everything. Likelihood: high. Impact: bad. Owner: Security. Treatment: we'll look into better tools.

Identify at least four defects (concreteness, scoring, ownership, treatment specificity) and fix each.

20. Design it. You are standing up a risk register for a 30-person fintech startup with no prior GRC function. Specify: (a) the minimum fields you would include and why; (b) who you would name as risk owners given there is no large business hierarchy; (c) your reassessment triggers; (d) how you would keep it from becoming "security's private worry list." One page.

21.† Take the DDoS worked example from §27.3 (ALE \$2,000,000 before; \$100,000 after the \$250,000/year mitigation). Write the complete register row for this risk, including both the qualitative band and the quantitative ALE in the inherent and residual fields, the treatment decision, the business owner, and the review trigger.

22. ⭐⭐⭐ Pick a real organization you know well (employer, school, a public company). Produce a five-row enterprise risk register following the §27.5 format. Score qualitatively, and put a dollar ALE on your single largest risk. Name a plausible business owner for each. Defend your top risk in a paragraph.


Part E — Set a risk appetite ⭐⭐

23.† Draft a risk-appetite statement (in the style of Figure 27.4) for a regional hospital. Cover at least four categories (e.g., patient-safety systems, patient data/privacy, clinical-system availability, research/innovation). For each, give an appetite (Very low / Low / Moderate) and a concrete tolerance line. Justify why patient-safety and privacy appetites differ from the others.

24. Meridian's appetite statement says customer-data risk tolerance is "no unmitigated risk above MEDIUM." An analyst finds a residual customer-data risk scored exactly MEDIUM after mitigation. Is it within tolerance? Now the same risk is scored HIGH. What does the statement require, and who must be notified? Reason directly from Figure 27.4.

25. Explain how a well-written appetite statement reduces escalations rather than creating bureaucracy. Give one example of a decision an analyst can make alone because of the statement, and one that the statement deliberately forces upward.


Part F — Communicate the risk ⭐⭐

26.† Translate for the board. Rewrite each technical statement as a one- or two-sentence board-level risk statement (money, customers, regulation, decision): (a) "We have 1,400 unpatched vulnerabilities, 312 of them critical." (b) "An internet-facing server in the CDE runs an end-of-life TLS stack." (c) "Our SIEM has no coverage for lateral-movement techniques in the ATT&CK matrix."

27. A board member, looking at a heat map, asks: "Why are you showing me risks you've already accepted? Shouldn't this only be the open ones?" Write a three-sentence answer that explains the board's duty of care and why accepted risks belong on the slide.

28. Your CFO pressures you to "soften" the risk report before the board meeting because a budget cut is looming and a grim picture is "bad timing." Write the two- or three-sentence response you would give, grounded in professional and legal duty. (See §27.6's ethics callout.)

29. ⭐⭐⭐ Build the one-slide risk story for Meridian's board this quarter from the register rows in this chapter (R1, the DDoS risk, R2). Include: the top three risks in business terms with their ALEs, the single decision/funding ask, one trend statement, and the accepted residuals with owners. No more than 200 words — board slides are ruthless.


Part G — Respond to this / incident-flavored ⭐⭐

30.† Respond to this. A critical, actively exploited vulnerability (a fresh KEV entry, CVSS 9.8) is announced at 4 p.m. Friday affecting an internet-facing Meridian system. You cannot patch tonight without risking an outage. Frame this as a rapid risk assessment and treatment decision: state the inherent risk, the treatment options available tonight (including compensating controls and a documented short-term acceptance), what you would put in the register, and what you would tell leadership. (You will do the full vulnerability-prioritization version of this in Chapter 23.)

31. During a tabletop, the team realizes a risk they had marked "accepted" last quarter has changed: the asset it threatens now processes far more sensitive data after a system migration. What does the review date field on the register exist to catch, and what should the team do now? Tie your answer to why risk management is a loop, not a one-time assessment.


Part H — CTF-style challenge ⭐⭐⭐

32.† The cooked quantitative analysis. A vendor presents a slick risk analysis to justify a \$500,000/year product. Their numbers: AV \$10,000,000; EF 0.8; ARO 1.0; "the product reduces ARO to 0.0, eliminating the risk." They conclude the product saves \$8,000,000/year and is a clear buy. (a) Reproduce their ALE math. (b) Identify three things that are analytically wrong or dishonest about this analysis (consider the EF and ARO inputs, the "reduces to zero" claim, and the missing residual). (c) Re-do the analysis with defensible assumptions of your choosing and state whether the product is actually worth it. Part of the challenge is recognizing that a confident dollar figure can be the most dangerous kind of input.


Part I — Interleaved & forward-looking ⭐⭐

33. (Interleaved — Ch. 26) A risk-appetite statement is set by leadership and the board. Where does it sit relative to the policy/standard/procedure document hierarchy from Chapter 26, and how does a standard (e.g., "all internet-facing systems must use phishing-resistant MFA") relate to a tolerance line in the appetite statement?

34. (Interleaved — Ch. 1) Recompute the Chapter 1 qualitative score for "credential attack via password-only login" (L4 × I5) and then express the same risk quantitatively with SLE \$900,000 and ARO 2.0. Explain which number you would use in a SOC triage decision and which in a board budget decision, and why both are correct in their context.

35. (Forward — Ch. 29) Transferring risk to a vendor (e.g., outsourcing the core platform with contractual security requirements) creates a new category of risk. Name it and write two sentences predicting how Chapter 29 will say to manage it.

36. ⭐⭐⭐ Open reflection. The chapter argues that the most valuable output of risk management is "a set of decisions, each with a name attached, made on purpose." Write half a page on a risk decision in a domain outside security (a hospital accepting a surgical risk, an airline accepting a maintenance deferral, a city accepting a flood risk). What does that field do to make acceptance defensible that security could borrow?


Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.