CompTIA Security+ Risk Management Practice Questions 2026
Risk management is the strategic framework that drives every security decision an organization makes. On the CompTIA Security+ exam, risk management questions test your ability to assess threats, quantify potential losses, select appropriate response strategies, and design business continuity plans. This domain bridges technical security knowledge with business decision-making — a skill that distinguishes competent security professionals from those who only understand tools.
What Is Risk Management on the Security+ Exam?
Risk management is the systematic process of identifying, assessing, responding to, and monitoring risks that could impact an organization's assets, operations, and objectives. This encompasses risk assessment (identifying and evaluating threats), risk response (choosing how to handle identified risks), business impact analysis (determining the effect of disruptions), and business continuity/disaster recovery planning (ensuring resilience).
The exam tests both quantitative and qualitative risk analysis. Quantitative analysis assigns dollar values using SLE, ARO, and ALE formulas. Qualitative analysis uses expert judgment to categorize risks as High, Medium, or Low. Understanding when to use each approach is essential for scenario-based questions.
Security controls are classified by function (preventive, detective, corrective, deterrent, compensating) and by implementation (technical, administrative, physical). Understanding this framework helps you recommend the right control for any risk scenario and recognize gaps in existing implementations.
Why Risk Management Matters for Security+
Risk management represents 20% of the exam and appears indirectly across every other domain. When you recommend a firewall, you're mitigating network risk. When you implement MFA, you're reducing authentication risk. Understanding the risk framework gives context to every technical control.
In professional practice, risk management is the language that connects security teams with business leadership. CISOs communicate in terms of annual loss expectancy and risk reduction ROI, not just CVE numbers. The Security+ exam validates that you can think in these strategic terms.
Business continuity and disaster recovery questions test practical resilience knowledge. Knowing RTO vs. RPO, understanding hot/warm/cold site trade-offs, and selecting backup strategies are skills that directly apply to real-world DR planning in any organization.
Key Risk Management Concepts to Master
Risk Assessment Process
Identify assets → Identify threats and vulnerabilities → Determine likelihood and impact → Calculate risk level → Prioritize for treatment. Risk = Threat × Vulnerability × Impact. Risk registers document identified risks, owners, responses, and status. Regular reassessment keeps profiles current.
Quantitative Risk Analysis
Asset Value (AV) = the dollar value of the asset at risk. Exposure Factor (EF) = the percentage of AV lost in a single incident. SLE = AV × EF. ARO = the expected number of incidents per year (an event expected once every four years has an ARO of 0.25). ALE = SLE × ARO. If a control's annual cost is less than the reduction in ALE it delivers, the investment is justified. These calculations appear frequently in exam scenarios.
Risk Response Strategies
Accept: within tolerance, document and monitor. Mitigate: implement controls to reduce likelihood/impact (most common). Transfer: shift financial risk via insurance, contracts, or outsourcing. Avoid: eliminate the risk-creating activity entirely. Residual risk = risk remaining after controls.
Business Impact Analysis
RTO: maximum tolerable downtime. RPO: maximum acceptable data loss (in time). MTTR: average time to restore. MTBF: average time between failures. BIA prioritizes systems by criticality and drives recovery resource allocation and DR planning.
Security Control Categories
Preventive (firewalls, encryption, access controls), Detective (IDS, log monitoring, SIEM), Corrective (patching, incident response, restoration), Deterrent (warning banners, cameras, policies), Compensating (alternatives when primary control isn't feasible). Technical, Administrative, and Physical implementation types.
Disaster Recovery Planning
Hot site: fully operational, instant failover, highest cost. Warm site: hardware ready, needs data, moderate cost. Cold site: empty facility, longest recovery, lowest cost. Full/Incremental/Differential backups. Testing: tabletop, walkthrough, simulation, parallel, full interruption.
Sample Risk Management Questions
Question 1: Quantitative Analysis
A server valued at $50,000 faces a threat with a 25% exposure factor occurring twice per year. What is the ALE?
A) $12,500 B) $25,000 C) $50,000 D) $100,000
Answer: B) $25,000 — SLE = $50,000 × 0.25 = $12,500. ALE = $12,500 × 2 = $25,000. The organization can justify spending up to $25,000/year on controls for this risk.
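The SLE/ARO/ALE arithmetic from the Quantitative Risk Analysis section and Question 1, carried through to the cost-benefit decision in code. This is an added illustration, not material from the page or the exam; the Question 1 figures are used as-is, while the control (one incident every two years) and its two price points are constructed assumptions.

```python
# Quantitative risk analysis: SLE, ARO, ALE and a control cost-benefit check.
# Figures are from Question 1; the control and its costs are constructed assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float               # ARO: expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO (once per 4 years -> 0.25)."""
    return 1.0 / years_between_events


def net_control_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """ALE reduction minus the control's annual cost; after.ale() is the residual risk."""
    return before.ale() - after.ale() - annual_cost


def control_justified(before: RiskScenario, after: RiskScenario, annual_cost: float) -> bool:
    """Exam rule: a control is worth buying only if its cost < the ALE reduction."""
    return net_control_value(before, after, annual_cost) > 0


# Question 1: server worth $50,000, EF 25%, twice a year -> SLE 12,500, ALE 25,000.
SERVER = RiskScenario(asset_value=50_000, exposure_factor=0.25, aro=2)
# Constructed assumption: a control that cuts ARO to one incident every 2 years, priced at $8k or $30k/year.
WITH_CONTROL = replace(SERVER, aro=aro_from_interval(2))

if __name__ == "__main__":
    print(f"SLE=${SERVER.sle():,.0f}  ALE=${SERVER.ale():,.0f}  residual ALE=${WITH_CONTROL.ale():,.0f}")
    print("justified at $8k:", control_justified(SERVER, WITH_CONTROL, 8_000),
          "| at $30k:", control_justified(SERVER, WITH_CONTROL, 30_000))
```

The residual ALE after the control is the residual risk that management still has to accept; the $30k control fails the test because its cost exceeds the $18,750 ALE reduction.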
Question 2: Risk Response Strategy
A company purchases cyber liability insurance after assessing data breach risk. Which risk response strategy is this?
A) Risk acceptance B) Risk mitigation C) Risk transfer D) Risk avoidance
Answer: C) Risk transfer — Insurance shifts financial impact to the insurer. The risk still exists, but consequences are shared. Other transfer examples: outsourcing, contractual liability clauses.
Question 3: BIA Metrics
An e-commerce platform can tolerate maximum 4 hours of downtime before significant revenue loss. Which BIA metric is this?
A) RPO B) RTO C) MTTR D) MTBF
Answer: B) RTO (Recovery Time Objective) — RTO defines maximum acceptable downtime. RPO measures data loss tolerance. MTTR is actual average repair time. MTBF measures reliability between failures.
Question 4: Control Classification
A company installs security cameras at building entrances. What type of security control is this?
A) Preventive technical B) Detective physical C) Deterrent physical D) Corrective administrative
Answer: C) Deterrent physical — Visible cameras primarily deter potential attackers. They are physical controls (tangible devices). While cameras can also serve detective functions (recording incidents), their primary visible placement serves as deterrence.
Common Mistakes to Avoid
- Confusing RTO (maximum downtime) with RPO (maximum data loss) — RTO is time to recover, RPO is how much data you can lose
- Mixing up risk transfer and risk acceptance — insurance is transfer (shifting burden), not acceptance (living with risk)
- Forgetting residual risk — no control eliminates risk completely; residual risk must be formally accepted by management
- Confusing incremental and differential backups — incremental: since LAST backup; differential: since last FULL backup
- Thinking risk avoidance is always best — sometimes business value outweighs the risk, making mitigation or transfer more appropriate
Study Checklist for Risk Management
- ☑ Calculate SLE, ALE, and ARO from scenario descriptions
- ☑ Differentiate all four risk response strategies with examples
- ☑ Explain qualitative vs. quantitative risk analysis approaches
- ☑ Define BIA metrics: RTO, RPO, MTTR, MTBF with scenarios
- ☑ Classify controls by function and implementation type
- ☑ Compare hot, warm, and cold disaster recovery sites
- ☑ Differentiate full, incremental, and differential backups
- ☑ Understand risk appetite, tolerance, and threshold
- ☑ Review DR testing methods and their trade-offs
- ☑ Know the risk register purpose and components
Frequently Asked Questions
How many risk management questions are on the Security+ exam?
Domain 5 (20%). Expect 10-14 questions on risk assessment, response strategies, BIA, DR, and control categories.
What are the four risk response strategies?
Accept, Mitigate, Transfer, Avoid. Choose based on severity, cost, and business context.
What is quantitative vs. qualitative risk analysis?
Quantitative: dollar values (SLE, ALE). Qualitative: categories (H/M/L). Use quantitative for ROI; qualitative when data is limited.
What is a Business Impact Analysis?
Identifies critical functions and measures disruption impact using RTO, RPO, MTTR, MTBF. Drives DR planning.
What security control categories should I know?
Function: Preventive, Detective, Corrective, Deterrent, Compensating. Implementation: Technical, Administrative, Physical.
What disaster recovery concepts are tested?
Hot/Warm/Cold sites, Full/Incremental/Differential backups, and DR testing methods.
Practice Risk Management Questions Now
Our Smart Practice practice tests generate unlimited risk management questions for the CompTIA Security+ exam. Get instant feedback with detailed explanations.