Risk in Security

I typically don’t dwell on this topic unless I am asked to speak about it at a conference or group discussion. While I admit I do not have all the necessary certifications to be a subject matter expert, I certainly feel that to understand the importance of cybersecurity frameworks in OT security, you need to understand some basic math and statistics. This post introduces you to these fundamental concepts.

Where do I begin?

Math Concepts:

It all starts with understanding that there are many thoughts, ideas and methodologies in cybersecurity practice. One thing is for sure: you will need some basic understanding of math. If I were starting from nowhere, I would pick up a book on statistics and probability; however, some basic concepts such as uncertainty and risk are important enough to cover here.

There is one important and vital concept that you need to understand very well: uncertainty. As in the case of a data breach, we are not certain, or we lack the data / information, to calculate the true outcome of a data breach or when the data breach will actually occur. For example:

“There is a 35% chance that company ABC will have a data breach / data leak incident sometime in the next four years”

The objective is to be able to measure something and predict an outcome. In this particular example, we are very certain when something will happen.

“There is a 30% chance that company ABC will have a cyberattack in the form of data breach or data leak in the next three years”

Here is the same example, this time with certainty about what will result (a loss) from the data breach to the organization:

“There is a 20% chance that a data breach or data leak will result in a fine under GDPR regulation in the amount of $5 million for company ABC”

Risk Terminologies

For cybersecurity and other risk management methodologies, understanding terms such as Vulnerability (V), Threat (T), Impact (I) and Likelihood (L) is essential to be able to measure risk and apply countermeasures. I also want to point out that there are two important methods of risk management: a qualitative approach (subjective) and a quantitative approach. Which approach is better? There are studies out there that suggest otherwise. Read What’s Wrong with Risk Matrices? by Tony Cox (Link to original publication)

However, if you are a beginner in risk analysis, I certainly recommend you start with qualitative analysis to build your understanding. Also, choosing between the two is like choosing between a scoop of vanilla ice cream in a cup and a spoon of vanilla Dippin’ Dots.

In order to understand both the qualitative and quantitative approaches to risk analysis, there are some key risk terminologies that one needs to understand.

The case of the Sandwich Thief.

Let us say I have a special sandwich, my asset, which is very valuable and may have some secret sauce or ingredient. The value of this asset is $10; this is how much it cost me to make it. Now, if I really want to protect this from a sandwich thief, I would like to know how valuable it is. Did I not say $10? But that is not its true value. If I were to lose the $10 sandwich, it might cost me $30. Why? Well, you see, when the sandwich was made the ingredients were cheaper, maybe I got a discounted price, or I might spend $20 on refrigeration over its shelf life. Understanding this value is very important because, if I were to put a countermeasure in place, such as a lock on a cabinet or something more secure than that, then I want to make sure I am not spending more than the asset is worth. Who makes that decision?

Vulnerability (V):

In cybersecurity, a vulnerability is a flaw, a weakness, a missing defense. This can be accidental or intentionally put in place.

A real-world analogy: “Padlocks are the easiest to pick, as they have a massive vulnerability in the form of easy access to the locking pin and cylinder mechanism, which can be aligned to pop open the lock.”

Threat (T):

A threat is the potential for a vulnerability to be exploited, which could result in a negative outcome. In cybersecurity, a threat is the exploitation of a vulnerability in a network, software or hardware that will allow a threat actor to gain privileged access to the system.

For example, a sandwich thief (threat actor) is a threat to your sandwich that is stored in a kitchen cabinet with a padlock. How do we compute risk from threat and vulnerability?

Impact (I):

Before we are able to define the risk, we also need to know what this incident would cost. Impact is the magnitude of harm that can be expected to result from a threat exploiting a vulnerability.

A sandwich stolen from the locked kitchen cabinet will result in a loss of $30 to your net worth.

We are almost ready to calculate risk. However, while picking the padlock may seem easy enough for the thief, what if I told you the kitchen is located in an armed location with 24 hours / 7 days a week surveillance and monitoring? Then what is the likelihood of such an event (incident) even taking place? You could say improbable, or no chance at all, and the impact would be moderate (subjective analysis).

We can express impact subjectively as follows:

Example 1:
Negligible-1, Minor-2, Moderate-3, Significant-4, Severe-5

Example 2:
Low-1, Moderate-2, High-3

Likelihood (L):

This is the probability that a threat will exploit the vulnerability. It is usually not a specific number but a range.

Example 1:
Frequently – 5, Likely-4, Occasionally-3, Very Seldom-2, Not Likely at all-1

Example 2:
1=very unlikely, 2=low likelihood, 3=likely, 4=highly likely, and 5=near certain.

Risk Matrix / Risk Heat Map:

As you can see, we can then draw this Risk Matrix, also called as a Risk Heat Map.

As you can see, the qualitative analysis process involves judgment, intuition, and experience. For example, if I am a CSSP – Certified Sandwich Security Professional, with my intuition and judgement I can categorize the risk of a sandwich thief stealing the sandwich as LOW, based on my understanding that it is unlikely for the sandwich thief to get into the kitchen and steal the sandwich, which could have a potential loss of $30, which is moderate. So, would I invest in putting any countermeasures in place? As this risk is low, I would not consider it and would accept this low risk.
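To make the qualitative process above concrete, here is a small Python example (added here, not code from the original post) that encodes the post’s “Example 1” impact and likelihood scales, builds the 5x5 Risk Heat Map, rates the sandwich scenario, and applies the post’s two decision rules: accept a LOW risk, and never spend more on a countermeasure than the asset’s true value. The score bands for LOW / MEDIUM / HIGH are this example’s own assumption; the post does not specify where those boundaries fall.

```python
from dataclasses import dataclass
from typing import List

# Scales taken from "Example 1" in the post.
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Significant": 4, "Severe": 5}
LIKELIHOOD = {"Not Likely at all": 1, "Very Seldom": 2, "Occasionally": 3,
              "Likely": 4, "Frequently": 5}

# Assumption (not from the post): where the LOW / MEDIUM / HIGH bands fall
# on the 5x5 product score. Adjust to your own organisation's heat map.
BANDS = ((1, 6, "LOW"), (7, 14, "MEDIUM"), (15, 25, "HIGH"))
BAND_ORDER = ("LOW", "MEDIUM", "HIGH")


def risk_score(likelihood: str, impact: str) -> int:
    """Cell value of the heat map: ordinal likelihood x ordinal impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(likelihood: str, impact: str) -> str:
    """Map a cell score onto the (assumed) qualitative bands."""
    s = risk_score(likelihood, impact)
    for low, high, label in BANDS:
        if low <= s <= high:
            return label
    raise ValueError(f"score {s} is outside the 5x5 matrix")


def heat_map() -> List[List[str]]:
    """Rows are likelihood 1..5, columns are impact 1..5 (the Risk Heat Map)."""
    likelihoods = sorted(LIKELIHOOD, key=LIKELIHOOD.get)
    impacts = sorted(IMPACT, key=IMPACT.get)
    return [[risk_rating(l, i) for i in impacts] for l in likelihoods]


@dataclass
class Scenario:
    asset: str
    true_value: float      # what losing it really costs, not what it cost to make
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def treatment(scenario: Scenario, countermeasure_cost: float,
              tolerance: str = "LOW") -> str:
    """Apply the post's two rules: accept risk at or below the tolerance band;
    otherwise mitigate only if the countermeasure costs no more than the asset."""
    rating = risk_rating(scenario.likelihood, scenario.impact)
    if BAND_ORDER.index(rating) <= BAND_ORDER.index(tolerance):
        return "accept"
    if countermeasure_cost > scenario.true_value:
        return "accept: countermeasure costs more than the asset is worth"
    return "mitigate"


# The post's sandwich scenario: $30 true value, guarded kitchen, moderate impact.
SANDWICH = Scenario(asset="special sandwich", true_value=30.0,
                    threat="sandwich thief",
                    vulnerability="pickable padlock on kitchen cabinet",
                    likelihood="Not Likely at all", impact="Moderate")

if __name__ == "__main__":
    for row in heat_map():
        print(" ".join(f"{cell:6}" for cell in row))
    print(risk_rating(SANDWICH.likelihood, SANDWICH.impact))   # LOW
    print(treatment(SANDWICH, countermeasure_cost=45.0))        # accept
```

Change the likelihood to "Frequently" (say, the kitchen is unguarded) and the same scenario rates HIGH; then `treatment` will only recommend mitigation when the lock costs $30 or less, which is the point the sandwich story makes about knowing an asset’s true value before buying a countermeasure.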

End of this lesson, keep an eye out for more. Next- Quantitative Approach.

Jam 6: Session 1: Networks and OSI Model


This session covers very basic concepts of Network and OSI Model. Domain 4 of CISSP.

Presentation Files:

CISSP is an Entry Level Certification.


No, it is not. The ISC2’s CISSP Exam was a very intense exam even for someone with 15+ years in the IT industry who has applied IT security in day-to-day job duties (yeah, that is me 😉).

The last time I heard, entry level means someone is at the lowest level of an employment hierarchy; it just means that they are starting out, which could be 1 to 3 years of industry experience. If someone says or writes that CISSP is an entry level certification, please refer them to me. I will get the CISSP community to weigh in, reach out to them and do our due diligence. Or simply direct them to ISC2’s requirements section. (Required Experience)

So why was this post necessary?
It is because of CIO.com’s recently published article which claims CISSP is an entry level Certification. Below is a tweet of that article.

Why am I writing this post?
Because CISSP is not an entry level certification, and it takes 5+ years of experience in two (out of eight) of the security domains to get this credential next to one’s name. The exam is also not easy or simple. It takes more than just knowing the IT security concepts to answer the 150 questions in three hours.

Without a real understanding of IT security concepts, and without sufficient experience applying these various security concepts in real-world scenarios, you will be left playing Eeny, meeny, miny, moe, which gives you just under a 2% success rate according to these math geeks. (Link)

Why the Click Bait?
If you saw a post or a NEWS article claiming CISSP is an entry level certification, then it is definitely click bait; just look at the views on this post 😊 (I am guessing it must be in the hundreds by now; it was only posted on 10/4/2020). Just demonstrating… or am I?



What does ISC2 have to say about all this?
Here is ISC2’s tweet responding to an individual, confirming they are also aware of this incorrect classification of the CISSP certification in the specific CIO article:

Still not convinced?
Then I suggest you join this Discord group called Certification Station. No, this is not an advertisement and they are not selling anything; it is a group of professionals in IT security who like to hang out and learn together. Check them out here: https://certificationstation.org/


If you would like to subscribe to this blog, simply follow me on LinkedIn or Twitter and you will see any new alerts and posts directly on these two platforms.

Jam 5: Session 1: General Discussion on Forensics for CISSP.


Video is Hosted On YouTube

This session covers the various Investigations and Terms Related to Computer Forensics.

Presentation Files:

Stop Posting Pictures of Your Certifications and Employee ID cards.


Congratulations! You made it! You achieved it. Now make sure you secure it.

If you just passed an exam and had an urge to post a picture with your certificate, or if you just retired or were just hired by your dream company and posted a picture of your ID card or your certification, then this article is for you. Hundreds of these pictures are now showing up online on websites that are soliciting fake degrees, certifications, jobs, and more.

While you are proud of your accomplishments, make sure you do not post photos publicly that reveal your name, certificate, and other details. A photo with a face and a certificate in your hands can be used to advertise anything, and an acquaintance of mine recently shared a disturbing story.

This individual, whom I call Mr. Good, had recently passed his CISSP exam and, like most of us, had posted it on LinkedIn. Mr. Good is normally a very private person, but LinkedIn is a social community where he spends most of his time socializing. Thanks to the tens of different privacy controls on LinkedIn, it has gotten even more confusing when you post an update. So, out of mere excitement and innocence, he posted his picture. He was proud. A few days later, he discovered, by accident, a photo circulating on Facebook with several others soliciting the sale of illegal certificates such as CISSP and other exams.

That was it for Mr. Good; he immediately removed the picture from his post. But wait: his photo, stolen from LinkedIn, is being used by someone claiming to be him. Mr. Bad did not even bother to blur out Mr. Good’s name on the certification photo. Getting it taken down would take several attempts, which included contacting Facebook to remove the post. Facebook is looking into his query, which by the way is probably 1 in a million, and the photo will continue to be online until it is removed.

Here are some examples that I found online.

Real Example 1: 

John Cam (fake name) claims to sell CISSP certificates on Facebook with the image on the side. He was a little generous and clipped the picture to remove the face. Image 1 is taken from a publicly posted image on a LinkedIn profile post, Image 2.

I have pixelated the face to protect the individual.

Image 1
Image 2

Real Example 2:

Here is the same individual selling illegal certifications, this time IELTS certifications without sitting the exam. Not sure how it works or whether it is a money-making scheme based on fraud.

I have already reported this individual on Facebook, but upon doing a simple web search, I found this individual/group has posted on several popular web services such as TripAdvisor, Pinterest and Medium.

What can you do?

If you come across such advertisements or postings, simply report them as spam or use the reporting methods provided. For example, TripAdvisor provides an option on a photo to report it. Pinterest provides a feature for reporting pins and users.

Do not take photos of your employer ID cards, certificates, and degrees and post them publicly. I understand we all have a tendency to post on social media such as LinkedIn, Facebook and Instagram, but think about the profound negative effects on your identity if these posts and images were exploited.

Over and Out! Stay safe, think before you click (anywhere).



Jam 4: Session 2: General Discussion on Software Testing.


Video is hosted on YouTube. Please Subscribe to my channel – Security Bits

This session covers the various Testing Methods and Types in SDLC Phases with loads of Questions and a Quiz in the end.

Presentation Files:

Jam 2: Session 2: General Discussion on Cloud for CISSP. Common Threats & Vulnerabilities.


This session covers the most common types of Threats and Vulnerabilities namely,

  1. Data Breaches
  2. Insufficient Identity, Credential and Access Management
  3. Insecure Interfaces and APIs
  4. System Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Vulnerabilities

Presentation Files: