Appendix: Key Formulas & Acronyms

Risk Formulas (Domain 1)

Formula                                            Meaning
SLE = AV × EF                                      Single Loss Expectancy = Asset Value × Exposure Factor
ALE = SLE × ARO                                    Annualized Loss Expectancy = SLE × Annualized Rate of Occurrence
Total Risk = Threat × Vulnerability × Asset Value  Qualitative risk
Residual Risk = Total Risk - Controls              Risk remaining after controls
Safeguard Value = (ALE₁ - ALE₂) - Cost             Is the control worth it? ALE₁ is the loss before the control, ALE₂ after it; a positive value means the control pays for itself
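The risk formulas above carried through on a small scenario, as an added example that is not part of the original study guide: SLE and ALE are computed before and after each candidate control, and the safeguard value decides which control is worth buying. The asset value, exposure factors, rates and control costs are constructed for illustration.

```python
from dataclasses import dataclass

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF; EF is the fraction of the asset lost in one incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected incidents per year (0.1 = once a decade)."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

@dataclass
class Control:
    name: str
    new_exposure_factor: float  # EF once the control is in place
    new_aro: float              # ARO once the control is in place
    annual_cost: float          # yearly cost of owning and operating it

def safeguard_value(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """Safeguard Value = (ALE1 - ALE2) - Cost; positive means the control pays for itself."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.new_exposure_factor), control.new_aro)
    return (ale_before - ale_after) - control.annual_cost

def rank_controls(asset_value, ef, aro, controls):
    """(name, safeguard value) pairs, most cost-effective first."""
    scored = [(c.name, safeguard_value(asset_value, ef, aro, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario: a $200,000 customer database, a breach costs 25% of it,
# and history suggests one such breach every two years (ARO = 0.5).
ASSET_VALUE, EF, ARO = 200_000.0, 0.25, 0.5
CONTROLS = [
    Control("WAF", new_exposure_factor=0.10, new_aro=0.5, annual_cost=8_000.0),
    Control("Managed SOC", new_exposure_factor=0.25, new_aro=0.1, annual_cost=25_000.0),
    Control("Premium appliance", new_exposure_factor=0.05, new_aro=0.2, annual_cost=30_000.0),
]

if __name__ == "__main__":
    for name, value in rank_controls(ASSET_VALUE, EF, ARO, CONTROLS):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name:20s} safeguard value = {value:>10,.0f}  ({verdict})")
```

Only the WAF has a positive safeguard value here (7,000 per year); the other two controls cost more than the loss they avoid, so by this formula they are not worth it even though they reduce risk more.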

DR/BCP Metrics (Domain 7)

Metric  Meaning
RTO     Recovery Time Objective — max acceptable downtime
RPO     Recovery Point Objective — max acceptable data loss (measured as time)
MTD     Maximum Tolerable Downtime — beyond this, business fails
MTBF    Mean Time Between Failures — reliability
MTTR    Mean Time To Repair — recoverability

Security Models (Domain 3)

Model          Focus            Rule
Bell-LaPadula  Confidentiality  No read up, no write down
Biba           Integrity        No read down, no write up
Clark-Wilson   Integrity        Well-formed transactions, separation of duties

Access Control Models (Domain 5)

Model  Who Decides
DAC    Owner (discretionary)
MAC    System/policy (mandatory labels)
RBAC   Roles (job function)
ABAC   Attributes (rules engine)

ISC2 Code of Ethics (Domain 1)

  1. Protect society, the common good, necessary public trust, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession

IR Phases (Domain 7)

  1. Preparation
  2. Detection and Analysis
  3. Containment
  4. Eradication
  5. Recovery
  6. Post-Incident Activity (Lessons Learned)

OWASP Top 10 (Domain 8)

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable Components
  7. Auth Failures
  8. Software/Data Integrity Failures
  9. Logging/Monitoring Failures
  10. Server-Side Request Forgery (SSRF)