CISSP Domain 1

CISSP Risk Response & Threat Modeling (STRIDE)


On the CISSP, you never reach zero risk - you choose a treatment (mitigate, transfer, avoid, or accept) and formally sign off on the residual risk. This Domain 1 deep-dive covers the part of risk management that the exam tests hardest: deciding what to DO about a risk once you have measured it. With Bella, Erica, Sara, and Fenrir, we walk through the four-plus risk treatment options, residual risk and the control gap, how controls are classified on two axes (class and type), continuous monitoring with the NIST RMF and ISO 31000, and threat modeling with STRIDE, PASTA, DREAD, and attack trees.

In this video:

  • The four-plus treatment options and the transfer-versus-accept fork the exam loves
  • Residual risk explained: total risk minus the controls, and the control gap
  • Control classification on both axes, with an example of each class and type
  • Continuous monitoring and the NIST Risk Management Framework’s seven steps
  • STRIDE letter by letter, each threat mapped to a security pillar
  • Adversarial threat modeling when the asset being protected is an AI model

The next video in the series moves into supply chain risk management and security awareness training. This video is anchored to the (ISC)2 CISSP Detailed Content Outline effective April 15, 2024, and covers objectives 1.9 and 1.10.

Presented by Professor Erica — CISSP, CISM, PMP, M.S. Project Management, D.B.A. in progress.

▶ Watch next: CISSP Domain 1: Supply Chain & Awareness Training https://www.youtube.com/watch?v=s2ql-cUCsc4

📺 Full playlist: CISSP (2026) v2 https://www.youtube.com/playlist?list=PLlIAFxS2964_K3g6WysWnLpifoxilduGi


Key Topics

  • The Risk You Can Never Make Disappear
  • The Four Choices Every Manager Has
  • Transfer Versus Accept: The Exam's Favorite Fork
  • Residual Risk and the Control Gap
  • Control Classes: Who Enforces the Rule
  • Control Types: What the Control Actually Does
  • Continuous Monitoring and the Frameworks
  • Threat Modeling: Thinking Like the Attacker