You get a scenario question on the SY0-701. A company's database can lose at most 15 minutes of transactions, and it has to be back online within 2 hours of an outage. The question asks which metric describes the 15 minutes. If you have to stop and think, you are not alone. The recovery and risk metrics are some of the easiest points on the exam to bank and some of the easiest to throw away, because four of them sound almost identical and the test writers know it.
Here is how I finally got them to stick.
The two recovery metrics: RTO and RPO
Both are about time, but they measure different things. The trick is to anchor each one to the moment of the outage.
RPO, recovery point objective, looks backward from the outage. It answers "how much data can we afford to lose?" If your RPO is 15 minutes, your backups or replication have to be recent enough that you never lose more than 15 minutes of work. RPO drives how often you back up.
RTO, recovery time objective, looks forward from the outage. It answers "how long can we be down?" If your RTO is 2 hours, you have 2 hours to restore service before the impact becomes unacceptable. RTO drives your recovery plan and your hot, warm, or cold site decision.
So in the scenario above, the 15 minutes is the RPO and the 2 hours is the RTO. The one line that keeps me honest: RPO is about data, RTO is about downtime.
The two reliability metrics: MTBF and MTTR
These describe hardware and systems over their whole lifetime, not a single incident.
MTBF, mean time between failures, is how long something runs before it breaks, on average. Higher is better. You use it to predict reliability and plan replacements.
MTTR, mean time to repair, is how long it takes to fix the thing once it breaks. Lower is better.
The exam likes to pair these with a maintenance or purchasing scenario. If a question asks how often a component fails, that is MTBF. If it asks how quickly you can get it running again, that is MTTR. One is about lifespan, the other is about repair speed.
A quick way to not swap them: "between failures" has the word failures in it, so it is the gap between breakdowns. "Time to repair" says repair right on the label.
While we are doing numbers: SLE, ALE, ARO
The other place Security+ makes you calculate is quantitative risk analysis. These three are a short formula chain, not three definitions to memorize cold.
Start with the asset value (AV), what the asset is worth. The exposure factor (EF) is the percentage of that value you would lose in one incident.
- SLE (single loss expectancy) = AV x EF. The cost of one bad event.
- ARO (annualized rate of occurrence) = how many times per year you expect it.
- ALE (annualized loss expectancy) = SLE x ARO. The yearly cost.
Worked example. A laptop fleet is worth 50,000 dollars. A theft event typically costs 20 percent of that, so EF is 0.2. SLE is 50,000 x 0.2 = 10,000. If you expect three thefts a year, ARO is 3, and ALE is 10,000 x 3 = 30,000. Now you can argue for a control that costs less than 30,000 a year. That last comparison, ALE against the cost of a control, is usually the real point of the question.
The traps to watch for
- A question hands you AV and EF and asks for ALE directly. You have to compute SLE first, then multiply by ARO. Skipping the middle step is the classic mistake.
- RTO and RPO get swapped because both are measured in time. Re-read and ask whether the sentence describes lost data or lost uptime.
- MTBF and MTTR show up in the same answer list on purpose. Slow down and check whether the scenario is about failing or about fixing.
How to actually drill these
Definitions do not survive contact with a worded scenario. The only thing that worked for me was running scenario questions until the right metric jumped out before I finished reading the stem. I have been building practice sets around exactly these stumbling points at secplusmastery.com, and there is a free diagnostic at secplusmastery.com/diagnostic that will show you fast whether risk and recovery is one of your weak domains, before you spend money on a voucher.
Get these four metrics and the SLE to ALE chain automatic and you have a handful of guaranteed points sitting there waiting, while everyone else is still squinting at the answer choices trying to remember which one means data loss.
Top comments (0)