Home/Glossary/Risk Assessment

Risk Assessment

A systematic process of identifying, analyzing, and evaluating cybersecurity risks to inform treatment decisions.

Risk & ResilienceAlso called: "cyber risk assessment", "information security risk assessment"

Risk assessments prioritize security investments based on business impact.

Risk formula

Risk = Likelihood × Impact

Assessment steps

  1. Identify assets: Systems, data, processes.
  2. Identify threats: Ransomware, insider threats, natural disasters.
  3. Identify vulnerabilities: Unpatched software, weak controls.
  4. Analyze likelihood: Probability of exploitation.
  5. Analyze impact: Business consequences if realized.
  6. Calculate risk: Combine likelihood and impact.
  7. Prioritize: Focus on high-risk scenarios.

Risk treatment options

  • Avoid: Eliminate the activity.
  • Mitigate: Implement controls to reduce risk.
  • Transfer: Insurance or outsourcing.
  • Accept: Acknowledge and monitor.

Frameworks

  • NIST RMF (Risk Management Framework).
  • ISO 27005 (Information Security Risk Management).
  • FAIR (Factor Analysis of Information Risk).

Related Tools

Related Articles

View all articles
Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

A comprehensive guide to physical security covering CPTED principles, security zones, access control, fire suppression, and environmental controls for protecting facilities and data centers.

Read article →
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud penetration testing requires different approaches than traditional network testing. Learn cloud provider policies, testing methodologies, and common findings across AWS, Azure, and GCP environments.

Read article →
Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compare leading compliance automation platforms including Vanta, Drata, Secureframe, Sprinto, and Thoropass. Evaluate features, pricing, integrations, and framework support to choose the right GRC tool for your organization's SOC 2, ISO 27001, and HIPAA compliance needs.

Read article →

Explore More Risk & Resilience

View all terms

Business Impact Analysis (BIA)

An assessment that identifies critical business processes and quantifies the impact of their disruption.

Read more →

Cyber Insurance

Insurance coverage that protects organizations against financial losses from cyberattacks and data breaches.

Read more →

Data Breach Cost

The total financial impact of a security incident, including detection, response, notification, and long-term damages.

Read more →

Incident Response Plan (IRP)

A documented, tested approach for detecting, containing, and recovering from cybersecurity incidents.

Read more →

MITRE ATT&CK Framework

A globally accessible knowledge base of adversary tactics, techniques, and procedures mapped to the attack lifecycle.

Read more →

Ransomware

Malware that encrypts systems or exfiltrates data, demanding payment to restore access or prevent disclosure.

Read more →
Back to glossary