Risk assessments prioritize security investments based on business impact.
Risk formula
Risk = Likelihood × Impact
Assessment steps
- Identify assets: Systems, data, processes.
- Identify threats: Ransomware, insider threats, natural disasters.
- Identify vulnerabilities: Unpatched software, weak controls.
- Analyze likelihood: Probability of exploitation.
- Analyze impact: Business consequences if realized.
- Calculate risk: Combine likelihood and impact.
- Prioritize: Focus on high-risk scenarios.
Risk treatment options
- Avoid: Eliminate the activity.
- Mitigate: Implement controls to reduce risk.
- Transfer: Insurance or outsourcing.
- Accept: Acknowledge and monitor.
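The steps and treatment options above, carried through as an added worked example (not code from the original page): a small risk register that applies Risk = Likelihood × Impact to constructed scenarios, ranks them, and maps each score to a tier with a default treatment. The 1..5 ordinal scale, the tier thresholds, the tier-to-treatment mapping, and the sample scenarios are all assumptions made for illustration, not values from any of the frameworks listed on this page.

```python
"""Added worked example: a minimal risk register that applies
Risk = Likelihood x Impact, ranks scenarios, and assigns a default
treatment tier. Scoring scale, thresholds and scenarios are assumed,
not taken from NIST RMF, ISO 27005 or FAIR."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed 1..5 ordinal scale for both factors


@dataclass(frozen=True)
class Scenario:
    asset: str          # what is at risk (system, data, process)
    threat: str         # what could go wrong
    vulnerability: str  # the weakness the threat would exploit
    likelihood: int     # probability of exploitation, 1 (rare) .. 5 (almost certain)
    impact: int         # business consequence if realized, 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a typo cannot skew ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def risk(self) -> int:
        """Risk = Likelihood x Impact, the formula given on the page."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class RatedScenario:
    scenario: Scenario
    score: int
    tier: str
    default_treatment: str


# Assumed thresholds mapping a score to a tier and a default treatment option.
# "Avoid" is deliberately not score-driven: eliminating an activity is a
# business decision that the number alone cannot make.
TIERS: List[Tuple[int, str, str]] = [
    (15, "High", "Mitigate"),
    (6, "Medium", "Transfer"),
    (SCALE_MIN * SCALE_MIN, "Low", "Accept"),
]


def classify(score: int) -> Tuple[str, str]:
    """Return (tier, default treatment) for a risk score."""
    for floor, tier, treatment in TIERS:
        if score >= floor:
            return tier, treatment
    raise ValueError(f"score {score} is below the minimum possible risk")


def prioritize(register: List[Scenario]) -> List[RatedScenario]:
    """Score every scenario and sort highest risk first; ties are broken by
    impact so a severe-but-rare scenario outranks a frequent-but-minor one."""
    rated = [RatedScenario(s, s.risk, *classify(s.risk)) for s in register]
    return sorted(rated, key=lambda r: (-r.score, -r.scenario.impact))


def heatmap(register: List[Scenario]) -> Dict[Tuple[int, int], List[str]]:
    """Group assets by (likelihood, impact) cell for a 5x5 risk-matrix view."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for s in register:
        cells.setdefault((s.likelihood, s.impact), []).append(s.asset)
    return cells


# Constructed sample register (illustrative values, not real measurements).
REGISTER = [
    Scenario("Customer database", "Ransomware", "Unpatched file server", 4, 5),
    Scenario("Payroll system", "Insider threat", "Weak access controls", 2, 4),
    Scenario("Office network", "Flood", "No offsite backup", 1, 5),
    Scenario("Marketing website", "Defacement", "Outdated CMS", 4, 2),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = r.scenario
        print(f"{r.score:>2} {r.tier:<6} {r.default_treatment:<9} "
              f"{s.asset} / {s.threat} / {s.vulnerability}")
```

Running the block lists the ransomware scenario first (score 20, High, Mitigate), then the two scenarios that tie at 8 with the higher-impact payroll case ahead, and the rare flood last (score 5, Low, Accept). The tie-break on impact is the kind of policy choice a real register needs to state explicitly, since a bare product loses that distinction.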
Frameworks
- NIST RMF (Risk Management Framework).
- ISO 27005 (Information Security Risk Management).
- FAIR (Factor Analysis of Information Risk).