Home/Glossary/Risk Assessment

Risk Assessment

A systematic process of identifying, analyzing, and evaluating cybersecurity risks to inform treatment decisions.

Risk & ResilienceAlso called: "cyber risk assessment", "information security risk assessment"

Risk assessments prioritize security investments based on business impact.

Risk formula

Risk = Likelihood × Impact

Assessment steps

  1. Identify assets: Systems, data, processes.
  2. Identify threats: Ransomware, insider threats, natural disasters.
  3. Identify vulnerabilities: Unpatched software, weak controls.
  4. Analyze likelihood: Probability of exploitation.
  5. Analyze impact: Business consequences if realized.
  6. Calculate risk: Combine likelihood and impact.
  7. Prioritize: Focus on high-risk scenarios.

Risk treatment options

  • Avoid: Eliminate the activity.
  • Mitigate: Implement controls to reduce risk.
  • Transfer: Insurance or outsourcing.
  • Accept: Acknowledge and monitor.

Frameworks

  • NIST RMF (Risk Management Framework).
  • ISO 27005 (Information Security Risk Management).
  • FAIR (Factor Analysis of Information Risk).

Related Tools

Related Articles

View all articles
Compliance Frameworks Complete Guide: HIPAA, SOC 2, ISO 27001, PCI-DSS & NIST

Compliance Frameworks Complete Guide: HIPAA, SOC 2, ISO 27001, PCI-DSS & NIST

Master IT compliance frameworks including HIPAA, SOC 2, ISO 27001, PCI-DSS, NIST, and GDPR. Complete guide with framework comparison, selection criteria, implementation roadmaps, and control mapping strategies.

Read article →
Shadow IT in the Cloud: Discovery, Risk Assessment, and Governance Strategies

Shadow IT in the Cloud: Discovery, Risk Assessment, and Governance Strategies

Employees adopt cloud services faster than IT can approve them. Learn how to discover shadow IT, assess risks, and implement governance that enables innovation while protecting the organization.

Read article →
Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud Penetration Testing: A Complete Guide for AWS, Azure, and GCP

Cloud penetration testing requires different approaches than traditional network testing. Learn cloud provider policies, testing methodologies, and common findings across AWS, Azure, and GCP environments.

Read article →
Security Awareness Training That Actually Works: Building a Security-First Culture

Security Awareness Training That Actually Works: Building a Security-First Culture

Most security awareness programs check compliance boxes but don't change behavior. Learn how to build training that engages employees, reduces risk, and creates lasting security culture.

Read article →

Explore More Risk & Resilience

View all terms

Business Impact Analysis (BIA)

An assessment that identifies critical business processes and quantifies the impact of their disruption.

Read more →

Cyber Insurance

Insurance coverage that protects organizations against financial losses from cyberattacks and data breaches.

Read more →

Data Breach Cost

The total financial impact of a security incident, including detection, response, notification, and long-term damages.

Read more →

Incident Response Plan (IRP)

A documented, tested approach for detecting, containing, and recovering from cybersecurity incidents.

Read more →

MITRE ATT&CK Framework

A globally accessible knowledge base of adversary tactics, techniques, and procedures mapped to the attack lifecycle.

Read more →

Ransomware

Malware that encrypts systems or exfiltrates data, demanding payment to restore access or prevent disclosure.

Read more →
Back to glossary