Skip to main content
Home/Glossary/Risk Assessment

Risk Assessment

A systematic process of identifying, analyzing, and evaluating cybersecurity risks to inform treatment decisions.

Risk & ResilienceAlso called: "cyber risk assessment", "information security risk assessment"

Risk assessments prioritize security investments based on business impact.

Risk formula

Risk = Likelihood × Impact

Assessment steps

  1. Identify assets: Systems, data, processes.
  2. Identify threats: Ransomware, insider threats, natural disasters.
  3. Identify vulnerabilities: Unpatched software, weak controls.
  4. Analyze likelihood: Probability of exploitation.
  5. Analyze impact: Business consequences if realized.
  6. Calculate risk: Combine likelihood and impact.
  7. Prioritize: Focus on high-risk scenarios.

Risk treatment options

  • Avoid: Eliminate the activity.
  • Mitigate: Implement controls to reduce risk.
  • Transfer: Insurance or outsourcing.
  • Accept: Acknowledge and monitor.

Frameworks

  • NIST RMF (Risk Management Framework).
  • ISO 27005 (Information Security Risk Management).
  • FAIR (Factor Analysis of Information Risk).

Related Tools

Related Articles

View all articles
Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

Physical Security & CPTED: The Complete Guide to Protecting Facilities, Data Centers, and Critical Assets

A comprehensive guide to physical security covering CPTED principles, security zones, access control, fire suppression, and environmental controls for protecting facilities and data centers.

Read article →
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
Shadow IT in the Cloud: Discovery, Risk Assessment, and Governance Strategies

Shadow IT in the Cloud: Discovery, Risk Assessment, and Governance Strategies

Employees adopt cloud services faster than IT can approve them. Learn how to discover shadow IT, assess risks, and implement governance that enables innovation while protecting the organization.

Read article →
Cloud Security Assessment: A Complete Guide

Cloud Security Assessment: A Complete Guide

We uncover the hidden misconfigurations and over-permissioned access putting your cloud environment at risk — and show you exactly how to fix them, fast.

Read article →

Explore More Risk & Resilience

View all terms

Business Impact Analysis (BIA)

An assessment that identifies critical business processes and quantifies the impact of their disruption.

Read more →

Cyber Insurance

Insurance coverage that protects organizations against financial losses from cyberattacks and data breaches.

Read more →

Data Breach Cost

The total financial impact of a security incident, including detection, response, notification, and long-term damages.

Read more →

Incident Response Plan (IRP)

A documented, tested approach for detecting, containing, and recovering from cybersecurity incidents.

Read more →

MITRE ATT&CK Framework

A globally accessible knowledge base of adversary tactics, techniques, and procedures mapped to the attack lifecycle.

Read more →

Ransomware

Malware that encrypts systems or exfiltrates data, demanding payment to restore access or prevent disclosure.

Read more →
Back to glossary