A risk assessment is a systematic process for identifying, analyzing, and evaluating cybersecurity risks to an organization. It determines what assets are at risk, what threats exist, what vulnerabilities could be exploited, and what the business impact would be if a risk materialized.
Risk assessment follows a structured methodology:
1. Asset Identification: Inventory all information assets, systems, data stores, and business processes. You cannot protect what you do not know you have.
2. Threat Identification: Determine what threats apply to your environment. Sources include threat intelligence feeds, industry-specific threat reports, historical incident data, and regulatory guidance.
3. Vulnerability Assessment: Identify weaknesses in systems, processes, and controls that could be exploited. Includes technical vulnerability scanning, configuration review, and process analysis.
4. Impact Analysis: Determine the business impact if each risk materializes. Measured in financial terms (direct costs, regulatory fines, lost revenue, reputational damage) or operational terms (downtime, data loss, safety impact).
5. Likelihood Assessment: Estimate the probability of each risk occurring. Factors include threat actor capability, vulnerability exploitability, existing controls, and historical frequency.
6. Risk Evaluation: Combine impact and likelihood to prioritize risks. Methods range from qualitative (High/Medium/Low matrices) to quantitative (FAIR framework, Monte Carlo simulation).
7. Risk Treatment: For each risk, choose: mitigate (implement controls), transfer (insurance), accept (documented decision), or avoid (eliminate the activity).
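The seven steps above come together in a risk register. The following is an added worked example, not code from the original page or from any methodology it names: it records each risk with its asset, threat, vulnerability, impact and likelihood (steps 1 to 5), scores it both qualitatively (a 3x3 likelihood-by-impact matrix) and quantitatively (a Monte Carlo estimate of annualised loss from a FAIR-style loss event frequency and per-event loss range, step 6), and maps the rating to a treatment option (step 7). The sample risks, frequencies, loss ranges and the rating-to-treatment policy are all constructed for illustration and are not figures from the page.

```python
import math
import random
import statistics
from dataclasses import dataclass

# Qualitative scale used by the 3x3 matrix (assumed scale, not from the page)
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    asset: str                    # step 1: the asset at risk
    threat: str                   # step 2: the applicable threat
    vulnerability: str            # step 3: the exploitable weakness
    impact: str                   # step 4: business impact (Low/Medium/High)
    likelihood: str               # step 5: probability (Low/Medium/High)
    events_per_year: float = 0.0  # FAIR-style loss event frequency (quantitative input)
    loss_min: float = 0.0         # per-event loss, lower bound
    loss_max: float = 0.0         # per-event loss, upper bound


def qualitative_score(risk: Risk) -> int:
    """Step 6, qualitative: matrix score = likelihood x impact, range 1..9."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def rating(score: int) -> str:
    """Bucket a matrix score into a High/Medium/Low rating (assumed thresholds)."""
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def _poisson(rng: random.Random, lam: float) -> int:
    """Sample the number of loss events in one year (Knuth's method)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def monte_carlo_ale(risk: Risk, trials: int = 10_000, seed: int = 0):
    """Step 6, quantitative: simulate annual loss, return (mean, 90th percentile).
    Event count ~ Poisson(events_per_year); per-event loss ~ Uniform(loss_min, loss_max)."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    annual = []
    for _ in range(trials):
        n = _poisson(rng, risk.events_per_year)
        annual.append(sum(rng.uniform(risk.loss_min, risk.loss_max) for _ in range(n)))
    annual.sort()
    return statistics.mean(annual), annual[int(0.9 * (trials - 1))]


def recommend_treatment(risk: Risk) -> str:
    """Step 7: illustrative policy keyed on rating (a real policy is a business decision)."""
    return {"High": "mitigate", "Medium": "transfer", "Low": "accept"}[rating(qualitative_score(risk))]


def build_register(risks):
    """Prioritise the register by qualitative score, highest first."""
    return sorted(risks, key=qualitative_score, reverse=True)


# Constructed sample register: illustrative entries, not real organisational data
SAMPLE_RISKS = [
    Risk("Customer database", "External attacker", "Missing security patches", "High", "Medium",
         events_per_year=0.5, loss_min=50_000, loss_max=250_000),
    Risk("Payroll system", "Insider", "Excessive access rights", "Medium", "Low",
         events_per_year=0.1, loss_min=10_000, loss_max=40_000),
    Risk("Public website", "Hacktivist", "No DDoS protection", "Low", "High",
         events_per_year=2.0, loss_min=1_000, loss_max=5_000),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_RISKS):
        mean, p90 = monte_carlo_ale(r)
        score = qualitative_score(r)
        print(f"{r.asset:18} score={score} ({rating(score)}) "
              f"ALE~${mean:,.0f} p90=${p90:,.0f} -> {recommend_treatment(r)}")
```

The qualitative and quantitative views rank the same register differently: the website's frequent, cheap outages score Medium on the matrix but carry a small annualised loss, while the database risk is both High and the dominant loss driver, which is the kind of discrepancy a quantitative pass is meant to surface before budget is allocated.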
Risk assessment is the foundation of every cybersecurity program. Without it, security investments are driven by vendor marketing rather than by organizational risk: organizations that skip risk assessment overspend on low-priority areas and underspend on high-priority ones.
Risk assessment is the entry point for the RGA (Risk Governance and Assurance) domain. Mission RGA-R02 (Risk Register Baseline) establishes the organization's first formal risk register. The Perpetual Compliance Assurance (PCA) methodology treats risk assessment as a continuous process, not an annual checkbox.
CDA uses the FAIR (Factor Analysis of Information Risk) framework for quantitative risk analysis in mission RGA-H02, translating technical risks into financial terms that boards and executives can act on.