Opening Framing
Every organization faces more security risks than it can possibly address with available resources. Risk assessment provides a systematic method for identifying, analyzing, and prioritizing risks so that security investments target what matters most. Without structured risk assessment, organizations either spread resources too thin trying to protect everything, or make decisions based on gut feeling, headlines, or vendor marketing rather than actual risk.
Risk assessment isn't a one-time activity—it's an ongoing process that must evolve as the business changes, new threats emerge, and the technology landscape shifts. Effective risk assessment requires understanding assets and their value, threats that could affect them, vulnerabilities that could be exploited, and existing controls that provide protection.
This week covers major risk assessment frameworks including NIST Risk Management Framework (RMF) and ISO 27005, asset identification and classification, threat identification, vulnerability assessment approaches, and building comprehensive risk assessments. You'll learn to systematically identify and document risks as the foundation for risk management decisions.
Key insight: Risk assessment is about making informed decisions under uncertainty, not achieving perfect knowledge.
1) Risk Fundamentals
Understanding risk terminology and concepts provides the foundation for effective risk assessment:
Risk Terminology:
CORE DEFINITIONS:
┌─────────────────────────────────────────────────────────────┐
│ RISK: │
│ The potential for loss or harm when a threat exploits │
│ a vulnerability to impact an asset. │
│ │
│ Risk = f(Threat, Vulnerability, Impact) │
│ │
│ Or more precisely: │
│ Risk = Likelihood × Impact │
│ │
│ Where Likelihood = f(Threat Capability, Vulnerability) │
└─────────────────────────────────────────────────────────────┘
KEY COMPONENTS:
┌─────────────────────────────────────────────────────────────┐
│ ASSET: │
│ Something of value to the organization │
│ - Data (customer info, intellectual property, financials) │
│ - Systems (servers, applications, networks) │
│ - People (employees, contractors) │
│ - Facilities (offices, data centers) │
│ - Reputation (brand, customer trust) │
│ │
│ THREAT: │
│ A potential cause of unwanted impact │
│ - Threat actors (hackers, insiders, nation-states) │
│ - Natural events (disasters, pandemics) │
│ - Accidents (human error, equipment failure) │
│ │
│ VULNERABILITY: │
│ A weakness that can be exploited by a threat │
│ - Technical (unpatched software, misconfigurations) │
│ - Process (lack of procedures, weak controls) │
│ - Human (susceptibility to phishing, errors) │
│ │
│ IMPACT: │
│ The consequence when a risk materializes │
│ - Financial (direct costs, fines, lost revenue) │
│ - Operational (downtime, productivity loss) │
│ - Reputational (brand damage, customer loss) │
│ - Legal/Regulatory (penalties, lawsuits) │
│ - Safety (physical harm) │
│ │
│ CONTROL: │
│ A measure that modifies risk │
│ - Preventive (stop incidents from occurring) │
│ - Detective (identify incidents when they occur) │
│ - Corrective (respond to and recover from incidents) │
└─────────────────────────────────────────────────────────────┘
RISK EQUATION ILLUSTRATED:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌──────────────┐ │
│ │ THREAT │──────┐ │
│ │ (Attacker) │ │ │
│ └──────────────┘ │ │
│ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │VULNERABILITY │─►│ ASSET │─►│ IMPACT │ │
│ │ (Weakness) │ │ (Value) │ │ (Consequence)│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ Threat exploits vulnerability to harm asset causing impact│
│ │
│ ┌──────────────┐ │
│ │ CONTROL │ Reduces likelihood or impact │
│ │(Safeguard) │ │
│ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
Types of Risk:
Risk Categories:
BY SOURCE:
┌─────────────────────────────────────────────────────────────┐
│ External Risks: │
│ - Cyber attacks (ransomware, data breaches) │
│ - Natural disasters │
│ - Supply chain disruption │
│ - Regulatory changes │
│ - Economic conditions │
│ │
│ Internal Risks: │
│ - Insider threats (malicious or negligent) │
│ - Process failures │
│ - Technology failures │
│ - Human error │
│ - Organizational change │
└─────────────────────────────────────────────────────────────┘
BY TREATMENT STATUS:
┌─────────────────────────────────────────────────────────────┐
│ Inherent Risk: │
│ Risk level before any controls are applied │
│ The "raw" risk that exists naturally │
│ │
│ Residual Risk: │
│ Risk level remaining after controls are applied │
│ What you actually live with day-to-day │
│ │
│ Target Risk: │
│ Desired risk level after planned controls │
│ What you're working toward │
│ │
│ ┌───────────────────────────────────────────────────────┐ │
│ │ │ │
│ │ Inherent ──► Controls Applied ──► Residual │ │
│ │ Risk Risk │ │
│ │ (High) (Lower) │ │
│ │ │ │
│ │ If Residual > Risk Appetite, more controls needed │ │
│ │ │ │
│ └───────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
RISK APPETITE vs TOLERANCE:
┌─────────────────────────────────────────────────────────────┐
│ Risk Appetite: │
│ - Strategic level of risk organization is willing to accept │
│ - Set by board/executives │
│ - Guides overall risk-taking behavior │
│ - Example: "We will not accept risks that could result │
│ in regulatory sanctions" │
│ │
│ Risk Tolerance: │
│ - Tactical acceptable variation from appetite │
│ - Operational boundaries │
│ - Example: "Critical vulnerabilities must be remediated │
│ within 7 days" │
│ │
│ Risk Threshold: │
│ - Specific trigger point requiring action │
│ - Example: "Any risk rated 'Critical' requires executive │
│ review within 24 hours" │
└─────────────────────────────────────────────────────────────┘
Key insight: Risk is never zero. The goal is to reduce risk to acceptable levels within available resources.
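As an added example (not part of the course material), the risk equation and the inherent/residual/appetite decisions above, implemented as a small Python scorer. The 5x5 scale, rating bands, control effects and sample register are constructed for illustration.

```python
from dataclasses import dataclass, field


def rate(score: int) -> str:
    """Constructed rating bands for a Likelihood x Impact score on a 5x5 scale (1..25)."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    kind: str                        # "preventive", "detective" or "corrective"
    likelihood_reduction: int = 0    # points taken off likelihood (1-5 scale)
    impact_reduction: int = 0        # points taken off impact (1-5 scale)


@dataclass
class Risk:
    scenario: str
    asset: str
    likelihood: int                  # inherent likelihood, 1-5
    impact: int                      # inherent impact, 1-5
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is applied: Likelihood x Impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after the listed controls. Preventive controls mainly
        cut likelihood; detective/corrective ones mainly cut impact. Values are
        clamped at 1 because risk is never zero."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(like, 1) * max(imp, 1)


def evaluate(risks: list, appetite_max: int) -> list:
    """Score each risk and apply the two decision rules from the text: residual
    above appetite means more controls are needed; a Critical rating triggers
    executive review. Rows come back sorted by residual risk, highest first."""
    rows = []
    for r in risks:
        inh, res = r.inherent(), r.residual()
        rows.append({
            "scenario": r.scenario,
            "inherent": inh, "inherent_rating": rate(inh),
            "residual": res, "residual_rating": rate(res),
            "exceeds_appetite": res > appetite_max,
            "needs_exec_review": rate(res) == "Critical",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed controls and sample register.
EDR = Control("EDR on all endpoints", "preventive", likelihood_reduction=2)
OFFLINE_BACKUPS = Control("Offline backups, tested restores", "corrective", impact_reduction=2)
MFA = Control("MFA on all remote access", "preventive", likelihood_reduction=2)

SAMPLE_RISKS = [
    Risk("Ransomware encrypts file servers", "file-servers", 5, 5, [EDR, OFFLINE_BACKUPS]),
    Risk("Phishing leads to credential theft", "staff-accounts", 4, 3, [MFA]),
    Risk("Flood damages the primary office", "hq-office", 1, 4),
]

RISK_APPETITE_MAX = 8   # constructed: a residual score above 8 is outside appetite

if __name__ == "__main__":
    for row in evaluate(SAMPLE_RISKS, RISK_APPETITE_MAX):
        print(row)
```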
2) NIST Risk Management Framework
The NIST Risk Management Framework provides a comprehensive, structured approach to managing security and privacy risk:
NIST RMF Overview:
RMF LIFECYCLE:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌───────────┐ │
│ │ PREPARE │ │
│ │ │ │
│ └─────┬─────┘ │
│ │ │
│ ▼ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ MONITOR │◄───│CATEGORIZE │───►│ SELECT │ │
│ │ │ │ │ │ │ │
│ └─────┬─────┘ └───────────┘ └─────┬─────┘ │
│ │ │ │
│ │ ▼ │
│ ┌─────┴─────┐ ┌───────────┐ │
│ │ AUTHORIZE │◄───────────────────│ IMPLEMENT │ │
│ │ │ │ │ │
│ └─────┬─────┘ └─────┬─────┘ │
│ │ │ │
│ │ ┌───────────┐ │ │
│ └────────►│ ASSESS │◄─────────┘ │
│ │ │ │
│ └───────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
STEP 1: PREPARE
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Establish context and priorities │
│ │
│ Organization-Level: │
│ - Define risk management strategy │
│ - Establish risk tolerance │
│ - Identify key stakeholders │
│ - Allocate resources │
│ - Develop organization-wide risk assessment │
│ │
│ System-Level: │
│ - Identify system boundaries │
│ - Identify stakeholders │
│ - Define authorization boundary │
│ - Register system │
│ - Assign roles │
└─────────────────────────────────────────────────────────────┘
STEP 2: CATEGORIZE
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Determine impact levels for confidentiality, │
│ integrity, and availability │
│ │
│ Activities: │
│ - Identify information types │
│ - Determine impact for each security objective │
│ - Assign system categorization (Low, Moderate, High) │
│ - Document in System Security Plan │
│ │
│ FIPS 199 Impact Levels: │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ LOW: Limited adverse effect │ │
│ │ - Minor damage to assets │ │
│ │ - Minor financial loss │ │
│ │ - Minor harm to individuals │ │
│ │ │ │
│ │ MODERATE: Serious adverse effect │ │
│ │ - Significant damage to assets │ │
│ │ - Significant financial loss │ │
│ │ - Significant harm to individuals │ │
│ │ │ │
│ │ HIGH: Severe or catastrophic adverse effect │ │
│ │ - Major damage to assets │ │
│ │ - Major financial loss │ │
│ │ - Severe harm to individuals │ │
│ │ - Loss of life │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
STEP 3: SELECT
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Choose and tailor security controls │
│ │
│ Activities: │
│ - Select baseline controls (NIST SP 800-53) │
│ - Tailor controls to environment │
│ - Add supplemental controls as needed │
│ - Document control selections │
│ │
│ Control Baselines: │
│ - Low baseline: ~130 controls │
│ - Moderate baseline: ~260 controls │
│ - High baseline: ~360 controls │
└─────────────────────────────────────────────────────────────┘
STEP 4: IMPLEMENT
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Put controls into operation │
│ │
│ Activities: │
│ - Implement selected controls │
│ - Document implementation details │
│ - Update System Security Plan │
└─────────────────────────────────────────────────────────────┘
STEP 5: ASSESS
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Evaluate control effectiveness │
│ │
│ Activities: │
│ - Develop assessment plan │
│ - Conduct control assessments │
│ - Document findings │
│ - Develop remediation plan │
│ - Produce Security Assessment Report │
└─────────────────────────────────────────────────────────────┘
STEP 6: AUTHORIZE
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Accept residual risk │
│ │
│ Activities: │
│ - Prepare authorization package │
│ - Risk determination │
│ - Authorization decision (ATO, ATO with conditions, or DATO) │
│ - Document decision │
│ │
│ Authorization Decisions: │
│ - ATO: Authority to Operate (approved) │
│ - DATO: Denial of Authority to Operate │
│ - ATO with conditions (approved with requirements) │
└─────────────────────────────────────────────────────────────┘
STEP 7: MONITOR
┌─────────────────────────────────────────────────────────────┐
│ Purpose: Maintain ongoing awareness │
│ │
│ Activities: │
│ - Monitor control effectiveness │
│ - Track changes to system │
│ - Assess impact of changes │
│ - Report security status │
│ - Ongoing authorization │
└─────────────────────────────────────────────────────────────┘
Key insight: NIST RMF is mandatory for US federal systems and widely adopted in the private sector for its comprehensive approach.
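An added example, not from the course, of the CATEGORIZE and SELECT steps: FIPS 199 categorisation by high-water mark (per objective, the system takes the highest impact level of any information type it handles; overall, the highest of the three objectives), mapped to the baseline sizes quoted above. The information types and their ratings are constructed.

```python
LEVELS = ["Low", "Moderate", "High"]          # FIPS 199 impact levels, ordered

# Approximate NIST SP 800-53 baseline sizes as quoted in the SELECT step.
BASELINES = {
    "Low": "Low baseline (~130 controls)",
    "Moderate": "Moderate baseline (~260 controls)",
    "High": "High baseline (~360 controls)",
}


def _level(value: str) -> int:
    """Ordinal for an impact level, accepting any capitalisation."""
    try:
        return LEVELS.index(value.strip().capitalize())
    except ValueError:
        raise ValueError(f"unknown impact level {value!r}; use Low/Moderate/High") from None


def categorize(information_types: dict) -> dict:
    """information_types maps each information type the system handles to its
    (confidentiality, integrity, availability) impact levels.

    Per objective the system inherits the highest level of any of its
    information types; the overall categorisation is the high-water mark
    across the three objectives, as FIPS 199 defines it."""
    if not information_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {"confidentiality": 0, "integrity": 0, "availability": 0}
    for name, levels in information_types.items():
        if len(levels) != 3:
            raise ValueError(f"{name}: expected (C, I, A) impact levels")
        for objective, value in zip(per_objective, levels):
            per_objective[objective] = max(per_objective[objective], _level(value))
    overall = max(per_objective.values())
    result = {obj: LEVELS[idx] for obj, idx in per_objective.items()}
    result["system"] = LEVELS[overall]
    result["baseline"] = BASELINES[LEVELS[overall]]
    # The security-categorisation notation FIPS 199 uses for a system.
    result["sc"] = ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
                    % (result["confidentiality"], result["integrity"], result["availability"]))
    return result


# Constructed example system: a customer-facing billing portal.
BILLING_PORTAL = {
    "customer PII":       ("Moderate", "Moderate", "Low"),
    "public price list":  ("Low",      "Moderate", "Low"),
    "payment processing": ("Moderate", "High",     "Moderate"),
}

if __name__ == "__main__":
    for key, value in categorize(BILLING_PORTAL).items():
        print(f"{key:16} {value}")
```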
3) ISO 27005 Risk Management
ISO 27005 provides guidance on information security risk management aligned with ISO 27001:
ISO 27005 Risk Management Process:
PROCESS OVERVIEW:
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ CONTEXT ESTABLISHMENT │ │
│ │ - Define scope and boundaries │ │
│ │ - Establish risk criteria │ │
│ │ - Define risk acceptance criteria │ │
│ └───────────────────────┬─────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ RISK ASSESSMENT │ │
│ │ ┌─────────────────────────────────────────────┐ │ │
│ │ │ Risk Identification │ │ │
│ │ │ - Identify assets │ │ │
│ │ │ - Identify threats │ │ │
│ │ │ - Identify existing controls │ │ │
│ │ │ - Identify vulnerabilities │ │ │
│ │ │ - Identify consequences │ │ │
│ │ └─────────────────────────────────────────────┘ │ │
│ │ ┌─────────────────────────────────────────────┐ │ │
│ │ │ Risk Analysis │ │ │
│ │ │ - Assess likelihood │ │ │
│ │ │ - Assess impact │ │ │
│ │ │ - Determine risk level │ │ │
│ │ └─────────────────────────────────────────────┘ │ │
│ │ ┌─────────────────────────────────────────────┐ │ │
│ │ │ Risk Evaluation │ │ │
│ │ │ - Compare against criteria │ │ │
│ │ │ - Prioritize risks │ │ │
│ │ └─────────────────────────────────────────────┘ │ │
│ └───────────────────────┬─────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ RISK TREATMENT │ │
│ │ - Select treatment options │ │
│ │ - Implement controls │ │
│ │ - Accept residual risk │ │
│ └───────────────────────┬─────────────────────────────┘ │
│ │ │
│ ◄──── RISK COMMUNICATION AND CONSULTATION ────► │
│ ◄──── RISK MONITORING AND REVIEW ────► │
│ │
└─────────────────────────────────────────────────────────────┘
CONTEXT ESTABLISHMENT:
┌─────────────────────────────────────────────────────────────┐
│ External Context: │
│ - Regulatory environment │
│ - Competitive landscape │
│ - Stakeholder expectations │
│ - Social/cultural factors │
│ │
│ Internal Context: │
│ - Organizational objectives │
│ - Risk appetite │
│ - Resources and capabilities │
│ - Culture and governance │
│ │
│ Risk Criteria: │
│ - Impact criteria (what constitutes low/medium/high impact) │
│ - Likelihood criteria (how to assess probability) │
│ - Risk acceptance criteria (what levels are acceptable) │
│ - Prioritization criteria (how to rank risks) │
└─────────────────────────────────────────────────────────────┘
RISK IDENTIFICATION:
┌─────────────────────────────────────────────────────────────┐
│ Asset Identification: │
│ - Primary assets (business processes, information) │
│ - Supporting assets (hardware, software, network, people) │
│ - Asset valuation (importance to business) │
│ │
│ Threat Identification: │
│ - Threat sources (who/what) │
│ - Threat events (what could happen) │
│ - Historical incidents │
│ - Threat intelligence │
│ │
│ Vulnerability Identification: │
│ - Technical vulnerabilities │
│ - Process weaknesses │
│ - Human factors │
│ - Physical vulnerabilities │
│ │
│ Existing Controls: │
│ - What's already in place │
│ - Effectiveness assessment │
│ - Coverage gaps │
└─────────────────────────────────────────────────────────────┘
Comparison: NIST RMF vs ISO 27005:
Framework Comparison:
┌─────────────────────┬──────────────────┬──────────────────────┐
│ Aspect              │ NIST RMF         │ ISO 27005            │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Origin              │ US Government    │ International (ISO)  │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Mandatory for       │ US Federal       │ ISO 27001 certified  │
│                     │ systems          │ organizations        │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Control Catalog     │ NIST SP 800-53   │ ISO 27001 Annex A    │
│                     │ (detailed)       │ (high-level)         │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Approach            │ System-focused   │ Organization-focused │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Authorization       │ Formal ATO       │ Statement of         │
│                     │ process          │ Applicability        │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Documentation       │ Prescriptive     │ Flexible             │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Best For            │ Government,      │ Global companies,    │
│                     │ defense          │ ISO certification    │
├─────────────────────┼──────────────────┼──────────────────────┤
│ Cost                │ Free             │ Standards must be    │
│                     │                  │ purchased            │
└─────────────────────┴──────────────────┴──────────────────────┘
WHEN TO USE WHICH:
┌─────────────────────────────────────────────────────────────┐
│ Use NIST RMF when: │
│ - Working with US federal government │
│ - Need detailed, prescriptive guidance │
│ - Prefer free, publicly available resources │
│ - Want comprehensive control catalog │
│ │
│ Use ISO 27005 when: │
│ - Pursuing ISO 27001 certification │
│ - Operating internationally │
│ - Need flexibility in implementation │
│ - Aligning with ISO management system standards │
│ │
│ Many organizations use both: │
│ - ISO 27005 process with NIST 800-53 controls │
│ - Framework mapping for multiple compliance needs │
└─────────────────────────────────────────────────────────────┘
Key insight: Frameworks provide structure, not answers. Adapt them to your organization's context and needs.
4) Asset Identification and Classification
You can't protect what you don't know about. Asset identification is the foundation of risk assessment:
Asset Identification:
ASSET CATEGORIES:
┌─────────────────────────────────────────────────────────────┐
│ Information Assets: │
│ - Customer data (PII, payment info, health records) │
│ - Intellectual property (source code, designs, patents) │
│ - Financial data (accounts, transactions, forecasts) │
│ - Employee data (HR records, payroll) │
│ - Business data (contracts, strategies, plans) │
│ │
│ Technology Assets: │
│ - Hardware (servers, endpoints, network devices) │
│ - Software (applications, operating systems, databases) │
│ - Cloud services (IaaS, PaaS, SaaS) │
│ - Network infrastructure (firewalls, routers, links) │
│ │
│ Physical Assets: │
│ - Facilities (offices, data centers, warehouses) │
│ - Equipment (manufacturing, medical devices) │
│ - Storage media (backup tapes, removable drives) │
│ │
│ Human Assets: │
│ - Employees with critical knowledge │
│ - Key personnel (executives, specialists) │
│ - External dependencies (contractors, vendors) │
│ │
│ Intangible Assets: │
│ - Reputation and brand │
│ - Customer relationships │
│ - Regulatory standing │
└─────────────────────────────────────────────────────────────┘
ASSET INVENTORY ATTRIBUTES:
┌─────────────────────────────────────────────────────────────┐
│ For each asset, document: │
│ │
│ Identification: │
│ - Asset name and description │
│ - Asset ID/identifier │
│ - Location (physical and logical) │
│ - Asset type and category │
│ │
│ Ownership: │
│ - Business owner (accountable) │
│ - Technical owner/custodian (responsible) │
│ - Department/business unit │
│ │
│ Value: │
│ - Business criticality │
│ - Data classification │
│ - Replacement cost │
│ - Business impact of loss │
│ │
│ Dependencies: │
│ - What depends on this asset │
│ - What this asset depends on │
│ - Integration points │
│ │
│ Security: │
│ - Confidentiality requirements │
│ - Integrity requirements │
│ - Availability requirements │
│ - Existing controls │
└─────────────────────────────────────────────────────────────┘
Data Classification:
Data Classification Scheme:
TYPICAL CLASSIFICATION LEVELS:
┌─────────────────────────────────────────────────────────────┐
│ │
│ PUBLIC │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Marketing materials, public website content │ │
│ │ - No business impact if disclosed │ │
│ │ - No special handling required │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ INTERNAL │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Internal communications, policies, procedures │ │
│ │ - Minor impact if disclosed │ │
│ │ - Basic access controls required │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ CONFIDENTIAL │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Customer data, employee PII, financial data │ │
│ │ - Significant impact if disclosed │ │
│ │ - Encryption, access controls, audit logging │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ RESTRICTED │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ - Trade secrets, M&A data, executive communications │ │
│ │ - Severe impact if disclosed │ │
│ │ - Strict need-to-know, enhanced encryption, DLP │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
CLASSIFICATION CRITERIA:
┌─────────────────────────────────────────────────────────────┐
│ Consider impact to: │
│ │
│ - Legal/regulatory compliance │
│ Would disclosure violate laws or regulations? │
│ │
│ - Financial position │
│ Would disclosure cause financial harm? │
│ │
│ - Reputation │
│ Would disclosure damage brand or trust? │
│ │
│ - Operations │
│ Would disclosure disrupt business operations? │
│ │
│ - Competitive advantage │
│ Would disclosure benefit competitors? │
│ │
│ - Personal harm │
│ Would disclosure harm individuals? │
└─────────────────────────────────────────────────────────────┘
HANDLING REQUIREMENTS BY CLASSIFICATION:
┌───────────────────────┬──────────┬──────────┬──────────────┬────────────┐
│ Control               │ Public   │ Internal │ Confidential │ Restricted │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Access Control        │ No       │ Yes      │ Yes          │ Strict     │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Encryption at Rest    │ No       │ Optional │ Yes          │ Yes+Key    │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Encryption in Transit │ No       │ Optional │ Yes          │ Yes        │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Audit Logging         │ No       │ Basic    │ Full         │ Enhanced   │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Data Loss Prevention  │ No       │ No       │ Yes          │ Yes        │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Backup                │ Optional │ Yes      │ Yes          │ Yes        │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Retention Rule        │ No       │ Yes      │ Yes          │ Yes        │
├───────────────────────┼──────────┼──────────┼──────────────┼────────────┤
│ Disposal              │ Normal   │ Secure   │ Secure       │ Certified  │
└───────────────────────┴──────────┴──────────┴──────────────┴────────────┘
Key insight: Classification determines protection requirements. Over-classification wastes resources; under-classification creates risk.
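Added example (not course code): the handling-requirements table above encoded as a requirements matrix and checked against constructed inventory records, producing the control gaps an assessment would record. The control names, the strength ordering and the inventory records are constructed; the required levels are transcribed from the table.

```python
# Requirement levels per classification, transcribed from the handling table.
CLASSIFICATIONS = ["public", "internal", "confidential", "restricted"]
REQUIREMENTS = {
    #  control                 public      internal    confidential  restricted
    "access_control":        ("no",       "yes",      "yes",        "strict"),
    "encryption_at_rest":    ("no",       "optional", "yes",        "yes+key"),
    "encryption_in_transit": ("no",       "optional", "yes",        "yes"),
    "audit_logging":         ("no",       "basic",    "full",       "enhanced"),
    "data_loss_prevention":  ("no",       "no",       "yes",        "yes"),
    "backup":                ("optional", "yes",      "yes",        "yes"),
    "retention_rule":        ("no",       "yes",      "yes",        "yes"),
    "disposal":              ("normal",   "secure",   "secure",     "certified"),
}

# Constructed ordinal strength of each table value, so a stronger implementation
# satisfies a weaker requirement ("strict" satisfies "yes", "enhanced" satisfies
# "full"). "optional" and "no" impose no requirement; "yes+key" is read as
# encryption plus managed keys, one step above plain "yes".
STRENGTH = {"no": 0, "optional": 0, "normal": 0, "basic": 1, "yes": 2,
            "secure": 2, "full": 2, "strict": 3, "yes+key": 3, "enhanced": 3,
            "certified": 3}


def required_controls(classification: str) -> dict:
    """The control level the table demands for one classification."""
    idx = CLASSIFICATIONS.index(classification.lower())
    return {ctl: levels[idx] for ctl, levels in REQUIREMENTS.items()}


def handling_gaps(asset: dict) -> list:
    """Compare an inventory record's implemented controls with what its data
    classification requires. Returns (control, required, implemented) for each
    shortfall; a control missing from the record counts as "no"."""
    implemented = asset.get("controls", {})
    gaps = []
    for ctl, required in required_controls(asset["classification"]).items():
        actual = implemented.get(ctl, "no")
        if actual not in STRENGTH:
            raise ValueError(f"{asset['name']}: unknown level {actual!r} for {ctl}")
        if STRENGTH[actual] < STRENGTH[required]:
            gaps.append((ctl, required, actual))
    return gaps


def inventory_report(inventory: list) -> dict:
    """Gaps keyed by asset name, for the assets that have at least one gap."""
    return {a["name"]: g for a in inventory if (g := handling_gaps(a))}


# Constructed inventory records (a subset of the attributes listed above).
INVENTORY = [
    {"name": "customer-db", "owner": "dba-team", "classification": "confidential",
     "controls": {"access_control": "yes", "encryption_in_transit": "yes",
                  "audit_logging": "basic", "backup": "yes",
                  "retention_rule": "yes", "disposal": "secure"}},
    {"name": "marketing-site", "owner": "web-team", "classification": "public",
     "controls": {"backup": "yes"}},
    {"name": "m-and-a-dataroom", "owner": "cfo-office", "classification": "restricted",
     "controls": {"access_control": "yes", "encryption_at_rest": "yes",
                  "encryption_in_transit": "yes", "audit_logging": "full",
                  "data_loss_prevention": "yes", "backup": "yes",
                  "retention_rule": "yes", "disposal": "secure"}},
]

if __name__ == "__main__":
    for name, gaps in inventory_report(INVENTORY).items():
        for ctl, required, actual in gaps:
            print(f"{name}: {ctl} requires {required!r}, has {actual!r}")
```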
5) Threat and Vulnerability Identification
Understanding threats and vulnerabilities enables realistic risk assessment:
Threat Identification:
THREAT SOURCE CATEGORIES:
┌─────────────────────────────────────────────────────────────┐
│ Adversarial (Intentional): │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Nation-State Actors │ │
│ │ - Advanced capabilities, significant resources │ │
│ │ - Espionage, sabotage, strategic disruption │ │
│ │ - Targets: Government, critical infrastructure, IP │ │
│ │ │ │
│ │ Organized Crime │ │
│ │ - Financially motivated │ │
│ │ - Ransomware, fraud, data theft for sale │ │
│ │ - Targets: Any with valuable data or willingness to pay │ │
│ │ │ │
│ │ Hacktivists │ │
│ │ - Ideologically motivated │ │
│ │ - Defacement, DDoS, data leaks │ │
│ │ - Targets: Politically controversial organizations │ │
│ │ │ │
│ │ Insiders │ │
│ │ - Current/former employees, contractors │ │
│ │ - Theft, sabotage, espionage │ │
│ │ - Privileged access, knowledge of systems │ │
│ │ │ │
│ │ Competitors │ │
│ │ - Corporate espionage │ │
│ │ - IP theft, customer data │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ Non-Adversarial (Unintentional): │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Human Error │ │
│ │ - Misconfigurations, accidental disclosure │ │
│ │ - Lost devices, weak passwords │ │
│ │ │ │
│ │ System/Equipment Failure │ │
│ │ - Hardware failure, software bugs │ │
│ │ - Capacity exhaustion │ │
│ │ │ │
│ │ Natural Events │ │
│ │ - Disasters (fire, flood, earthquake) │ │
│ │ - Power outages, environmental │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
THREAT INTELLIGENCE SOURCES:
┌─────────────────────────────────────────────────────────────┐
│ External Sources: │
│ - CISA alerts and advisories │
│ - Industry ISACs (Information Sharing and Analysis Centers) │
│ - Commercial threat intelligence feeds │
│ - Vendor security bulletins │
│ - Security news and research │
│ │
│ Internal Sources: │
│ - Historical incident data │
│ - Security monitoring and detection │
│ - Penetration test results │
│ - Employee reports │
└─────────────────────────────────────────────────────────────┘
Vulnerability Assessment:
Vulnerability Identification Methods:
TECHNICAL VULNERABILITY ASSESSMENT:
┌─────────────────────────────────────────────────────────────┐
│ Automated Scanning: │
│ - Network vulnerability scanners (Nessus, Qualys) │
│ - Web application scanners (Burp, OWASP ZAP) │
│ - Container scanners (Trivy, Clair) │
│ - Cloud security posture (CSPM tools) │
│ - Code analysis (SAST, SCA) │
│ │
│ Manual Assessment: │
│ - Penetration testing │
│ - Red team exercises │
│ - Code review │
│ - Architecture review │
│ │
│ Passive Discovery: │
│ - Configuration review │
│ - Log analysis │
│ - Network traffic analysis │
└─────────────────────────────────────────────────────────────┘
PROCESS AND HUMAN VULNERABILITIES:
┌─────────────────────────────────────────────────────────────┐
│ Process Assessment: │
│ - Gap analysis against frameworks │
│ - Policy and procedure review │
│ - Control effectiveness testing │
│ - Incident response exercises │
│ │
│ Human Vulnerability Assessment: │
│ - Phishing simulations │
│ - Social engineering tests │
│ - Security awareness assessments │
│ - Access review findings │
│ │
│ Physical Assessment: │
│ - Physical security review │
│ - Access control testing │
│ - Environmental assessment │
└─────────────────────────────────────────────────────────────┘
VULNERABILITY PRIORITIZATION:
┌─────────────────────────────────────────────────────────────┐
│ Consider: │
│ │
│ Exploitability: │
│ - Is there a known exploit? │
│ - Is it being actively exploited in the wild? │
│ - How difficult is exploitation? │
│ │
│ Exposure: │
│ - Is the vulnerable system internet-facing? │
│ - What network position? │
│ - Who has access? │
│ │
│ Asset Value: │
│ - What's the classification of data involved? │
│ - How critical is the system? │
│ - What's the business impact? │
│ │
│ Compensating Controls: │
│ - Are there other controls reducing risk? │
│ - Can the vulnerability be mitigated without patching? │
│ │
│ Popular Framework: CVSS + Context │
│ CVSS alone is insufficient - add your context │
└─────────────────────────────────────────────────────────────┘
Key insight: Vulnerability counts are meaningless without context. One critical vulnerability on an internet-facing system with sensitive data matters more than 1000 low-severity findings on isolated systems.
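Added example, not course code, of the CVSS + context prioritisation described above: the same CVSS 9.8 finding scored on an internet-facing system holding confidential data and on an isolated lab box, alongside 1000 low-severity lab findings. The weights, SLA bands and findings are constructed to illustrate the rule and are not a published scoring formula.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    host: str
    cvss: float                   # CVSS base score, 0.0-10.0
    known_exploit: bool           # a public exploit exists
    exploited_in_wild: bool       # reported as actively exploited
    exposure: str                 # "internet", "internal" or "isolated"
    data_classification: str      # "public", "internal", "confidential" or "restricted"
    system_criticality: str       # "low", "medium" or "high"
    compensating_controls: int    # count of effective mitigations already in place


# Constructed weights for the four context factors listed above.
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.25}
DATA_VALUE = {"public": 0.3, "internal": 0.5, "confidential": 0.8, "restricted": 1.0}
CRITICALITY = {"low": 0.4, "medium": 0.7, "high": 1.0}


def priority_score(f: Finding) -> float:
    """CVSS scaled by context: exploitability raises the score, limited exposure
    and low asset value lower it, and each compensating control takes 20% off.
    The result is a ranking number, not a CVSS environmental score."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.id}: CVSS base score out of range")
    exploitability = 1.0
    if f.known_exploit:
        exploitability += 0.5
    if f.exploited_in_wild:
        exploitability += 1.0
    asset_value = max(DATA_VALUE[f.data_classification], CRITICALITY[f.system_criticality])
    mitigation = 0.8 ** f.compensating_controls
    return round(f.cvss * exploitability * EXPOSURE[f.exposure] * asset_value * mitigation, 2)


def remediation_window(score: float) -> str:
    """Constructed SLA bands; the 7-day band mirrors the tolerance example above."""
    if score >= 20:
        return "7 days"
    if score >= 10:
        return "30 days"
    if score >= 3:
        return "90 days"
    return "next maintenance cycle"


def prioritize(findings: list) -> list:
    """Findings ordered by contextual priority, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed findings: one CVSS 9.8 issue on two very different systems, plus
# 1000 low-severity findings on isolated lab boxes.
CRITICAL_WEB = Finding("F-1", "shop-web-01", 9.8, True, True, "internet", "confidential", "high", 0)
CRITICAL_LAB = Finding("F-2", "lab-test-07", 9.8, True, True, "isolated", "public", "low", 2)
LOW_LAB = [Finding(f"F-{n}", f"lab-box-{n:02d}", 3.1, False, False, "isolated", "public", "low", 1)
           for n in range(100, 1100)]

if __name__ == "__main__":
    for f in prioritize([CRITICAL_LAB, *LOW_LAB, CRITICAL_WEB])[:3]:
        print(f.id, f.host, f.cvss, priority_score(f), remediation_window(priority_score(f)))
```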
Real-World Context
Case Study: Equifax Risk Assessment Failures
The 2017 Equifax breach exposed 147 million records due to an unpatched Apache Struts vulnerability. Investigation revealed multiple risk assessment failures: the vulnerable system wasn't in the asset inventory, vulnerability scans missed it, the certificate for the inspection tool had expired (so traffic wasn't being monitored), and there was no clear ownership of the system. A proper risk assessment would have identified the system as high-value (containing massive PII), identified the vulnerability as critical (known exploit, internet-facing), and prioritized remediation. The incident cost Equifax over $1.4 billion and demonstrated how risk assessment failures enable breaches.
Case Study: Shadow IT Risk
A healthcare organization conducted a risk assessment but only covered IT-managed systems. Business units had deployed numerous SaaS applications containing patient data, including file sharing, project management, and communication tools. These weren't in the asset inventory and weren't assessed. A breach occurred through one of these shadow IT applications. Post-incident, the organization implemented cloud access security broker (CASB) technology to discover shadow IT and expanded its risk assessment to include all data repositories, not just IT-managed systems.
Risk Assessment Quick Reference:
Risk Assessment Checklist:
PREPARATION:
□ Define scope and boundaries
□ Establish risk criteria
□ Identify stakeholders
□ Gather threat intelligence
□ Obtain asset inventory
ASSET IDENTIFICATION:
□ Information assets identified
□ Technology assets inventoried
□ Physical assets documented
□ Human assets considered
□ Asset owners assigned
□ Data classification applied
□ Criticality ratings assigned
THREAT IDENTIFICATION:
□ Adversarial threats identified
□ Non-adversarial threats considered
□ Industry-specific threats included
□ Historical incidents reviewed
□ Threat intelligence incorporated
VULNERABILITY IDENTIFICATION:
□ Technical scans completed
□ Process gaps identified
□ Human vulnerabilities assessed
□ Physical vulnerabilities reviewed
□ Configuration weaknesses documented
DOCUMENTATION:
□ Risk register created
□ Threat scenarios documented
□ Asset inventory updated
□ Findings prioritized
□ Stakeholders briefed
Risk assessment is only as good as its inputs. Incomplete asset inventories and outdated threat intelligence produce incomplete risk pictures.
Metrics Deep Dive: Risk Register Health
Risk programs fail when the register is stale. Track these indicators to prove risk decisions are current and acted on.
Risk Register Metrics:
- % of critical assets with assigned owners
- % of high risks with mitigation plans
- Mean time to close high risks
- Risk acceptance rate vs mitigation rate
- Overdue remediation actions (count + age)
- Residual risk trend by business unit
Reporting Guidance:
Use trends, not snapshots. A decreasing high-risk backlog matters more than a single-point score.
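An added example (not part of the course) that computes the register-health metrics listed above over a constructed register and asset list; the residual-risk trend by business unit needs historical snapshots and is left out. The reporting date, assets and register rows are constructed.

```python
from datetime import date
from statistics import mean

TODAY = date(2024, 6, 1)     # constructed reporting date

# Constructed asset list: (asset, is_critical, owner or None)
ASSETS = [
    ("customer-db",     True,  "dba-team"),
    ("payment-gateway", True,  None),          # critical asset with no owner
    ("marketing-site",  False, "web-team"),
    ("hr-system",       True,  "hr-it"),
    ("backup-vault",    True,  "infra-team"),
]


def risk(rid, rating, treatment, plan, opened, closed=None, due=None):
    """One register row. treatment is "mitigate" or "accept"; plan says whether
    a written mitigation plan exists; due is the remediation deadline."""
    return {"id": rid, "rating": rating, "treatment": treatment, "plan": plan,
            "opened": opened, "closed": closed, "due": due}


# Constructed register rows.
RISKS = [
    risk("R1", "High",   "mitigate", True,  date(2024, 1, 10), closed=date(2024, 3, 1),  due=date(2024, 3, 15)),
    risk("R2", "High",   "mitigate", False, date(2024, 2, 1),  due=date(2024, 4, 1)),
    risk("R3", "High",   "accept",   True,  date(2024, 3, 5),  closed=date(2024, 3, 5)),
    risk("R4", "Medium", "mitigate", True,  date(2024, 4, 1),  due=date(2024, 7, 1)),
    risk("R5", "High",   "mitigate", False, date(2024, 4, 20), due=date(2024, 5, 20)),
    risk("R6", "High",   "mitigate", True,  date(2024, 2, 15), closed=date(2024, 3, 20), due=date(2024, 3, 31)),
]


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def critical_assets_with_owner(assets=ASSETS) -> float:
    """% of critical assets with an assigned owner."""
    critical = [a for a in assets if a[1]]
    return pct(sum(1 for a in critical if a[2]), len(critical))


def high_risks_with_plan(risks=RISKS) -> float:
    """% of high risks being mitigated that have a mitigation plan."""
    high = [r for r in risks if r["rating"] == "High" and r["treatment"] == "mitigate"]
    return pct(sum(1 for r in high if r["plan"]), len(high))


def mean_days_to_close_high(risks=RISKS):
    """Mean time (days) to close mitigated high risks; None if none closed yet."""
    durations = [(r["closed"] - r["opened"]).days for r in risks
                 if r["rating"] == "High" and r["treatment"] == "mitigate" and r["closed"]]
    return round(mean(durations), 1) if durations else None


def acceptance_vs_mitigation(risks=RISKS, rating="High") -> dict:
    """Share of risks at the given rating that were accepted versus mitigated."""
    rated = [r for r in risks if r["rating"] == rating]
    accepted = sum(1 for r in rated if r["treatment"] == "accept")
    return {"accept_pct": pct(accepted, len(rated)),
            "mitigate_pct": pct(len(rated) - accepted, len(rated))}


def overdue_actions(risks=RISKS, today=TODAY) -> list:
    """Open remediation actions past their due date as (id, age in days), oldest first."""
    return sorted(((r["id"], (today - r["due"]).days) for r in risks
                   if r["closed"] is None and r["due"] and r["due"] < today),
                  key=lambda x: x[1], reverse=True)


def register_health(assets=ASSETS, risks=RISKS, today=TODAY) -> dict:
    """The scorecard: one row of the indicators listed above."""
    overdue = overdue_actions(risks, today)
    return {
        "critical_assets_with_owner_pct": critical_assets_with_owner(assets),
        "high_risks_with_plan_pct": high_risks_with_plan(risks),
        "mean_days_to_close_high": mean_days_to_close_high(risks),
        **acceptance_vs_mitigation(risks),
        "overdue_count": len(overdue),
        "overdue_oldest_days": overdue[0][1] if overdue else 0,
    }

if __name__ == "__main__":
    for key, value in register_health().items():
        print(f"{key:32} {value}")
```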
Guided Lab: Risk Assessment
In this lab, you'll conduct a risk assessment for a scenario organization using structured methodology.
Lab Scenario:
- E-commerce company processing credit cards
- Cloud-hosted infrastructure (AWS)
- 500,000 customer records
- 50 employees, 10 developers
- Subject to PCI DSS compliance
Exercise Steps:
- Define assessment scope and criteria
- Create asset inventory with classification
- Identify relevant threats
- Identify potential vulnerabilities
- Map threats to assets
- Document risk scenarios
- Create initial risk register
Reflection Questions:
- How did you prioritize which assets to focus on?
- What threats did you consider most relevant and why?
- What information was missing that would improve the assessment?
Week Outcome Check
By the end of this week, you should be able to:
- Define key risk terminology (threat, vulnerability, impact, likelihood)
- Explain the difference between inherent and residual risk
- Describe the NIST RMF steps and their purpose
- Explain the ISO 27005 risk management process
- Create asset inventories with appropriate attributes
- Apply data classification schemes
- Identify and categorize threats relevant to an organization
- Conduct vulnerability identification using multiple methods
🎯 Hands-On Labs (Free & Essential)
Master risk assessment with practical framework application and real-world scenarios.
🎯 NIST RMF Implementation Lab
What you'll do: Apply NIST Risk Management Framework—complete categorization, control selection, assessment, and authorization steps.
Why it matters: NIST RMF is mandatory for federal systems and widely adopted commercially.
Time estimate: 3-4 hours
📊 Risk Assessment Simulation
What you'll do: Conduct comprehensive risk assessments—identify assets, threats, vulnerabilities, and calculate risk scores.
Why it matters: Risk assessment is the foundation of effective security programs.
Time estimate: 3-4 hours
🔍 ISO 27005 Risk Assessment
What you'll do: Practice ISO 27005 risk assessment methodology—context establishment, risk identification, analysis, evaluation.
Why it matters: ISO 27005 is the international standard for information security risk management.
Time estimate: 2-3 hours
📈 Risk Register KPI Dashboard
What you'll do: Build a risk register scorecard with KPIs for ownership, closure time, and overdue remediation.
Why it matters: Metrics turn risk analysis into measurable action.
Time estimate: 1-2 hours
💡 Lab Strategy: Risk assessment requires judgment—practice with multiple scenarios to build intuition for risk prioritization.
Resources
Lab
Complete the following lab exercises to practice risk assessment concepts.