Introduction
Organizations face far more potential security problems than they could ever fix at once, so they need a structured way to decide what to work on first. Risk assessment is the process of identifying threats and vulnerabilities, estimating how serious the resulting risk is, and deciding how to respond. It turns a vague sense of 'we should be more secure' into a prioritized, defensible plan.
Cricket analogy: A team can't fix every weakness before a World Cup — batting depth, death bowling, fielding lapses — all at once, so coaches use risk assessment to identify which flaw is most likely to be exploited by upcoming opponents and prioritize training time accordingly.
Explanation
At its core, risk is commonly expressed as: risk = likelihood x impact. Likelihood is how probable it is that a given threat will exploit a given vulnerability in a given timeframe, and impact is how much damage would result if it did — financial loss, reputational harm, regulatory penalties, or operational disruption. Both are usually rated on a simple scale (for example, 1-5 for low-to-high) so that different risks can be compared side by side, producing a risk score that helps decide what needs attention first. Once a risk has been identified and scored, the organization chooses a treatment: accept the risk (do nothing extra, because the cost of the risk is low enough to tolerate), mitigate it (reduce likelihood or impact through controls, such as patching a vulnerability or adding monitoring), transfer it (shift the financial consequences to a third party, most commonly through cyber insurance or a contractual clause with a vendor), or avoid it (eliminate the risk entirely by discontinuing the risky activity, such as retiring a legacy system that can no longer be secured).
Cricket analogy: A team rates the likelihood a part-time bowler gets hit for sixes (say 4 of 5) against the impact of losing the match because of it (say 5 of 5), producing a high risk score, and can choose to accept the occasional boundary, mitigate by adding a specialist, transfer by insuring against a lost sponsorship, or avoid by dropping that bowler entirely.
Example
Risk A: Unpatched public web server with a known critical vulnerability
Likelihood: 5 (high - actively exploited in the wild)
Impact: 5 (high - full system compromise, customer data exposure)
Risk score: 5 x 5 = 25 -> Treatment: MITIGATE (patch immediately)
Risk B: Outdated software on an isolated internal test machine, no real data
Likelihood: 2 (low - not internet-facing, limited exposure)
Impact: 1 (low - no sensitive data, easily rebuilt)
Risk score: 2 x 1 = 2 -> Treatment: ACCEPT (document and monitor)Analysis
The worked example shows why risk assessment matters for prioritization: Risk A scores far higher than Risk B, so limited security resources should go to patching the public web server first, while the low-scoring internal risk can reasonably be accepted and simply tracked. In practice, most organizations use a combination of treatments across their risk portfolio rather than one approach for everything — critical risks get mitigated, catastrophic-but-rare risks (like a data breach lawsuit) often get transferred via cyber insurance, and risks tied to activities that provide little business value may simply be avoided. It's also important to note that treatment decisions are not one-time; residual risk (what remains after mitigation) should be reassessed periodically, since new threats, new assets, and changing business priorities all shift the risk landscape over time.
Cricket analogy: Just as a team prioritizes fixing a leaking death-overs bowling attack over a minor fielding weakness at deep third, since the first threatens far more matches, security teams patch the public web server first over a low-scoring internal issue, and reassess remaining weaknesses each season as conditions change.
Key Takeaways
- Risk is typically calculated as likelihood x impact, producing a comparable score across different risks.
- The four risk treatment options are accept, mitigate, transfer, and avoid.
- Higher-scoring risks should be prioritized for mitigation over lower-scoring ones.
- Risk assessment is ongoing — residual risk should be re-evaluated as circumstances change.
Practice what you learned
1. How is risk typically calculated in a basic risk assessment?
2. Purchasing cyber insurance to cover the financial cost of a potential breach is an example of which risk treatment?
3. Decommissioning an unsupported legacy application that can no longer be patched is an example of which risk treatment?
4. In a risk assessment, a risk with likelihood 4 and impact 5 compared to a risk with likelihood 2 and impact 2 should generally be:
Was this page helpful?
You May Also Like
Security Policies and Governance
Learn how policies, standards, procedures, and guidelines work together to govern an organization's security program.
Vulnerability Management
Explore the continuous lifecycle of discovering, prioritizing, remediating, and verifying fixes for security vulnerabilities.
Incident Response Basics
Understand the standard incident response lifecycle used by security teams to detect, contain, and recover from security incidents.
Compliance Frameworks Overview
Get a conceptual overview of common compliance frameworks like ISO 27001, NIST CSF, SOC 2, GDPR, and HIPAA and what each covers.