100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Python

Risk Assessment Basics

Understand how to calculate risk as likelihood times impact and choose between accepting, mitigating, transferring, or avoiding it.

Governance, Risk & ComplianceBeginner10 min readJul 8, 2026
Analogies

Introduction

Organizations face far more potential security problems than they could ever fix at once, so they need a structured way to decide what to work on first. Risk assessment is the process of identifying threats and vulnerabilities, estimating how serious the resulting risk is, and deciding how to respond. It turns a vague sense of 'we should be more secure' into a prioritized, defensible plan.

🏏

Cricket analogy: A team can't fix every weakness before a World Cup — batting depth, death bowling, fielding lapses — all at once, so coaches use risk assessment to identify which flaw is most likely to be exploited by upcoming opponents and prioritize training time accordingly.

Explanation

At its core, risk is commonly expressed as: risk = likelihood x impact. Likelihood is how probable it is that a given threat will exploit a given vulnerability in a given timeframe, and impact is how much damage would result if it did — financial loss, reputational harm, regulatory penalties, or operational disruption. Both are usually rated on a simple scale (for example, 1-5 for low-to-high) so that different risks can be compared side by side, producing a risk score that helps decide what needs attention first. Once a risk has been identified and scored, the organization chooses a treatment: accept the risk (do nothing extra, because the cost of the risk is low enough to tolerate), mitigate it (reduce likelihood or impact through controls, such as patching a vulnerability or adding monitoring), transfer it (shift the financial consequences to a third party, most commonly through cyber insurance or a contractual clause with a vendor), or avoid it (eliminate the risk entirely by discontinuing the risky activity, such as retiring a legacy system that can no longer be secured).

🏏

Cricket analogy: A team rates the likelihood a part-time bowler gets hit for sixes (say 4 of 5) against the impact of losing the match because of it (say 5 of 5), producing a high risk score, and can choose to accept the occasional boundary, mitigate by adding a specialist, transfer by insuring against a lost sponsorship, or avoid by dropping that bowler entirely.

Example

text
Risk A: Unpatched public web server with a known critical vulnerability
  Likelihood: 5 (high  - actively exploited in the wild)
  Impact:     5 (high  - full system compromise, customer data exposure)
  Risk score: 5 x 5 = 25  -> Treatment: MITIGATE (patch immediately)

Risk B: Outdated software on an isolated internal test machine, no real data
  Likelihood: 2 (low   - not internet-facing, limited exposure)
  Impact:     1 (low   - no sensitive data, easily rebuilt)
  Risk score: 2 x 1 = 2   -> Treatment: ACCEPT (document and monitor)

Analysis

The worked example shows why risk assessment matters for prioritization: Risk A scores far higher than Risk B, so limited security resources should go to patching the public web server first, while the low-scoring internal risk can reasonably be accepted and simply tracked. In practice, most organizations use a combination of treatments across their risk portfolio rather than one approach for everything — critical risks get mitigated, catastrophic-but-rare risks (like a data breach lawsuit) often get transferred via cyber insurance, and risks tied to activities that provide little business value may simply be avoided. It's also important to note that treatment decisions are not one-time; residual risk (what remains after mitigation) should be reassessed periodically, since new threats, new assets, and changing business priorities all shift the risk landscape over time.

🏏

Cricket analogy: Just as a team prioritizes fixing a leaking death-overs bowling attack over a minor fielding weakness at deep third, since the first threatens far more matches, security teams patch the public web server first over a low-scoring internal issue, and reassess remaining weaknesses each season as conditions change.

Key Takeaways

  • Risk is typically calculated as likelihood x impact, producing a comparable score across different risks.
  • The four risk treatment options are accept, mitigate, transfer, and avoid.
  • Higher-scoring risks should be prioritized for mitigation over lower-scoring ones.
  • Risk assessment is ongoing — residual risk should be re-evaluated as circumstances change.

Practice what you learned

Was this page helpful?

Topics covered

#Python#CyberSecurityFundamentalsStudyNotes#CyberSecurity#RiskAssessmentBasics#Risk#Assessment#Explanation#Example#StudyNotes#SkillVeris