Risk Assessment Fundamentals
Raw threat lists overwhelm rather than inform. Risk assessment transforms threat catalogs into prioritized action plans by evaluating each threat's likelihood and potential impact. This analysis must be systematic enough to be repeatable yet flexible enough to accommodate different types of threats and varying levels of available information.
Likelihood assessment combines multiple factors: threat actor capability and motivation, vulnerability exploitability, existing control effectiveness, and environmental factors. A SQL injection vulnerability in an internet-facing application has high likelihood due to automated scanning tools. The same vulnerability in an internal application accessed by few users has lower likelihood but isn't zero—insider threats and lateral movement must be considered.
Impact analysis extends beyond immediate technical consequences to business implications. Data breach impact includes notification costs, regulatory fines, lawsuits, and reputational damage. Service disruption impact encompasses lost revenue, productivity loss, and customer dissatisfaction. Intellectual property theft might destroy competitive advantage. Complete impact analysis considers both direct costs and indirect consequences.
Risk matrices visualize the relationship between likelihood and impact, helping prioritize threats. High-likelihood, high-impact threats demand immediate attention. Low-likelihood, low-impact threats might be accepted. The challenge lies in consistently evaluating threats and avoiding both paranoia (everything is high risk) and complacency (downplaying real risks).
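The likelihood factors, impact categories and matrix buckets above, worked through as an added example that is not part of the original text. The 1-5 scales, the weighting of control effectiveness, the bucket thresholds and the three sample threats (including the page's two SQL injection cases) are constructed assumptions; a real programme would calibrate them to its own data.

```python
from dataclasses import dataclass

# Shared ordinal scale for likelihood and impact: 1 (very low) .. 5 (very high)
LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}

@dataclass
class Threat:
    name: str
    actor_capability: int       # 1-5: threat actor skill and motivation
    exploitability: int         # 1-5: how easily the weakness is exploited
    exposure: int               # 1-5: reachability (internet-facing high, internal low)
    control_effectiveness: int  # 1-5: how well existing controls block the threat
    direct_cost: int            # 1-5: notification, fines, lost revenue
    indirect_cost: int          # 1-5: reputation, lost competitive advantage

def likelihood(t: Threat) -> int:
    """Combine the likelihood factors; strong controls pull the score down."""
    raw = (t.actor_capability + t.exploitability + t.exposure) / 3
    score = round(raw - (t.control_effectiveness - 3) * 0.5)  # assumed weighting
    return max(1, min(5, score))  # clamped, never zero (insiders, lateral movement)

def impact(t: Threat) -> int:
    """Impact is the worse of direct and indirect consequences."""
    return max(t.direct_cost, t.indirect_cost)

def risk_rating(like: int, imp: int) -> str:
    """Map a cell of the 5x5 matrix to a priority bucket (assumed thresholds)."""
    product = like * imp
    if product >= 15:
        return "immediate"
    if product >= 8:
        return "planned"
    if product >= 4:
        return "monitor"
    return "accept"

def prioritize(threats):
    """Score every threat and return (name, likelihood, impact, rating) by rank."""
    rows = [(t.name, likelihood(t), impact(t)) for t in threats]
    rated = [(n, l, i, risk_rating(l, i)) for n, l, i in rows]
    return sorted(rated, key=lambda r: r[1] * r[2], reverse=True)

# Constructed sample catalog: same SQL injection flaw in two exposures, plus a low-value case.
SAMPLE = [
    Threat("SQLi in internet-facing app", 3, 5, 5, 2, 4, 4),
    Threat("SQLi in internal low-use app", 2, 5, 2, 3, 4, 4),
    Threat("Defacement of throwaway test site", 2, 3, 3, 3, 1, 1),
]

if __name__ == "__main__":
    for name, like, imp, rating in prioritize(SAMPLE):
        print(f"{name:36} L={LEVELS[like]:9} I={LEVELS[imp]:9} -> {rating}")
```

Identical impact scores for the two SQL injection entries show why likelihood, not impact alone, separates "immediate" from "planned" work.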