An 8-stage framework for identifying and eliminating risk.
Risk assessment isn't a checkbox — it's the foundation of every security decision I make. This page documents my personal framework for identifying, analyzing, and mitigating cyber risk across enterprise environments. The framework is aligned with ISO 27001, NIST, and COSO standards.
Inventory every piece of hardware, software, network segment, and data repository that requires protection. You cannot defend what you don't know exists — a complete asset register is the bedrock of every subsequent step.
Map the threat landscape specific to your environment — malware, phishing, ransomware, insider threats, and supply chain compromise. Generic threat lists aren't enough; threat identification must be grounded in your industry, geography, and asset profile.
Surface weaknesses across configurations, access controls, software versions, and human factors. Vulnerabilities aren't just CVEs — they include misconfigured firewall rules, excessive permissions, and a workforce that hasn't been phishing-tested in 12 months.
Evaluate the realistic probability of each threat-vulnerability pair being exploited, factoring in threat actor capabilities, attack frequency data, and current defensive measures. Likelihood is not intuition — it must be scored against repeatable criteria.
Estimate the potential damage across four dimensions: financial loss, operational downtime, data theft and regulatory exposure, and long-term reputational damage. Impact scoring without financial context fails to drive executive buy-in or appropriate budget allocation.
Combine likelihood and impact scores into a single risk rating. This produces a prioritized, defensible register that drives resource allocation. Not all risks are equal — the matrix forces honest prioritization over gut feelings.
Scored on a 5×5 matrix — values from 1 (minimal) to 25 (critical). Anything ≥ 15 requires immediate treatment.
| LIKELIHOOD ↓ / IMPACT → | 1 — Minimal | 2 — Minor | 3 — Moderate | 4 — Major | 5 — Critical |
|---|---|---|---|---|---|
| 5 — Almost Certain | 5 | 10 | 15 | 20 | 25 |
| 4 — Likely | 4 | 8 | 12 | 16 | 20 |
| 3 — Possible | 3 | 6 | 9 | 12 | 15 |
| 2 — Unlikely | 2 | 4 | 6 | 8 | 10 |
| 1 — Rare | 1 | 2 | 3 | 4 | 5 |
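The matrix and the ≥ 15 rule above as working code, applied to a constructed risk register. This is an added example, not the page's own tooling; the `Risk` class, the function names and the sample entries are illustrative, and combining the four impact dimensions by taking the worst one is an assumption the page does not state.

```python
from dataclasses import dataclass

SCALE = range(1, 6)            # both axes run 1 .. 5 (minimal/rare .. critical/almost certain)
IMMEDIATE_THRESHOLD = 15       # page rule: a rating >= 15 requires immediate treatment
IMPACT_DIMENSIONS = ("financial", "operational", "data_regulatory", "reputational")

@dataclass
class Risk:
    name: str
    likelihood: int            # 1 Rare .. 5 Almost Certain
    impact: dict               # score per dimension in IMPACT_DIMENSIONS, each 1 .. 5

def combined_impact(dimensions: dict) -> int:
    """Assumption (not stated on the page): the worst-scoring dimension sets the impact."""
    missing = set(IMPACT_DIMENSIONS) - set(dimensions)
    if missing:
        raise ValueError(f"impact dimensions not scored: {sorted(missing)}")
    if any(score not in SCALE for score in dimensions.values()):
        raise ValueError("every impact dimension must be scored 1 .. 5")
    return max(dimensions.values())

def rate(likelihood: int, impact: int) -> int:
    """One cell of the 5x5 matrix: likelihood x impact, 1 .. 25."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must each be scored 1 .. 5")
    return likelihood * impact

def needs_immediate_treatment(rating: int) -> bool:
    return rating >= IMMEDIATE_THRESHOLD

def matrix() -> list:
    """Rows are likelihood 5 .. 1 top to bottom, columns impact 1 .. 5, as in the page's table."""
    return [[rate(lk, im) for im in SCALE] for lk in reversed(SCALE)]

def prioritize(register: list) -> list:
    """(rating, name, immediate?) tuples, highest risk first; ties broken by name."""
    scored = []
    for r in register:
        rating = rate(r.likelihood, combined_impact(r.impact))
        scored.append((rating, r.name, needs_immediate_treatment(rating)))
    return sorted(scored, key=lambda t: (-t[0], t[1]))

# Constructed sample register: illustrative entries and scores, not taken from the page.
SAMPLE_REGISTER = [
    Risk("Phishing against finance staff", 4, dict(financial=4, operational=2, data_regulatory=3, reputational=3)),
    Risk("Unpatched internet-facing VPN appliance", 3, dict(financial=3, operational=5, data_regulatory=4, reputational=3)),
    Risk("Stale contractor accounts with admin rights", 2, dict(financial=2, operational=2, data_regulatory=3, reputational=2)),
]
```

Running `prioritize(SAMPLE_REGISTER)` puts the two entries rated 16 and 15 at the top and flags both for immediate treatment, while the entry rated 6 is left for scheduled handling.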
Apply the appropriate treatment strategy for each rated risk. Remediation isn't always the answer — the right response depends on cost, business context, and residual risk tolerance. Enforce an 8-stage review pipeline before any change touches production.
Risk is not static. Continuously monitor controls, track emerging threats, and review risk ratings on a defined cadence. A risk assessment that isn't revisited becomes a liability. Monthly trending, quarterly reviews, and post-incident reassessments keep the register accurate and actionable.