Risk Assessment Methodology | Skills Pool
Risk Assessment Methodology Systematic risk identification, analysis, evaluation, and treatment aligned with ISO 27005, NIST RMF, and Hack23 ISMS risk register
Risk Assessment Methodology Skill
Purpose
This skill provides quantitative risk assessment methodology aligned with Hack23 AB's enterprise risk management framework. It enables security professionals and business leaders to systematically identify, analyze, evaluate, and treat risks using defensible statistical methods that demonstrate cybersecurity consulting expertise through measurable, data-driven risk quantification.
When to Use This Skill
Apply this skill when:
✅ Conducting quarterly risk assessments
✅ Evaluating risks for new products or services
✅ Calculating Annual Loss Expectancy (ALE) for control investments
✅ Prioritizing risk treatment based on quantitative impact
✅ Documenting risk acceptance decisions
✅ Creating risk registers for compliance frameworks
✅ Performing threat modeling with financial impact
✅ Supporting business case for security controls
✅ Responding to client risk assessment inquiries
빠른 설치
Risk Assessment Methodology npx skillvault add Hack23/hack23-cia-github-skills-risk-assessment-methodology-skill-md
스타 218
업데이트 2026. 2. 10.
직업
❌ Real-time incident response (use incident-response skill)
❌ Vulnerability scoring (use vulnerability-management skill)
❌ Code security reviews (use secure-code-review skill)
Risk Assessment Process Flow flowchart TD
START[🎯 Risk Assessment<br/>Initiation] --> IDENTIFY[📋 Risk Identification<br/>Assets • Threats • Vulnerabilities]
IDENTIFY --> ANALYZE[🔍 Risk Analysis]
ANALYZE --> LIKELIHOOD[📊 Likelihood Assessment<br/>Historical + Industry + Expert]
ANALYZE --> IMPACT[💰 Impact Assessment<br/>Financial • Operational • Reputational]
LIKELIHOOD --> CALC[🔢 Risk Score Calculation<br/>Probability × Impact × 100]
IMPACT --> CALC
CALC --> CATEGORY{Risk Level?}
CATEGORY -->|400-600| CRITICAL[🔴 Critical Risk<br/>Immediate action required]
CATEGORY -->|200-399| HIGH[🟠 High Risk<br/>Priority mitigation needed]
CATEGORY -->|100-199| MEDIUM[🟡 Medium Risk<br/>Planned controls required]
CATEGORY -->|50-99| LOW[🟢 Low Risk<br/>Monitor and accept]
CATEGORY -->|1-49| MINIMAL[⚪ Minimal Risk<br/>Accept risk]
CRITICAL --> TREAT{Treatment<br/>Decision}
HIGH --> TREAT
MEDIUM --> TREAT
LOW --> ACCEPT[✅ Accept Risk<br/>Document in Risk Register]
MINIMAL --> ACCEPT
TREAT -->|Reduce| MITIGATE[🛡️ Implement Controls<br/>Reduce likelihood or impact]
TREAT -->|Transfer| TRANSFER[🤝 Insurance/Outsource<br/>Share financial burden]
TREAT -->|Avoid| AVOID[🚫 Eliminate Activity<br/>Remove risk source]
TREAT -->|Accept| ACCEPT_HIGH[📋 Document Acceptance<br/>CEO approval required]
MITIGATE --> RESIDUAL[📉 Residual Risk<br/>Reassessment]
TRANSFER --> RESIDUAL
AVOID --> RESIDUAL
ACCEPT_HIGH --> RESIDUAL
ACCEPT --> REGISTER[📊 Risk Register<br/>Tracking & Monitoring]
RESIDUAL --> REGISTER
REGISTER --> REVIEW[🔄 Periodic Review<br/>Quarterly/Annual]
REVIEW --> START
style START fill:#1565C0,stroke:#0D47A1,stroke-width:3px,color:#fff
style CRITICAL fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#fff
style HIGH fill:#FF9800,stroke:#F57C00,stroke-width:2px
style MEDIUM fill:#FFC107,stroke:#FFA000,stroke-width:2px
style LOW fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
style MINIMAL fill:#9E9E9E,stroke:#616161,stroke-width:1px
style REGISTER fill:#9C27B0,stroke:#7B1FA2,stroke-width:2px,color:#fff
Likelihood Assessment Framework Evaluate probability using descriptive categories with quantitative ranges:
Likelihood Badge Probability Annual Frequency ARO Definition Examples Almost Certain 80-99% 292-361 events/year 0.8-0.99 Expected to occur in most circumstances Daily operational issues, routine maintenance Likely 60-79% 219-291 events/year 0.6-0.79 Will probably occur Weekly service disruptions, staff availability issues Possible 40-59% 146-218 events/year 0.4-0.59 Might occur at some time Monthly supplier issues, seasonal variations Unlikely 20-39% 73-145 events/year 0.2-0.39 Could occur but not expected Quarterly security incidents, annual contract changes Rare 5-19% 18-72 events/year 0.05-0.19 May occur only in exceptional circumstances Multi-year events, rare external factors Exceptional <5% <18 events/year <0.05 Rare, once-in-decade event Black swan events, extreme scenarios
Likelihood Assessment Methods Quantitative Data (Preferred):
# Historical frequency analysis
def calculate_aro(events_last_3_years, trend_factor=1.0):
"""Calculate Annual Rate of Occurrence from historical data"""
base_aro = sum(events_last_3_years) / 3
adjusted_aro = base_aro * trend_factor
return min(adjusted_aro, 0.99) # Cap at 99%
# Example: 8 incidents in 3 years, increasing trend
aro = calculate_aro([2, 3, 3], trend_factor=1.2) # = 0.32 (Unlikely)
Qualitative Assessment (When Data Limited):
Industry benchmarks (DBIR, ENISA Threat Landscape)
Expert judgment from security team
Peer comparison with similar organizations
Threat intelligence feeds
Impact Assessment Framework Evaluate business impact across multiple dimensions:
Impact Badge Financial Operational Reputational Regulatory Catastrophic >€50K Complete shutdown International media Criminal charges Critical €10K-50K Major disruption National media Significant fines High €1K-10K Significant degradation Industry attention Moderate penalties Moderate €500-1K Partial service impact Regional visibility Minor warnings Low €100-500 Minor inconvenience Limited local impact Verbal guidance Minimal <€100 No significant impact No external visibility No implications
Impact Score Mapping
Catastrophic = 6
Critical = 5
High = 4
Moderate = 3
Low = 2
Minimal = 1
Risk Score Calculation Formula: Risk Score = Likelihood (midpoint %) × Impact Score (1-6) × 100
Calculation Examples Example 1: Data Breach Risk
Likelihood: Unlikely (30% midpoint)
Impact: Critical (5)
Risk Score: 0.30 × 5 × 100 = 150 → 🟡 Medium Risk
Example 2: DDoS Attack Risk
Likelihood: Possible (50% midpoint)
Impact: High (4)
Risk Score: 0.50 × 4 × 100 = 200 → 🟠 High Risk
Example 3: Ransomware Risk
Likelihood: Likely (70% midpoint)
Impact: Catastrophic (6)
Risk Score: 0.70 × 6 × 100 = 420 → 🔴 Critical Risk
Risk Level Categories Risk Level Score Range Badge Management Response Review Frequency Critical 400-600 CEO immediate action, daily monitoring Daily High 200-399 Weekly executive review Weekly Medium 100-199 Monthly assessment Monthly Low 50-99 Quarterly monitoring Quarterly Minimal 1-49 Acceptance, periodic review Annual
Financial Risk Analysis
Single Loss Expectancy (SLE) Formula: SLE = Asset Value × Exposure Factor
Category Value Range Examples Mission Critical €100K-500K Core infrastructure, customer data High Value €50K-100K Business applications, intellectual property Standard €10K-50K Supporting systems, processes Low Value €1K-10K Documentation, utilities
Exposure Factor Guidelines:
Exposure Factor Description Complete Loss 0.8-1.0 Total destruction (ransomware, theft) Major Loss 0.5-0.8 Significant damage (data corruption) Moderate Loss 0.2-0.5 Partial damage (service disruption) Minor Loss 0.1-0.2 Limited impact (performance degradation)
Annual Loss Expectancy (ALE) # Ransomware attack on CIA Platform
asset_value = 200000 # €200K (Mission Critical)
exposure_factor = 0.9 # 90% loss (Complete Loss)
aro = 0.7 # 70% (Likely based on industry data)
sle = asset_value * exposure_factor # €180K
ale = sle * aro # €126K annually
Value at Risk (VaR) Framework Formula: VaR = Impact (€) × Probability × Confidence Factor × Time Horizon
Category VaR Range (€) Management Action Critical >€200K Board escalation, immediate mitigation High €50K-200K Executive committee, quarterly review Medium €10K-50K Risk committee, semi-annual review Low €1K-10K Management monitoring, annual review Minimal <€1K Acceptance, periodic review
Risk Treatment Decision Matrix graph TB
RISK[📊 Risk Identified<br/>with Score] --> EVAL{Risk Level?}
EVAL -->|Critical/High<br/>400-600, 200-399| HIGH_TREAT[🎯 Treatment Required]
EVAL -->|Medium<br/>100-199| MED_TREAT[⚖️ Treatment Evaluation]
EVAL -->|Low/Minimal<br/>1-99| LOW_TREAT[✅ Consider Acceptance]
HIGH_TREAT --> OPTIONS1[Treatment Options]
MED_TREAT --> OPTIONS2[Treatment Options]
LOW_TREAT --> ACCEPT_DIRECT[Accept Risk<br/>Document in Risk Register]
OPTIONS1 --> MITIGATE1[🛡️ Mitigate<br/>Implement controls]
OPTIONS1 --> TRANSFER1[🤝 Transfer<br/>Insurance/Outsource]
OPTIONS1 --> AVOID1[🚫 Avoid<br/>Eliminate activity]
OPTIONS2 --> MITIGATE2[🛡️ Mitigate<br/>Cost-benefit analysis]
OPTIONS2 --> ACCEPT2[📋 Accept<br/>Document rationale]
MITIGATE1 --> COST_BENEFIT{Control Cost<br/>vs ALE?}
TRANSFER1 --> COST_BENEFIT
MITIGATE2 --> COST_BENEFIT
COST_BENEFIT -->|Control < ALE| IMPLEMENT[✅ Implement Control]
COST_BENEFIT -->|Control > ALE| ACCEPT_COST[📋 Accept Risk<br/>Document decision]
AVOID1 --> BUSINESS{Business<br/>Impact?}
BUSINESS -->|Acceptable| ELIMINATE[🚫 Eliminate Risk]
BUSINESS -->|Unacceptable| FIND_ALT[🔄 Find Alternative]
IMPLEMENT --> RESIDUAL[📉 Residual Risk<br/>Assessment]
ACCEPT2 --> REGISTER[📊 Risk Register]
ACCEPT_COST --> REGISTER
ACCEPT_DIRECT --> REGISTER
ELIMINATE --> REGISTER
RESIDUAL --> REEVAL{Still<br/>High/Critical?}
REEVAL -->|Yes| ADDITIONAL[Additional Controls<br/>Required]
REEVAL -->|No| REGISTER
ADDITIONAL --> COST_BENEFIT
style RISK fill:#1565C0,stroke:#0D47A1,stroke-width:3px,color:#fff
style HIGH_TREAT fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#fff
style MED_TREAT fill:#FF9800,stroke:#F57C00,stroke-width:2px
style IMPLEMENT fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
style REGISTER fill:#9C27B0,stroke:#7B1FA2,stroke-width:2px,color:#fff
Control Value = ALE (Before) - ALE (After) - Control Cost
def control_roi(ale_before, ale_after, control_cost_annual):
"""Calculate return on investment for security control"""
annual_benefit = ale_before - ale_after
net_benefit = annual_benefit - control_cost_annual
roi_percentage = (net_benefit / control_cost_annual) * 100
return {
'annual_benefit': annual_benefit,
'net_benefit': net_benefit,
'roi_percentage': roi_percentage,
'recommendation': 'Implement' if net_benefit > 0 else 'Reject'
}
# Example: MFA implementation
result = control_roi(
ale_before=126000, # €126K ransomware risk
ale_after=12600, # 90% reduction
control_cost_annual=5000 # €5K/year for MFA
)
# Result: €108.4K net benefit, 2068% ROI → Implement
Risk Assessment Templates
Template 1: Comprehensive Risk Assessment # Risk Assessment: [Risk Name]
**Risk ID:** RSK-2025-XXX
**Assessment Date:** 2025-01-XX
**Assessor:** [Name/Role]
**Status:** Open/Mitigated/Accepted/Closed
## Risk Description
Brief description of the risk scenario.
## Asset Information
- **Primary Asset:** [Asset name]
- **Asset Value:** €X
- **Classification:** [Confidentiality/Integrity/Availability levels]
## Threat & Vulnerability
- **Threat Actor:** [Who/what causes the risk]
- **Threat Motivation:** [Why would they exploit this]
- **Vulnerability:** [What weakness enables exploitation]
- **Attack Vector:** [How the attack occurs]
## Likelihood Assessment
- **Category:** [Exceptional/Rare/Unlikely/Possible/Likely/Almost Certain]
- **Probability:** X%
- **ARO:** X.XX
- **Evidence:** [Historical data, industry benchmarks, expert judgment]
## Impact Assessment
- **Financial:** €X (Category: [Minimal/Low/Moderate/High/Critical/Catastrophic])
- **Operational:** [Description]
- **Reputational:** [Description]
- **Regulatory:** [Description]
- **Impact Score:** X (1-6)
## Risk Calculation
- **Risk Score:** [Probability × Impact × 100] = XXX
- **Risk Level:** 🔴/🟠/🟡/🟢/⚪ [Critical/High/Medium/Low/Minimal]
## Financial Analysis
- **Asset Value:** €X
- **Exposure Factor:** X.X
- **SLE:** €X
- **ALE:** €X
## Current Controls
- [Existing control 1]
- [Existing control 2]
## Recommended Treatment
- **Strategy:** Mitigate/Transfer/Avoid/Accept
- **Proposed Controls:** [List controls]
- **Control Cost:** €X annually
- **Residual Risk Score:** XXX → [Risk Level]
- **Cost-Benefit:** Net benefit €X, ROI X%
- **Recommendation:** Implement/Reject
## Approval
- **Risk Owner:** [Name/Role]
- **Approval Date:** 2025-XX-XX
- **Review Date:** 2025-XX-XX
Template 2: Quick Risk Matrix Risk ID Description Likelihood Impact Score Level Treatment Owner RSK-001 Data breach Unlikely (30%) Critical (5) 150 🟡 Medium MFA implementation CTO RSK-002 DDoS attack Possible (50%) High (4) 200 🟠 High CDN + WAF CTO RSK-003 Ransomware Likely (70%) Catastrophic (6) 420 🔴 Critical Backup + EDR CEO
Integration with Classification Framework
CIA Triad Mapping
Very High (C5) → Catastrophic financial impact
High (C4) → Critical financial impact
Moderate (C3) → High financial impact
Low (C2) → Moderate financial impact
Minimal (C1) → Low financial impact
Critical (I5) → Catastrophic operational impact
High (I4) → Critical operational impact
Moderate (I3) → High operational impact
Low (I2) → Moderate operational impact
Minimal (I1) → Low operational impact
Mission Critical (A5) → Catastrophic business impact
High (A4) → Critical business impact
Moderate (A3) → High business impact
Low (A2) → Moderate business impact
Minimal (A1) → Low business impact
Practical Examples
risk_id: "RSK-2025-001"
risk_name: "Ransomware attack on CIA Platform"
02
Purpose
