Distinguishing risk from threat and vulnerability was your first step. Now we turn that knowledge into action. When a mid‑sized hospital identified 23 critical assets and mapped their exposure, the risk assessment process revealed that a single unpatched PACS server could halt radiology for days. That insight forced an emergency change window — before any attacker found it. In this lesson, you’ll perform identification, analysis, and evaluation steps that transform guesswork into a defensible risk posture.
Risk identification requires pairing every critical asset with the threats and vulnerabilities that can compromise it. Walk through your environment: servers, databases, cloud buckets, employee laptops, APIs. For each, list realistic threat sources — from disgruntled insiders to opportunistic ransomware gangs — and the vulnerabilities (missing patches, default credentials, lack of encryption). This produces a risk register, the foundational document for the entire process.
💡 Pro‑tip: The most common mistake is identifying threats without linking them to specific assets. A threat without an asset is a hypothetical; a threat with an asset is a business risk.
The command above reveals the hostname, active interfaces, critical services like nginx, and a backup cron job. Each becomes an asset row in your risk register. An attacker could target nginx via a web vulnerability, or attempt to tamper with the backup job to erase evidence.
Once risks are identified, you must estimate how likely they are to occur and what the impact would be if they did. Common methods include qualitative (High/Medium/Low) and quantitative (Annualized Loss Expectancy). A simple matrix multiplies likelihood by impact to produce a risk score. For example, a vulnerability with a public exploit (High likelihood) on a customer database (Critical impact) yields a risk score that demands immediate treatment.
📌 Key insight: Likelihood isn’t a guess. It’s fed by threat intelligence — CVSS scores, known exploit availability, and telemetry from your own SIEM (Security Information and Event Management). If you see scanning on port 443, likelihood of a successful attack on an unpatched web server goes up.
```python
# Simple risk score calculator: risk score = likelihood x impact, both on a 1-5 scale
assets = [
    {"name": "Customer DB", "likelihood": 4, "impact": 5},
    {"name": "Dev wiki", "likelihood": 2, "impact": 2},
    {"name": "VPN gateway", "likelihood": 3, "impact": 4},
]
for asset in assets:
    # Each row of the risk register gets one score; banding (Low/High/Critical) is applied afterwards
    score = asset["likelihood"] * asset["impact"]
    print(f"{asset['name']}: Risk Score = {score}")
```

| Asset | Threat | Likelihood (1‑5) | Impact (1‑5) | Risk Score |
|---|---|---|---|---|
| Customer DB | SQL Injection | 4 | 5 | 20 (Critical) |
| Dev wiki | Password brute‑force | 2 | 2 | 4 (Low) |
| VPN gateway | Zero‑day exploit | 3 | 4 | 12 (High) |
Evaluation compares the calculated risk scores against your organization’s risk appetite. Not every critical risk gets fixed immediately if the cost exceeds the business benefit, but those that exceed the risk threshold must be treated. The output is a prioritised list that feeds directly into risk treatment strategies — avoid, mitigate, transfer, or accept — which you’ll master in the next lesson.
⚠️ Risk assessment without a defined risk appetite is useless. If leadership says “we accept all medium risks”, then spending $500K to reduce a medium risk is a poor business decision.
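To tie the analysis and evaluation steps together, here is an added worked example (written for this lesson, not code from the original page). It extends the simple calculator above in three ways the text describes: likelihood is adjusted by evidence (a public exploit, scanning seen in the SIEM) rather than guessed; each risk also carries a quantitative view (SLE = asset value × exposure factor, ALE = SLE × ARO); and evaluation filters the register against a stated risk appetite and checks whether a proposed control costs more than the loss it removes. The rating bands, the +1 evidence adjustments, the asset values and the control costs are all assumptions chosen so the register reproduces the lesson's table (20 Critical, 12 High, 4 Low); your own bands and figures will differ.

```python
from dataclasses import dataclass

# Rating bands for a 1-5 x 1-5 matrix. Assumed thresholds, chosen to match the
# lesson's table (20 -> Critical, 12 -> High, 4 -> Low). Ordered highest first.
BANDS = [(16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]


def rate(score: int) -> str:
    """Map a numeric risk score onto a qualitative band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    base_likelihood: int        # 1-5, analyst estimate before evidence is applied
    impact: int                 # 1-5
    asset_value: float          # for the quantitative view (currency units, constructed)
    exposure_factor: float      # fraction of asset value lost per incident (0-1)
    aro: float                  # annualised rate of occurrence
    exploit_public: bool = False   # threat-intel signal: a public exploit exists
    scanning_seen: bool = False    # SIEM telemetry signal: scanning observed

    def likelihood(self) -> int:
        # Evidence moves likelihood up from the base estimate, capped at 5.
        # The +1 per signal is an illustrative rule, not a standard formula.
        adjusted = self.base_likelihood + int(self.exploit_public) + int(self.scanning_seen)
        return min(5, adjusted)

    def score(self) -> int:
        return self.likelihood() * self.impact

    def sle(self) -> float:
        """Single Loss Expectancy."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy."""
        return self.sle() * self.aro


def evaluate(register, treat_at="High"):
    """Return the risks at or above the appetite threshold, highest score first."""
    order = {label: i for i, (_, label) in enumerate(BANDS)}   # Critical=0 ... Low=3
    cutoff = order[treat_at]
    flagged = [r for r in register if order[rate(r.score())] <= cutoff]
    return sorted(flagged, key=lambda r: (r.score(), r.ale()), reverse=True)


def worth_treating(risk: Risk, control_cost: float, aro_after: float) -> bool:
    """A control pays for itself only if the yearly loss it removes exceeds its cost."""
    ale_after = risk.sle() * aro_after
    return (risk.ale() - ale_after) > control_cost


# Constructed register mirroring the lesson's table; values are illustrative.
REGISTER = [
    Risk("Customer DB", "SQL Injection", 3, 5, 2_000_000, 0.5, 0.5, exploit_public=True),
    Risk("Dev wiki", "Password brute-force", 2, 2, 50_000, 0.2, 0.5),
    Risk("VPN gateway", "Zero-day exploit", 3, 4, 800_000, 0.3, 0.25),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:12} L={r.likelihood()} I={r.impact} "
              f"score={r.score():2} ({rate(r.score())}) ALE={r.ale():,.0f}")
    print("Treat first:", [r.asset for r in evaluate(REGISTER, treat_at="High")])
    # A $500K control against the Low-rated wiki risk fails the cost check
    print("Wiki control worth it?", worth_treating(REGISTER[1], 500_000, aro_after=0.0))
```

Note that the Customer DB starts at a base likelihood of 3 and is pushed to 4 by the public-exploit signal, which is what turns a High risk into a Critical one; removing that evidence from the register would change the priority order, which is exactly why likelihood should be fed by intelligence rather than intuition.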