Last updated: October 13, 2025

Risk assessments are nothing new, and whether you like it or not, if you work in information security, you are in the risk management business. As organizations rely more on information technology and information systems to do business, the threat landscape expands, exposing those systems and the ecosystems around them to new critical vulnerabilities.

The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework to provide a base for risk assessment practices.


What is cyber risk?

Cyber risk is the likelihood of suffering a negative disruption to sensitive data, finances, or business operations online, weighed against the damage such a disruption would cause. Cyber risks are commonly associated with events that could result in a data breach.

Cyber risks are sometimes loosely referred to as security threats, although strictly a threat is the potential cause of harm and the risk is the chance of that harm materializing. Examples of cyber risks include:

There are practical strategies that you can take to reduce your cybersecurity risk.

Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A vulnerability is a weakness that a threat can exploit (for example, to gain unauthorized access to a network); a cyber risk is the probability of that vulnerability being exploited, combined with the impact if it is.

Cyber risks are rated on a scale from zero through low, medium, and high. The three factors that drive a risk rating, and that the calculation below multiplies together, are:

  • Threat: how likely an adversary or event is to target the asset.
  • Vulnerability: how exploitable the asset's weaknesses are, given the controls currently in place.
  • Information value: what the asset is worth to the business, including regulatory and reputational cost.

UpGuard's risk profile feature categorizes discovered risks by impact factor.
Using this simple methodology, a high-level calculation of cyber risk in an IT infrastructure can be developed:

Cyber risk = Threat x Vulnerability x Information Value


Imagine you were to assess the risk of a cyber attack compromising a particular operating system. Version 1.7 of that operating system has a known backdoor that is easily exploitable by anyone with physical access, and the system stores high-value information. If your office has no physical security, your risk is high.

However, if you have good IT staff who can identify vulnerabilities and they update the operating system to version 1.8, in which the backdoor was patched, your vulnerability is low even though the information value is still high.

A few things to keep in mind: very few things carry zero risk to a business process or information system, and risk implies uncertainty. If something is guaranteed to happen, it is not a risk; it is part of general business operations.

The process of quantifying cyber risks is a function of potential risks, risk tolerance, your specific cybersecurity threats, and other risk mitigation factors. To learn more about this process, refer to this post.

What is a cyber risk assessment?

NIST (in Special Publication 800-30) defines a risk assessment as the process of identifying, estimating, and prioritizing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

The primary purpose of a cyber risk assessment is to keep stakeholders informed and support proper responses to identified risks. They also provide an executive summary to help executives and directors make informed decisions about security.


Case study: Aligning security with business value

A mid-sized healthcare provider avoided a significant HIPAA violation penalty by proactively mapping their patient data assets and implementing new controls identified during a risk assessment. They realized their internal database, which contained thousands of Protected Health Information (PHI) records, had the highest Information Value (due to regulatory fines). They shifted the budget from perimeter defense to mandatory Multi-Factor Authentication (MFA) for internal access and implemented continuous monitoring, successfully mitigating the highest-impact risk.

Initial audit and parameter definition

Before you start assessing and mitigating risks, you must understand your data, infrastructure, and the value of the data you are trying to protect.

Start by auditing your data to answer these questions:

  • What data do we collect?
  • How and where are we storing this data?
  • How long do we keep data?
  • Who has access to the data both internally and externally?

Next, you'll define the parameters of your assessment:

  • What is the purpose and scope of the assessment?
  • Are there any constraints that could affect the assessment (e.g., budget limits)?
  • What risk model does the organization use?

The key takeaway

A thorough risk assessment is one of the most effective ways to reduce long-term costs, because it prevents or reduces security incidents. It ensures that your security resources (money, time, and personnel) are strategically aligned with your most critical business assets and regulatory requirements.

For an overview of the top features of an ideal risk assessment solution, read this post comparing the top third-party risk assessment software options.

Why perform a cyber risk assessment?

There are several reasons you want to perform a cyber risk assessment and a few reasons you need to. Let's walk through them:

  • Reduction of Long-Term Costs - Identifying potential threats and vulnerabilities and then mitigating them can prevent or reduce security incidents, saving your organization money and reputational damage in the long term.
  • Provides a Cybersecurity Risk Assessment Template for Future Assessments - Cyber risk assessments are not one-off processes; you need to update them continually, and doing a good first turn gives you a repeatable process that survives staff turnover.
  • Better Organizational Knowledge - Knowing organizational vulnerabilities gives you a clear idea of where your organization needs to improve.
  • Avoid Data Breaches - Data breaches can have a huge financial and reputational impact on any organization.
  • Avoid Regulatory Issues - Customer data stolen because you failed to comply with HIPAA, PCI DSS, or APRA CPS 234 exposes you to fines and enforcement action on top of the breach itself.
  • Avoid Application Downtime - Internal or customer-facing systems must be available and functioning for staff and customers to do their jobs.
  • Avoid Data Loss - Theft of trade secrets, code, or other critical information assets could mean you lose business to competitors.

Beyond that, cyber risk assessments are integral to information risk management and any organization's broader risk management strategy.


Who Should Perform a Cyber Risk Assessment?

Ideally, organizations should have dedicated in-house teams performing risk assessments. This means having IT staff who understand how your digital and network infrastructure works, executives who understand how information flows, and anyone holding proprietary organizational knowledge that may be useful during the assessment.

Organizational transparency is key to a thorough cyber risk assessment.

Small businesses may not have the right people in-house to do a thorough job and must outsource assessment to a third party. Organizations are also turning to cybersecurity software to monitor their cybersecurity score, prevent breaches, send security questionnaires, and reduce third-party risk.


How to perform a cyber risk assessment

We'll start with a high-level overview and drill down into each step in the following sections. After reviewing this process, you may want to reference this more in-depth overview of the third-party risk assessment process.

As noted above, before you start assessing and mitigating risks, you must understand your data, your infrastructure, and the value of the data you are trying to protect.

You may want to start by auditing your data to answer the following questions:

  • What data do we collect?
  • How and where are we storing this data?
  • How do we protect and document the data?
  • How long do we keep data?
  • Who has access internally and externally to the data?
  • Is the place we are storing the data properly secured? Many breaches come from poorly configured S3 buckets; check your bucket policies, ACLs, and Public Access Block settings, or someone else will.

Next, you'll want to define the parameters of your assessment. Here are a few good primer questions to get you started:

  • What is the purpose of the assessment?
  • What is the scope of the assessment?
  • Are there any priorities or constraints I should know about that could affect the assessment?
  • Who do I need access to in the organization to get all the information I need?
  • What risk model does the organization use for risk analysis?

A lot of these questions are self-explanatory. What you want to know is what you'll be analyzing, who has the expertise to assess them appropriately, and whether there are any regulatory requirements or budget constraints you need to be aware of.

Before getting started on your risk assessment project, download your free cybersecurity risk assessment template.

Step 1: Determine informational value

The core of a practical risk assessment is understanding that you don't have an unlimited budget for information risk management. This step is about defining a standard for determining the importance of an asset to limit your scope to the most business-critical assets.

A high-value asset might be intellectual property that, if leaked, would cost the business a competitive edge, or customer data that, if breached, would trigger massive regulatory fines.

Take a startup SaaS company that prioritized its internal Intellectual Property (IP), its source code and algorithms, over the customer data stored in its application. When a misconfigured cloud database led to a breach of Personally Identifiable Information (PII), the resulting GDPR fines and customer churn were far more financially devastating than the IP loss would have been. Prioritizing based on true financial and regulatory risk is crucial.

Once a standard is formally incorporated into the organization’s information risk management policy, use it to classify each asset as critical, major, or minor.

Evaluating data sensitivity and value checklist

To determine value, ask these critical questions:

  • Identify legal/regulatory requirements: Does the data fall under HIPAA, GDPR, PCI DSS, or APRA CPS 234? Are there financial or legal penalties associated with exposing or losing this information?
  • Assess financial impact: Would losing this information have an impact on revenue or profitability? How valuable is this information to a competitor?
  • Determine operational impact: Would losing this data impact day-to-day business operations? Could our staff work without it?
  • Measure reputational damage: What would be the reputational damage of this data being leaked?
  • Analyze replacement cost/feasibility: Could we recreate this information from scratch? How long would it take, and what would be the associated costs?

Sensitive data categories

Data that often triggers the highest risk classification includes:

  • Personally Identifiable Information (PII): Names, addresses, social security numbers, and birth dates.
  • Protected Health Information (PHI): Medical records and health insurance information (relevant for HIPAA compliance).
  • Payment Card Industry Data (PCI): Credit card numbers, expiration dates, and CVV (relevant for PCI DSS compliance).
  • Intellectual Property (IP) & Trade Secrets: Source code, proprietary algorithms, and future product roadmaps.
  • Financial data: Customer financial statements, internal revenue documents, and merger and acquisition details.

The outcome of this step is a prioritized list of assets based on their financial and reputational value to the organization, which will directly inform the next step.

Step 2: Identify and prioritize assets

The first part of this step is creating a comprehensive list of all valuable assets by working with business users and management. Assets are not limited to electronics; they can include buildings, employees, trade secrets, and office equipment. Remember, not all assets have the same value.

Case Study: A medium-sized financial services firm was preparing for an APRA CPS 234 audit. Their initial asset register only included sanctioned, on-premise systems. A thorough assessment process forced them to talk to department heads, uncovering "shadow IT"—specifically, a handful of SaaS platforms used for internal testing and data analysis. These platforms, which had critical data integrations, were quickly mapped and integrated into the asset register, allowing the firm to implement necessary security controls and avoid a significant non-compliance finding during the formal audit.

For each identified asset, gather the following information where applicable:

  • Software
  • Hardware
  • Data
  • Interface
  • End-users and support personnel
  • Purpose and criticality
  • IT security policies and architecture
  • Network topology and information flow
  • Technical, physical, and environmental security controls

  1. Physical assets

These include the tangible resources that house or protect your data:

  • Data centers, server rooms, and office buildings.
  • Employee hardware (laptops, mobile devices).
  • Physical security controls (e.g., locks, keycard access).

  2. Cloud and virtual infrastructure

This is often the most dynamic and complex category of assets to track:

  • AWS/Azure/GCP environments and virtual machines.
  • Cloud storage (e.g., S3 buckets, Azure Blob storage).
  • Infrastructure-as-Code (IaC) repositories (e.g., Terraform or CloudFormation scripts).

  3. Business systems and SaaS platforms

Any third-party service or application that processes or stores your critical data:

  • Customer Relationship Management (CRM) tools (e.g., Salesforce).
  • Enterprise Resource Planning (ERP) systems (e.g., SAP).
  • HR and payroll systems (e.g., Workday).

Asset prioritization: The risk matrix

Asset prioritization is simplified with a risk matrix indicating critical risks most likely to negatively impact your security posture. This matrix helps summarize your risk exposure and is especially useful for managing third-party vendor risk.


Step 3: Identify cyber threats

A cyber threat is any potential danger—person, object, or event—that could exploit a vulnerability to cause harm or steal data from your organization. This step is about identifying the "who" and "what" that might target your assets.

  1. Common adversarial threat types

These are the intentional threats actively trying to gain unauthorized access.

  • Phishing and social engineering: Tactics to trick authorized users into revealing credentials or clicking malicious links. The human element is often the easiest attack vector to exploit.
  • Malware and ransomware: Malicious software designed to block access to data (ransomware), exfiltrate it, or alter or delete it.
  • Insider threats: Current or former employees, contractors, or trusted insiders who misuse information without approval, or intentionally alter or delete data.
  • External adversarial threats: Established hacker collectives, ad hoc groups, corporate espionage, and nation-states. This also includes third-party vendors, who are a common source of data leaks and cyberattacks.

  2. Non-adversarial and systemic threats

These are non-intentional events that can cause the same level of harm as a targeted attack.

  • Natural disasters: Floods, hurricanes, earthquakes, and fire can destroy data and servers, leading to data loss and service disruption.
  • System failure: Outages due to hardware failure, poor equipment quality, or lack of support.
  • Human error: Accidental loss of data due to poor backup or replication, or data leaks from poorly configured cloud services.

Practical threat intelligence tips

  • Utilize threat intel feeds: Subscribe to industry-specific threat feeds to understand current Tactics, Techniques, and Procedures (TTPs) and active campaigns relevant to your sector.
  • Conduct attack simulations: Use red teaming or attack simulation software to model how identified threats would specifically target your prioritized assets (from Step 2).
  • Develop an incident response plan: To ensure your security teams will respond to cyber threats promptly, ensure you have a well-designed and regularly tested Incident Response Plan.


Step 4: Identify vulnerabilities

Now the focus shifts from the "could" (threat) to the "can" (vulnerability). A vulnerability is a weakness that a threat can exploit to breach security, harm your organization, or steal sensitive data. The key difference is that a cyber risk is the probability of a vulnerability being exploited, while the vulnerability is the weakness itself.

Identifying vulnerabilities is simplified with an Attack Surface Monitoring solution, which continuously discovers exposed assets and misconfigurations in your digital footprint so you can reduce the number of attack vectors and, with them, your risk of a data breach.

Examples of typical vulnerabilities

Vulnerabilities are typically found through vulnerability analysis, audit reports, and databases such as the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST).

  • Outdated/Unpatched Software: The failure to apply security patches to operating systems, applications, or firmware.
    • Action: Implement proper patch management; automate updates where it is safe to do so, and test patches before rolling them out to production systems.
  • Weak authentication: Using simple or default passwords, or failing to implement Multi-Factor Authentication (MFA).
    • Action: Enforce MFA across all critical systems.
  • Misconfigurations: Errors in cloud environment settings (e.g., publicly exposed S3 buckets) or incorrectly set firewall rules.
    • Action: Use continuous security monitoring and configuration checks.
  • Lack of segmentation: A flat network that allows an attacker to move easily (lateral movement) after initial compromise.
    • Action: Implement network segmentation to limit the blast radius of an attack.
  • Physical weaknesses: The chance of someone gaining access to an organization’s computing system due to a lack of physical controls.
    • Action: Use keycard access and security personnel to limit physical access.
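As an added example of the configuration check the misconfiguration item above calls for (illustrative code written for this page, not UpGuard's or AWS's own tooling), the script below flags S3 buckets exposed through a public bucket policy or ACL. It works offline on configuration documents you have already exported with the AWS CLI, so the bucket names, policy statements and VPC endpoint ID in the samples are constructed for illustration; the ACL grantee URIs and the Public Access Block setting names are the real ones AWS uses.

```python
"""Offline check for S3 buckets exposed through a public bucket policy or ACL.

Added example, not from the original article. It evaluates configuration you have
already exported (aws s3api get-bucket-policy / get-bucket-acl / get-public-access-block),
so nothing here talks to AWS; the sample buckets at the bottom are constructed.
"""
import json
from typing import List, Optional, Tuple

# Grantee URIs AWS uses for "everyone" and "any AWS account" in S3 ACLs (real values).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GROUPS = {ALL_USERS, AUTH_USERS}
# Setting names from the S3 PublicAccessBlockConfiguration (real values).
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal) -> bool:
    """True when a statement's Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json: Optional[str]) -> List[Tuple[str, str]]:
    """(Sid, kind) for each Allow statement with a public Principal.

    kind is "public" when nothing narrows the grant and "public-with-condition" when a
    Condition is present; conditioned grants still need review because a mistyped
    aws:SourceVpce or aws:SourceIp value is a common way a "private" bucket leaks.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):        # a lone statement may appear unlisted
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow" and principal_is_public(st.get("Principal")):
            kind = "public-with-condition" if st.get("Condition") else "public"
            findings.append((st.get("Sid", f"statement[{i}]"), kind))
    return findings


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """(group, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def assess_bucket(name: str, policy_json: Optional[str], acl: dict, pab: dict) -> dict:
    """Combine the checks into one finding with a qualitative risk label.

    A public grant is "high" risk unless all four Public Access Block settings are on,
    in which case it is "medium": the block neutralizes it today, but the latent grant
    should still be removed so a later change to the block cannot re-expose the data.
    """
    pab_on = all(pab.get(k, False) for k in PAB_KEYS)
    policy_findings = public_policy_statements(policy_json)
    acl_findings = public_acl_grants(acl)
    exposed = bool(policy_findings or acl_findings)
    risk = "high" if exposed and not pab_on else "medium" if exposed else "low"
    return {"bucket": name, "public_policy": policy_findings, "public_acl": acl_findings,
            "public_access_block": pab_on, "risk": risk}


def _policy(statement: dict) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed sample configurations; bucket names and the VPC endpoint ID are hypothetical.
SAMPLE_BUCKETS = [
    ("marketing-assets-example",
     _policy({"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::marketing-assets-example/*"}),
     {"Grants": []}, {k: False for k in PAB_KEYS}),
    ("finance-backups-example", None,
     {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     {k: True for k in PAB_KEYS}),
    ("vpc-only-example",
     _policy({"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vpc-only-example/*",
              "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}),
     {"Grants": []}, {k: True for k in PAB_KEYS}),
]


def run_samples() -> List[dict]:
    return [assess_bucket(*bucket) for bucket in SAMPLE_BUCKETS]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

Running the script reports the first sample bucket as high risk (a wildcard policy and no Public Access Block), the second as medium (a public ACL grant that the block currently neutralizes but that should still be removed), and the third as medium because its public statement is narrowed only by a condition that a reviewer must confirm. Feeding it real exports is a matter of replacing SAMPLE_BUCKETS with the output of the three aws s3api calls named in the docstring.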


Step 5: Analyze controls and implement new controls

Controls are the mechanisms—technical, administrative, or physical—put in place to minimize or eliminate the probability of a threat exploiting a vulnerability.

Controls can be implemented through technical means, such as encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, and continuous data leak detection. They can also be non-technical, such as security policies and physical mechanisms like locks or keycard access.

Control framework comparison

Your choice of framework depends on your industry, risk appetite, and any applicable regulations. The NIST Cybersecurity Framework is popular for most general cybersecurity program requirements.

  • NIST Cybersecurity Framework (CSF) - Primary focus: flexible, risk-based management organized around the functions Identify, Protect, Detect, Respond, and Recover (CSF 2.0 adds Govern). Best for: general program requirements and aligning security to business outcomes.
  • ISO/IEC 27001 - Primary focus: establishing, implementing, and maintaining an Information Security Management System (ISMS). Best for: organizations that require an internationally recognized standard and formal certification.
  • CIS Critical Security Controls - Primary focus: a prioritized, smaller set of best practices to defend against common attacks. Best for: quick, actionable implementation and maximizing defense effectiveness with limited resources.

Reactive vs. proactive control strategies

Controls are commonly classified as preventive or detective (corrective controls, which restore service or data after an incident, are sometimes listed as a third class):

  • Preventive (proactive) - Goal: stop the attack from succeeding. Examples: firewalls, strong encryption, Multi-Factor Authentication (MFA), network segmentation, and least-privilege access.
  • Detective (reactive) - Goal: discover an attack while it is in progress or immediately after it occurs. Examples: continuous data exposure detection, Security Information and Event Management (SIEM), intrusion detection systems, and audit logs.


Step 6: Calculate the likelihood and impact of various scenarios on a per-year basis

You now know the Information Value (Step 1), Threats (Step 3), Vulnerabilities (Step 4), and existing Controls (Step 5). The next step is to quantify the risk by identifying the likelihood of these scenarios occurring and their potential impact if they do.

Change your mindset from "will I be breached?" to "how often is this likely to happen, and how much will it cost me each time it does?"

A simple methodology for high-level calculation of cyber risk is:

Cyber Risk = Threat × Vulnerability × Information Value

Sample scenarios with impact analysis

  • Ransomware attack on financial records - Likelihood: Very Low (once in 50 years). Impact: High. Analysis: a finance database stores information valued at $100 million (information value). You estimate that an insider could exploit a weak-authentication vulnerability roughly once in 50 years (an annualized rate of occurrence of 0.02) and that one incident would cost $50 million (the single loss expectancy, here half the asset value). The Annualized Loss Expectancy (ALE) is therefore $50 million × 0.02 = $1 million per year. Note that on the qualitative scale below a 1-in-50-year event rates only "Very Low" likelihood, yet its ALE dwarfs the second scenario's; this is why quantitative estimates belong alongside the heat map.
  • Accidental exposure of marketing data - Likelihood: High. Impact: Low. Analysis: due to poor cloud storage configuration, a non-critical marketing database is exposed. Since the data is non-PII (low impact), the ALE is minimal despite the high likelihood score.

Mapping likelihood vs. business impact

Likelihood is rated from very low to high and impact from low to high; the two ratings are combined in the risk matrix.

  • Likelihood Scale:
    • Very Low: Once in 20+ years.
    • Low: Once in 5-20 years.
    • Medium: Once every 1-5 years.
    • High: Multiple times per year.
  • Impact Scale:
    • Low: Minor financial cost, no reputation damage.
    • Medium: Significant financial cost, minor regulatory fines, and recoverable reputation loss.
    • High: Massive regulatory fines, severe reputation loss, major operational disruption, possible business closure.


Step 7: Prioritize risks based on the cost of prevention vs. information value

You have now calculated the risk score for various scenarios. The final step is to determine which risks to address, which to accept, and which to transfer, ensuring that the cost of protection doesn't exceed the value of the asset being protected.

If it costs more to protect the asset than it's worth, it may not make sense to use a preventive control to protect it. Remember to factor in reputational impact, not just financial impact.

  1. Risk matrix / heatmap

The risk matrix is a visual tool that plots the calculated Likelihood against Impact to quickly prioritize where resources must be allocated.

  • High (Red Zone): Risks in this quadrant demand corrective measures to be developed as soon as possible.
  • Medium (Yellow Zone): Risks here require prompt measures to be developed within a reasonable timeframe.
  • Low (Green Zone): Management can decide whether to accept the risk or mitigate.

  2. Cost-benefit analysis

This is the financial justification for your security decisions, comparing the Annualized Loss Expectancy (ALE) against the Cost of Control (CC). The shorthand below assumes the control removes the risk entirely; where it only reduces the risk, compare the cost against the reduction in ALE (ALE before the control minus ALE after it).

  • Mitigation justified: If ALE > CC. (E.g., ALE is $1M/year; spending $500K on new controls is financially sensible).
  • Mitigation not justified: If ALE < CC. (E.g., ALE is $5K/year; spending $50K on new controls is not financially sensible).

  3. Real-world prioritization decisions

  • Risk mitigation: The most common approach involves implementing controls to reduce the likelihood or impact of the risk (e.g., implementing MFA).
  • Risk acceptance: Formally acknowledging that a risk exists but choosing to take no action (e.g., for a "Low" risk where the mitigation cost is too high).
  • Risk transfer: Shifting the financial burden to another entity (e.g., purchasing cyber insurance).
  • Risk avoidance: Changing business practices to eliminate the risk entirely (e.g., stopping the collection of PII).
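To make Step 6 and Step 7 concrete, the following added example (written for this page, not code from the original article) scores a two-entry risk register: it computes single loss expectancy and ALE for each scenario, maps the annualized rate of occurrence onto the article's likelihood scale, places the scenario in a heat-map zone, and then compares the ALE reduction a control would deliver with that control's annual cost. The dollar figures mirror the two sample scenarios above; the impact thresholds, the heat-map zone rules, and the assumed post-control occurrence rates are assumptions made for the example.

```python
"""ALE scoring, qualitative rating and control cost-benefit for a small risk register.

Added example, not code from the original article. Scenario figures are constructed to
mirror the article's two sample scenarios; impact thresholds, heat-map zones and the
post-control occurrence rates are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Impact thresholds in dollars (assumed): below the first is Low, below the second Medium.
IMPACT_THRESHOLDS = [(100_000.0, "Low"), (10_000_000.0, "Medium")]
LIKELIHOOD_ORDER = ["Very Low", "Low", "Medium", "High"]
IMPACT_ORDER = ["Low", "Medium", "High"]


def likelihood_label(aro: float) -> str:
    """Map an annualized rate of occurrence (incidents per year) to the article's scale."""
    if aro > 1.0:
        return "High"       # multiple times per year
    if aro >= 1 / 5:
        return "Medium"     # once every 1-5 years
    if aro >= 1 / 20:
        return "Low"        # once every 5-20 years
    return "Very Low"       # once in 20+ years


def impact_label(single_loss: float) -> str:
    """Map the dollar loss of one incident to Low/Medium/High (thresholds assumed)."""
    for limit, label in IMPACT_THRESHOLDS:
        if single_loss < limit:
            return label
    return "High"


def heatmap_zone(likelihood: str, impact: str) -> str:
    """Assumed 4x3 heat map: Red = act now, Yellow = schedule, Green = accept or mitigate."""
    l_rank = LIKELIHOOD_ORDER.index(likelihood)
    i_rank = IMPACT_ORDER.index(impact)
    if (i_rank == 2 and l_rank >= 2) or (i_rank == 1 and l_rank == 3):
        return "Red"
    if i_rank == 0 and l_rank <= 1:
        return "Green"
    return "Yellow"


@dataclass
class Scenario:
    name: str
    asset_value: float                  # information value (Step 1), dollars
    exposure_factor: float              # fraction of asset value lost per incident, 0..1
    aro: float                          # annualized rate of occurrence today
    control_cost: float                 # annual cost of the proposed control
    aro_after: Optional[float] = None   # ARO with the control in place (None = unchanged)

    @property
    def sle(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before the control: SLE x ARO."""
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        """ALE once the control is in place."""
        return self.sle * (self.aro if self.aro_after is None else self.aro_after)


def cost_benefit(s: Scenario) -> dict:
    """Compare what the control removes (ALE before minus ALE after) with what it costs.

    The article's shorthand "mitigate if ALE > CC" is the special case where the control
    eliminates the risk; ROSI = (risk reduction - cost) / cost.
    """
    reduction = s.ale - s.ale_after
    rosi = (reduction - s.control_cost) / s.control_cost if s.control_cost else float("inf")
    likelihood, impact = likelihood_label(s.aro), impact_label(s.sle)
    return {
        "scenario": s.name, "likelihood": likelihood, "impact": impact,
        "zone": heatmap_zone(likelihood, impact),
        "ale": round(s.ale, 2), "ale_after": round(s.ale_after, 2),
        "control_cost": s.control_cost, "rosi": round(rosi, 2),
        "decision": "mitigate" if reduction > s.control_cost else "accept or transfer",
    }


def sample_register() -> List[Scenario]:
    """Constructed register mirroring the article's two scenarios."""
    return [
        Scenario("Ransomware on financial records (weak auth, insider)",
                 asset_value=100_000_000, exposure_factor=0.5, aro=1 / 50,
                 control_cost=500_000, aro_after=1 / 500),      # MFA plus monitoring
        Scenario("Accidental exposure of non-PII marketing data",
                 asset_value=25_000, exposure_factor=0.1, aro=2.0,
                 control_cost=50_000, aro_after=0.2),            # config-check tooling
    ]


def prioritized(register: List[Scenario]) -> List[dict]:
    """Rank by ALE, largest first; the heat-map zone alone would not separate these two."""
    return sorted((cost_benefit(s) for s in register), key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for row in prioritized(sample_register()):
        print(row)
```

Running it prints the register ranked by ALE. The ransomware scenario lands in the yellow zone of the qualitative matrix (very-low likelihood, high impact) but carries an ALE two hundred times that of the marketing exposure, which is why the example sorts by ALE rather than by zone. The $500K control is justified because it removes $900K of expected annual loss (a ROSI of 0.8), while the $50K control for the marketing data removes only $4.5K and is better accepted or transferred.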

Step 8: Document results from risk assessment reports

The final step is to develop a risk assessment report to support management in deciding on budgets, policies, and procedures. The report should describe the risk, vulnerabilities, and value of each threat, along with the impact and likelihood of occurrence and control recommendations.

You can then create a risk assessment policy that defines what your organization must do periodically to monitor its security posture, how risks are addressed and mitigated, and how you will conduct subsequent risk assessment processes.

Checklist for documenting results and audit-readiness

  • Executive summary: A concise one-page overview for senior management, focusing on the top 5 critical risks and the total risk exposure (ALE).
  • Scope and methodology: Document the full list of assets (Step 2), the scope of the assessment, and the risk model used (e.g., qualitative or quantitative).
  • Findings and analysis: A complete, prioritized list of all identified risks, including the Risk score (Likelihood × Impact).
  • Remediation plan: A clear, prioritized plan for each high- and medium-risk item, assigning owners, deadlines, and required budget.
  • Control analysis: Documentation of existing controls and gaps, justifying the need for new controls (e.g., cost-benefit analysis from Step 7).

Whether you are a small business or a multinational enterprise, information risk management is at the heart of cybersecurity. These processes help establish rules and guidelines that identify threats and vulnerabilities that can cause financial and reputational damage to your business, as well as how they are mitigated.

As your security implementations improve and you address the risks discovered in assessment responses, your cybersecurity posture should also improve.


Frequently asked questions (FAQs)

What is the difference between a cyber risk assessment and a vulnerability scan?

A Vulnerability Scan is a technical, automated tool that identifies weaknesses (e.g., unpatched software) on a specific system. A Cyber Risk Assessment is a strategic, business process that determines the business impact and likelihood of those weaknesses being exploited by a threat. The scan provides data for the assessment, but the assessment provides the business context for prioritization.

How often should organizations perform cybersecurity risk assessments?

Organizations should perform risk assessments formally and thoroughly at least annually. However, the risk register and controls should be reviewed monthly, and critical assets monitored continuously for changes in their security posture. An assessment should also be triggered whenever there is a major change in the business (e.g., new product line, significant cloud migration).