Risk Assessment Methodology Skill
Purpose
This skill provides quantitative risk assessment methodology aligned with Hack23 AB's enterprise risk management framework. It enables security professionals and business leaders to systematically identify, analyze, evaluate, and treat risks using defensible statistical methods that demonstrate cybersecurity consulting expertise through measurable, data-driven risk quantification.
When to Use This Skill
Apply this skill when:
- ✅ Conducting quarterly risk assessments
- ✅ Evaluating risks for new products or services
- ✅ Calculating Annual Loss Expectancy (ALE) for control investments
- ✅ Prioritizing risk treatment based on quantitative impact
- ✅ Documenting risk acceptance decisions
- ✅ Creating risk registers for compliance frameworks
- ✅ Performing threat modeling with financial impact
- ✅ Supporting business case for security controls
- ✅ Responding to client risk assessment inquiries

Do NOT use for:
- ❌ Real-time incident response (use incident-response skill)
- ❌ Vulnerability scoring (use vulnerability-management skill)
- ❌ Code security reviews (use secure-code-review skill)
Risk Assessment Process Flow
```mermaid
flowchart TD
    START[🎯 Risk Assessment<br/>Initiation] --> IDENTIFY[📋 Risk Identification<br/>Assets • Threats • Vulnerabilities]
    IDENTIFY --> ANALYZE[🔍 Risk Analysis]
    ANALYZE --> LIKELIHOOD[📊 Likelihood Assessment<br/>Historical + Industry + Expert]
    ANALYZE --> IMPACT[💰 Impact Assessment<br/>Financial • Operational • Reputational]
    LIKELIHOOD --> CALC[🔢 Risk Score Calculation<br/>Probability × Impact × 100]
    IMPACT --> CALC
    CALC --> CATEGORY{Risk Level?}
    CATEGORY -->|400-600| CRITICAL[🔴 Critical Risk<br/>Immediate action required]
    CATEGORY -->|200-399| HIGH[🟠 High Risk<br/>Priority mitigation needed]
    CATEGORY -->|100-199| MEDIUM[🟡 Medium Risk<br/>Planned controls required]
    CATEGORY -->|50-99| LOW[🟢 Low Risk<br/>Monitor and accept]
    CATEGORY -->|1-49| MINIMAL[⚪ Minimal Risk<br/>Accept risk]
    CRITICAL --> TREAT{Treatment<br/>Decision}
    HIGH --> TREAT
    MEDIUM --> TREAT
    LOW --> ACCEPT[✅ Accept Risk<br/>Document in Risk Register]
    MINIMAL --> ACCEPT
    TREAT -->|Reduce| MITIGATE[🛡️ Implement Controls<br/>Reduce likelihood or impact]
    TREAT -->|Transfer| TRANSFER[🤝 Insurance/Outsource<br/>Share financial burden]
    TREAT -->|Avoid| AVOID[🚫 Eliminate Activity<br/>Remove risk source]
    TREAT -->|Accept| ACCEPT_HIGH[📋 Document Acceptance<br/>CEO approval required]
    MITIGATE --> RESIDUAL[📉 Residual Risk<br/>Reassessment]
    TRANSFER --> RESIDUAL
    AVOID --> RESIDUAL
    ACCEPT_HIGH --> RESIDUAL
    ACCEPT --> REGISTER[📊 Risk Register<br/>Tracking & Monitoring]
    RESIDUAL --> REGISTER
    REGISTER --> REVIEW[🔄 Periodic Review<br/>Quarterly/Annual]
    REVIEW --> START

    style START fill:#1565C0,stroke:#0D47A1,stroke-width:3px,color:#fff
    style CRITICAL fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#fff
    style HIGH fill:#FF9800,stroke:#F57C00,stroke-width:2px
    style MEDIUM fill:#FFC107,stroke:#FFA000,stroke-width:2px
    style LOW fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style MINIMAL fill:#9E9E9E,stroke:#616161,stroke-width:1px
    style REGISTER fill:#9C27B0,stroke:#7B1FA2,stroke-width:2px,color:#fff
```
Likelihood Assessment Framework
Evaluate probability using descriptive categories with quantitative ranges:

| Likelihood | Probability | Annual Frequency | ARO | Definition | Examples |
|---|---|---|---|---|---|
| Almost Certain | 80-99% | 292-361 events/year | 0.8-0.99 | Expected to occur in most circumstances | Daily operational issues, routine maintenance |
| Likely | 60-79% | 219-291 events/year | 0.6-0.79 | Will probably occur | Weekly service disruptions, staff availability issues |
| Possible | 40-59% | 146-218 events/year | 0.4-0.59 | Might occur at some time | Monthly supplier issues, seasonal variations |
| Unlikely | 20-39% | 73-145 events/year | 0.2-0.39 | Could occur but not expected | Quarterly security incidents, annual contract changes |
| Rare | 5-19% | 18-72 events/year | 0.05-0.19 | May occur only in exceptional circumstances | Multi-year events, rare external factors |
| Exceptional | <5% | <18 events/year | <0.05 | Rare, once-in-decade event | Black swan events, extreme scenarios |
Likelihood Assessment Methods
Quantitative Data (Preferred):
```python
# Historical frequency analysis
def calculate_aro(events_last_3_years, trend_factor=1.0):
    """Calculate Annual Rate of Occurrence from historical data"""
    base_aro = sum(events_last_3_years) / 3
    adjusted_aro = base_aro * trend_factor
    return min(adjusted_aro, 0.99)  # Cap at 99%

# Example: 8 incidents in 3 years, increasing trend
aro = calculate_aro([2, 3, 3], trend_factor=1.2)
# = 0.99 (Almost Certain): 8 events in 3 years is a base rate of 2.67 per year,
# 3.2 after the trend factor, so the 99% cap applies. Only a base rate below
# 1 event/year yields an uncapped value that maps onto the probability bands.
```
Qualitative Assessment (When Data Limited):
- Industry benchmarks (DBIR, ENISA Threat Landscape)
- Expert judgment from security team
- Peer comparison with similar organizations
- Threat intelligence feeds
Impact Assessment Framework
Evaluate business impact across multiple dimensions:

| Impact | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|
| Catastrophic | >€50K | Complete shutdown | International media | Criminal charges |
| Critical | €10K-50K | Major disruption | National media | Significant fines |
| High | €1K-10K | Significant degradation | Industry attention | Moderate penalties |
| Moderate | €500-1K | Partial service impact | Regional visibility | Minor warnings |
| Low | €100-500 | Minor inconvenience | Limited local impact | Verbal guidance |
| Minimal | <€100 | No significant impact | No external visibility | No implications |
Impact Score Mapping
- Catastrophic = 6
- Critical = 5
- High = 4
- Moderate = 3
- Low = 2
- Minimal = 1
Risk Score Calculation
Formula: Risk Score = Likelihood (midpoint %) × Impact Score (1-6) × 100
Calculation Examples
Example 1: Data Breach Risk
- Likelihood: Unlikely (30% midpoint)
- Impact: Critical (5)
- Risk Score: 0.30 × 5 × 100 = 150 → 🟡 Medium Risk

Example 2: DDoS Attack Risk
- Likelihood: Possible (50% midpoint)
- Impact: High (4)
- Risk Score: 0.50 × 4 × 100 = 200 → 🟠 High Risk

Example 3: Ransomware Risk
- Likelihood: Likely (70% midpoint)
- Impact: Catastrophic (6)
- Risk Score: 0.70 × 6 × 100 = 420 → 🔴 Critical Risk
Risk Level Categories
| Risk Level | Score Range | Badge | Management Response | Review Frequency |
|---|---|---|---|---|
| Critical | 400-600 | 🔴 | CEO immediate action, daily monitoring | Daily |
| High | 200-399 | 🟠 | Weekly executive review | Weekly |
| Medium | 100-199 | 🟡 | Monthly assessment | Monthly |
| Low | 50-99 | 🟢 | Quarterly monitoring | Quarterly |
| Minimal | 1-49 | ⚪ | Acceptance, periodic review | Annual |
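The scoring chain above (likelihood band, impact score, risk score, risk level) as an added, runnable example; this is editor-written code, not part of the Hack23 skill. It assumes that a financial loss exactly on a band boundary (e.g. €10K) is scored in the higher band, and the loss figures for the first two worked examples are constructed, since the page gives only their impact categories.

```python
# Likelihood bands: lower bound of the annual probability range from the table above.
LIKELIHOOD_BANDS = [(0.80, "Almost Certain"), (0.60, "Likely"), (0.40, "Possible"),
                    (0.20, "Unlikely"), (0.05, "Rare"), (0.00, "Exceptional")]

# Impact bands keyed by the financial lower bound in EUR, with the impact score.
# Assumption: a loss exactly on a boundary (€10K) is scored in the higher band.
IMPACT_BANDS = [(50_000, "Catastrophic", 6), (10_000, "Critical", 5), (1_000, "High", 4),
                (500, "Moderate", 3), (100, "Low", 2), (0, "Minimal", 1)]

# Risk level ranges and badges from the Risk Level Categories table.
RISK_LEVELS = [(400, "Critical", "🔴"), (200, "High", "🟠"), (100, "Medium", "🟡"),
               (50, "Low", "🟢"), (1, "Minimal", "⚪")]


def likelihood_category(probability: float) -> str:
    """Map an annual probability in [0, 1] to its likelihood category name."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    return next(name for lower, name in LIKELIHOOD_BANDS if probability >= lower)


def impact_score(financial_loss_eur: float) -> tuple[str, int]:
    """Map an estimated loss in EUR to (impact category, score 1-6)."""
    return next((name, score) for lower, name, score in IMPACT_BANDS
                if financial_loss_eur >= lower)


def risk_score(probability: float, impact: int) -> int:
    """Risk Score = Likelihood × Impact Score × 100, rounded to an integer because
    0.70 * 6 * 100 evaluates to slightly below 420 in binary floating point, which
    an unrounded comparison would classify as High instead of Critical."""
    if impact not in range(1, 7):
        raise ValueError(f"impact score must be 1-6, got {impact}")
    return round(probability * impact * 100)


def risk_level(score: int) -> tuple[str, str]:
    """Return (level, badge) for a score; anything below 1 is still Minimal."""
    return next(((name, badge) for lower, name, badge in RISK_LEVELS if score >= lower),
                ("Minimal", "⚪"))


def assess(probability: float, financial_loss_eur: float) -> dict:
    """Run the scoring chain for one scenario and return the register fields."""
    category, score = impact_score(financial_loss_eur)
    total = risk_score(probability, score)
    level, badge = risk_level(total)
    return {"likelihood": likelihood_category(probability), "impact": category,
            "impact_score": score, "risk_score": total, "risk_level": f"{badge} {level}"}


if __name__ == "__main__":
    # Constructed loss figures for the three worked examples (data breach, DDoS, ransomware).
    for prob, loss in [(0.30, 25_000), (0.50, 5_000), (0.70, 180_000)]:
        print(assess(prob, loss))
```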
Financial Risk Analysis
Single Loss Expectancy (SLE)
Formula: SLE = Asset Value × Exposure Factor
Asset Value Categories:

| Category | Value Range | Examples |
|---|---|---|
| Mission Critical | €100K-500K | Core infrastructure, customer data |
| High Value | €50K-100K | Business applications, intellectual property |
| Standard | €10K-50K | Supporting systems, processes |
| Low Value | €1K-10K | Documentation, utilities |

Exposure Factor Guidelines:

| Exposure | Factor | Description |
|---|---|---|
| Complete Loss | 0.8-1.0 | Total destruction (ransomware, theft) |
| Major Loss | 0.5-0.8 | Significant damage (data corruption) |
| Moderate Loss | 0.2-0.5 | Partial damage (service disruption) |
| Minor Loss | 0.1-0.2 | Limited impact (performance degradation) |
Annual Loss Expectancy (ALE)
Formula: ALE = SLE × ARO
Example Calculation:

```python
# Ransomware attack on CIA Platform
asset_value = 200000     # €200K (Mission Critical)
exposure_factor = 0.9    # 90% loss (Complete Loss)
aro = 0.7                # 70% (Likely based on industry data)

sle = asset_value * exposure_factor  # €180K
ale = sle * aro                      # €126K annually
```
Value at Risk (VaR) Framework
Formula: VaR = Impact (€) × Probability × Confidence Factor × Time Horizon
VaR Risk Categories:

| Category | VaR Range (€) | Management Action |
|---|---|---|
| Critical | >€200K | Board escalation, immediate mitigation |
| High | €50K-200K | Executive committee, quarterly review |
| Medium | €10K-50K | Risk committee, semi-annual review |
| Low | €1K-10K | Management monitoring, annual review |
| Minimal | <€1K | Acceptance, periodic review |
Risk Treatment Decision Matrix
```mermaid
graph TB
    RISK[📊 Risk Identified<br/>with Score] --> EVAL{Risk Level?}
    EVAL -->|Critical/High<br/>400-600, 200-399| HIGH_TREAT[🎯 Treatment Required]
    EVAL -->|Medium<br/>100-199| MED_TREAT[⚖️ Treatment Evaluation]
    EVAL -->|Low/Minimal<br/>1-99| LOW_TREAT[✅ Consider Acceptance]
    HIGH_TREAT --> OPTIONS1[Treatment Options]
    MED_TREAT --> OPTIONS2[Treatment Options]
    LOW_TREAT --> ACCEPT_DIRECT[Accept Risk<br/>Document in Risk Register]
    OPTIONS1 --> MITIGATE1[🛡️ Mitigate<br/>Implement controls]
    OPTIONS1 --> TRANSFER1[🤝 Transfer<br/>Insurance/Outsource]
    OPTIONS1 --> AVOID1[🚫 Avoid<br/>Eliminate activity]
    OPTIONS2 --> MITIGATE2[🛡️ Mitigate<br/>Cost-benefit analysis]
    OPTIONS2 --> ACCEPT2[📋 Accept<br/>Document rationale]
    MITIGATE1 --> COST_BENEFIT{Control Cost<br/>vs ALE?}
    TRANSFER1 --> COST_BENEFIT
    MITIGATE2 --> COST_BENEFIT
    COST_BENEFIT -->|Control < ALE| IMPLEMENT[✅ Implement Control]
    COST_BENEFIT -->|Control > ALE| ACCEPT_COST[📋 Accept Risk<br/>Document decision]
    AVOID1 --> BUSINESS{Business<br/>Impact?}
    BUSINESS -->|Acceptable| ELIMINATE[🚫 Eliminate Risk]
    BUSINESS -->|Unacceptable| FIND_ALT[🔄 Find Alternative]
    IMPLEMENT --> RESIDUAL[📉 Residual Risk<br/>Assessment]
    ACCEPT2 --> REGISTER[📊 Risk Register]
    ACCEPT_COST --> REGISTER
    ACCEPT_DIRECT --> REGISTER
    ELIMINATE --> REGISTER
    RESIDUAL --> REEVAL{Still<br/>High/Critical?}
    REEVAL -->|Yes| ADDITIONAL[Additional Controls<br/>Required]
    REEVAL -->|No| REGISTER
    ADDITIONAL --> COST_BENEFIT

    style RISK fill:#1565C0,stroke:#0D47A1,stroke-width:3px,color:#fff
    style HIGH_TREAT fill:#D32F2F,stroke:#B71C1C,stroke-width:3px,color:#fff
    style MED_TREAT fill:#FF9800,stroke:#F57C00,stroke-width:2px
    style IMPLEMENT fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#fff
    style REGISTER fill:#9C27B0,stroke:#7B1FA2,stroke-width:2px,color:#fff
```
Cost-Benefit Analysis Formula
Control Value = ALE (Before) - ALE (After) - Control Cost
```python
def control_roi(ale_before, ale_after, control_cost_annual):
    """Calculate return on investment for a security control"""
    if control_cost_annual <= 0:
        raise ValueError("control_cost_annual must be positive")
    annual_benefit = ale_before - ale_after
    net_benefit = annual_benefit - control_cost_annual
    roi_percentage = (net_benefit / control_cost_annual) * 100
    return {
        'annual_benefit': annual_benefit,
        'net_benefit': net_benefit,
        'roi_percentage': roi_percentage,
        'recommendation': 'Implement' if net_benefit > 0 else 'Reject'
    }

# Example: MFA implementation
result = control_roi(
    ale_before=126000,         # €126K ransomware risk
    ale_after=12600,           # 90% reduction
    control_cost_annual=5000   # €5K/year for MFA
)
# Result: €113.4K annual benefit, €108.4K net benefit, 2168% ROI → Implement
```
Risk Assessment Templates
Template 1: Comprehensive Risk Assessment
```markdown
# Risk Assessment: [Risk Name]

Risk ID: RSK-2025-XXX
Assessment Date: 2025-01-XX
Assessor: [Name/Role]
Status: Open/Mitigated/Accepted/Closed

## Risk Description
Brief description of the risk scenario.

## Asset Information
- Primary Asset: [Asset name]
- Asset Value: €X
- Classification: [Confidentiality/Integrity/Availability levels]

## Threat & Vulnerability
- Threat Actor: [Who/what causes the risk]
- Threat Motivation: [Why would they exploit this]
- Vulnerability: [What weakness enables exploitation]
- Attack Vector: [How the attack occurs]

## Likelihood Assessment
- Category: [Exceptional/Rare/Unlikely/Possible/Likely/Almost Certain]
- Probability: X%
- ARO: X.XX
- Evidence: [Historical data, industry benchmarks, expert judgment]

## Impact Assessment
- Financial: €X (Category: [Minimal/Low/Moderate/High/Critical/Catastrophic])
- Operational: [Description]
- Reputational: [Description]
- Regulatory: [Description]
- Impact Score: X (1-6)

## Risk Calculation
- Risk Score: [Probability × Impact × 100] = XXX
- Risk Level: 🔴/🟠/🟡/🟢/⚪ [Critical/High/Medium/Low/Minimal]

## Financial Analysis
- Asset Value: €X
- Exposure Factor: X.X
- SLE: €X
- ALE: €X

## Current Controls
- [Existing control 1]
- [Existing control 2]

## Recommended Treatment
- Strategy: Mitigate/Transfer/Avoid/Accept
- Proposed Controls: [List controls]
- Control Cost: €X annually
- Residual Risk Score: XXX → [Risk Level]
- Cost-Benefit: Net benefit €X, ROI X%
- Recommendation: Implement/Reject

## Approval
- Risk Owner: [Name/Role]
- Approval Date: 2025-XX-XX
- Review Date: 2025-XX-XX
```
Template 2: Quick Risk Matrix
| Risk ID | Description | Likelihood | Impact | Score | Level | Treatment | Owner |
|---|---|---|---|---|---|---|---|
| RSK-001 | Data breach | Unlikely (30%) | Critical (5) | 150 | 🟡 Medium | MFA implementation | CTO |
| RSK-002 | DDoS attack | Possible (50%) | High (4) | 200 | 🟠 High | CDN + WAF | CTO |
| RSK-003 | Ransomware | Likely (70%) | Catastrophic (6) | 420 | 🔴 Critical | Backup + EDR | CEO |
Integration with Classification Framework
Align risk assessments with Classification Framework:
CIA Triad Mapping
Confidentiality Impact:
- Very High (C5) → Catastrophic financial impact
- High (C4) → Critical financial impact
- Moderate (C3) → High financial impact
- Low (C2) → Moderate financial impact
- Minimal (C1) → Low financial impact

Integrity Impact:
- Critical (I5) → Catastrophic operational impact
- High (I4) → Critical operational impact
- Moderate (I3) → High operational impact
- Low (I2) → Moderate operational impact
- Minimal (I1) → Low operational impact

Availability Impact:
- Mission Critical (A5) → Catastrophic business impact
- High (A4) → Critical business impact
- Moderate (A3) → High business impact
- Low (A2) → Moderate business impact
- Minimal (A1) → Low business impact
Practical Examples
Example 1: CIA Platform Ransomware Risk
Risk Assessment:

```yaml
risk_id: "RSK-2025-001"
risk_name: "Ransomware attack on CIA Platform"
asset: "CIA Platform (Production)"
asset_value: 200000  # €200K

likelihood:
  category: "Likely"
  probability: 0.70
  aro: 0.70
  evidence: "Industry data (DBIR 2024), phishing susceptibility"

impact:
  financial: 180000  # €180K recovery costs
  operational: "72-hour downtime"
  reputational: "National media coverage"
  regulatory: "GDPR breach notification required"
  category: "Catastrophic"
  score: 6

risk_score: 420  # 0.70 × 6 × 100
risk_level: "Critical"

financial_analysis:
  sle: 180000  # €200K × 0.9
  ale: 126000  # €180K × 0.70

current_controls:
  - "Firewall"
  - "Antivirus"
  - "User awareness training"

proposed_treatment:
  strategy: "Mitigate"
  controls:
    - "Multi-factor authentication (MFA)"
    - "Endpoint detection and response (EDR)"
    - "Immutable backups (3-2-1 rule)"
    - "Email security gateway"
  control_cost_annual: 15000  # €15K
  residual_likelihood: 0.07   # 90% reduction
  residual_risk_score: 42     # 0.07 × 6 × 100
  residual_risk_level: "Minimal"

cost_benefit:
  ale_reduction: 113400  # €126K - €12.6K
  net_benefit: 98400     # €113.4K - €15K
  roi: 656               # 656% ROI
  recommendation: "IMPLEMENT IMMEDIATELY"

approval:
  risk_owner: "CEO"
  approval_date: "2025-01-25"
  next_review: "2025-04-25"
```
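Register entries like the one above carry several derived figures (risk score, SLE, ALE, residual score, ROI) that are easy to get out of step with their inputs. The checker below is an added example, not part of the Hack23 skill or ISMS: it recomputes each derived figure from the entry's inputs using the formulas of this methodology and reports any disagreement. It assumes the entry is loaded into a dict (the YAML above, transcribed by hand here so the example needs no PyYAML), that the exposure factor is supplied separately since the record states it only in the `sle` comment, and that controls reduce likelihood rather than impact, as Example 1 does.

```python
import math

# Example 1 above, transcribed into the dict that yaml.safe_load would return,
# limited to the fields the checker needs.
RSK_2025_001 = {
    "asset_value": 200000,
    "likelihood": {"probability": 0.70, "aro": 0.70},
    "impact": {"score": 6},
    "risk_score": 420,
    "financial_analysis": {"sle": 180000, "ale": 126000},
    "proposed_treatment": {"control_cost_annual": 15000,
                           "residual_likelihood": 0.07, "residual_risk_score": 42},
    "cost_benefit": {"ale_reduction": 113400, "net_benefit": 98400, "roi": 656},
}
EXPOSURE_FACTOR_001 = 0.9  # stated only in the sle comment of Example 1 (€200K × 0.9)


def _mismatch(findings, field, recorded, expected, tol=0.5):
    """Register figures are rounded to whole euros / percent; allow half a unit."""
    if not math.isclose(recorded, expected, abs_tol=tol):
        findings.append(f"{field}: recorded {recorded}, formula gives {expected:.2f}")


def check_register_entry(r: dict, exposure_factor: float) -> list[str]:
    """Recompute every derived figure of a register entry from its inputs and report
    the ones that disagree; an empty list means the entry is internally consistent."""
    findings: list[str] = []
    prob, score = r["likelihood"]["probability"], r["impact"]["score"]
    _mismatch(findings, "risk_score", r["risk_score"], round(prob * score * 100))
    sle = r["asset_value"] * exposure_factor
    ale = sle * r["likelihood"]["aro"]
    _mismatch(findings, "sle", r["financial_analysis"]["sle"], sle)
    _mismatch(findings, "ale", r["financial_analysis"]["ale"], ale)
    if "proposed_treatment" not in r:  # accepted risks carry no treatment figures
        return findings
    tr, cb = r["proposed_treatment"], r["cost_benefit"]
    residual_prob = tr["residual_likelihood"]
    _mismatch(findings, "residual_risk_score", tr["residual_risk_score"],
              round(residual_prob * score * 100))
    # Assumption: the controls reduce likelihood only, so residual ALE scales with it.
    reduction = ale - ale * residual_prob / prob
    net = reduction - tr["control_cost_annual"]
    _mismatch(findings, "ale_reduction", cb["ale_reduction"], reduction)
    _mismatch(findings, "net_benefit", cb["net_benefit"], net)
    _mismatch(findings, "roi", cb["roi"], net / tr["control_cost_annual"] * 100)
    return findings


if __name__ == "__main__":
    for line in check_register_entry(RSK_2025_001, EXPOSURE_FACTOR_001) or ["consistent"]:
        print(line)
```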
Example 2: Black Trigram No Authentication Risk
Risk Assessment:

```yaml
risk_id: "RSK-2025-015"
risk_name: "No authentication system risk"
asset: "Black Trigram Gaming Platform"
asset_value: 10000  # €10K

likelihood:
  category: "Rare"
  probability: 0.12
  aro: 0.12
  evidence: "No user accounts, public content only"

impact:
  financial: 500  # €500 reputation recovery
  operational: "Minimal—frontend only"
  reputational: "Limited local impact"
  regulatory: "None—no personal data"
  category: "Low"
  score: 2

risk_score: 24  # 0.12 × 2 × 100
risk_level: "Minimal"

financial_analysis:
  sle: 5000  # €10K × 0.5 (moderate exposure)
  ale: 600   # €5K × 0.12

treatment:
  strategy: "Accept"
  rationale: "Low confidentiality classification. All content is public educational material. No user-specific operations."
  controls_considered:
    - "Authentication system: €8K/year"
    - "Cost-benefit: Negative ROI (€7.4K loss)"
  residual_risk: "Same as inherent risk"

risk_acceptance:
  documented_in: "Risk_Register.md"
  approved_by: "CEO"
  review_frequency: "Annual"
  trigger_conditions:
    - "Introduction of user accounts"
    - "Processing of personal data"
    - "User-generated content features"
```
Compliance Mapping
| Risk Assessment Component | ISO 27005 | NIST RMF | CIS Controls v8 |
|---|---|---|---|
| Risk identification | Clause 8.2 | Categorize | 4.1 Asset Management |
| Likelihood assessment | Annex C | Assess | 4.1 Risk Assessment |
| Impact assessment | Annex C | Assess | 4.2 Risk Analysis |
| Risk calculation | Clause 8.3 | Assess | 4.2 Risk Analysis |
| Risk treatment | Clause 8.4 | Select + Implement | 4.3 Risk Response |
| Risk acceptance | Clause 8.4.4 | Authorize | 4.4 Risk Approval |
| Monitoring & review | Clause 9 | Monitor | 4.5 Risk Monitoring |
Standards & Policy References
Core Hack23 ISMS Policies:
- Risk Assessment Methodology - Quantitative framework
- Risk Register - Live risk tracking
- Classification Framework - Impact assessment
- Asset Register - Asset valuation
- Threat Modeling - Threat identification
All Hack23 ISMS Policies: https://github.com/Hack23/ISMS-PUBLIC