Risk assessment identifies what can go wrong and how bad it would be. Prioritize protection based on risk.
Risk = Threat x Vulnerability x Impact
Threat: Who might attack? Script kiddies, nation states, insiders.
Vulnerability: Unpatched software, misconfigured systems, untrained users.
Impact: Financial loss, reputation damage, regulatory fines.
Assessment steps:
Identify assets
Identify threats
Identify vulnerabilities
Estimate likelihood and impact
Prioritize controls
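An added example, not part of the original note: a small Python risk register that records the identified assets, threats and vulnerabilities, scores each with Risk = Threat x Vulnerability x Impact on an assumed 1..5 rating scale, and ranks them so controls go to the highest-scoring risks first. The assets, ratings and tolerance threshold are constructed sample values.

```python
# Added example (not from the original note): a minimal risk register that
# walks the assessment steps above and scores Risk = Threat x Vulnerability x Impact.
# All assets, ratings and the tolerance threshold are constructed sample data.
from dataclasses import dataclass

# Qualitative ratings mapped to a 1..5 scale (assumed scale, not from the note).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Risk:
    asset: str          # step 1: the thing worth protecting
    threat: str         # step 2: who might attack it
    vulnerability: str  # step 3: the weakness they could use
    threat_level: str   # step 4: likelihood the threat actually acts
    vuln_level: str     # step 4: how exposed the weakness is
    impact_level: str   # step 4: consequence if the attack succeeds

    def score(self) -> int:
        """Risk = Threat x Vulnerability x Impact on the 1..5 scale (max 125)."""
        return (SCALE[self.threat_level]
                * SCALE[self.vuln_level]
                * SCALE[self.impact_level])


def prioritize(risks, tolerance: int):
    """Step 5: rank highest risk first; flag those above the risk tolerance."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r, r.score(), r.score() > tolerance) for r in ranked]


# Constructed register: three assets with one identified threat/vulnerability each.
REGISTER = [
    Risk("customer database", "external criminal group", "unpatched SQL server",
         "high", "high", "very high"),
    Risk("marketing website", "script kiddie", "outdated CMS plugin",
         "very high", "medium", "low"),
    Risk("payroll system", "insider", "shared admin password",
         "low", "high", "high"),
]

if __name__ == "__main__":
    # The most likely attacker (script kiddie) is not the top priority:
    # low impact pulls the website below the payroll insider risk.
    for r, s, flag in prioritize(REGISTER, tolerance=30):
        print(f"{s:>3}  {r.asset:<18} {'control now' if flag else 'accept/monitor'}")
```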