Detection, Response & GRC
Risk Assessment
Risk assessment skills demonstrate strategic thinking in security interviews. This lesson covers methodologies, frameworks, and practical application.
Risk Fundamentals
The Risk Equation
RISK = THREAT × VULNERABILITY × IMPACT
Where:
• Threat: Who/what could exploit a vulnerability
• Vulnerability: Weakness that could be exploited
• Impact: Consequence if exploitation succeeds
Risk vs Vulnerability vs Threat
| Concept | Definition | Example |
|---|---|---|
| Threat | Potential source of harm | Nation-state actors, ransomware gangs |
| Vulnerability | Weakness that can be exploited | Unpatched software, misconfigurations |
| Risk | Likelihood × Impact | SQL injection in customer database |
Quantitative vs Qualitative Risk Assessment
Qualitative Assessment
| Likelihood | Impact | Risk Level |
|---|---|---|
| High | High | Critical |
| High | Medium | High |
| Medium | High | High |
| Medium | Medium | Medium |
| Low | Medium | Low |
| Low | Low | Low |
Quantitative Assessment (FAIR)
Factor Analysis of Information Risk (FAIR):
ANNUAL LOSS EXPECTANCY (ALE) = SLE × ARO
Where:
• SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
• ARO (Annual Rate of Occurrence) = Expected frequency per year
Example:
• Asset Value: $1,000,000 database
• Exposure Factor: 50% (half of data exposed)
• SLE: $500,000
• ARO: 0.1 (once every 10 years)
• ALE: $50,000/year
This justifies spending up to $50,000/year on controls.
Risk Assessment Methodology
Step-by-Step Process
1. ASSET IDENTIFICATION
   ├── What do we need to protect?
   └── Crown jewels, critical systems, data
2. THREAT IDENTIFICATION
   ├── Who might attack?
   └── What are their motivations/capabilities?
3. VULNERABILITY ASSESSMENT
   ├── What weaknesses exist?
   └── Technical, process, human
4. IMPACT ANALYSIS
   ├── What happens if compromised?
   └── Financial, reputational, operational
5. RISK CALCULATION
   ├── Combine likelihood and impact
   └── Prioritize by risk level
6. CONTROL RECOMMENDATIONS
   ├── What can reduce risk?
   └── Cost-benefit analysis
Interview Question
Q: "How would you assess the risk of a new third-party integration?"
Structured Answer:
1. UNDERSTAND THE INTEGRATION
• What data will they access?
• What systems will they connect to?
• What permissions are required?
2. ASSESS THE VENDOR
• Do they have SOC 2 Type 2?
• What's their security posture?
• History of breaches?
3. EVALUATE TECHNICAL RISKS
• API security (authentication, rate limiting)
• Data encryption in transit and at rest
• Network segmentation
4. ASSESS DATA RISKS
• Data classification of shared info
• Compliance implications (GDPR, HIPAA)
• Data retention and deletion
5. DETERMINE BUSINESS IMPACT
• What if the vendor is breached?
• What if integration fails?
• Dependency and business continuity
6. RECOMMEND CONTROLS
• Least privilege access
• Monitoring and alerting
• Contractual security requirements
• Exit strategy
Risk Treatment Options
The Four T's
| Option | Description | When to Use |
|---|---|---|
| Treat | Implement controls to reduce risk | Risk exceeds tolerance, controls cost-effective |
| Tolerate | Accept the risk | Risk within tolerance, controls too expensive |
| Transfer | Share risk with third party | Insurance, outsourcing |
| Terminate | Eliminate the activity causing risk | Risk too high, no effective controls |
Control Selection
```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    implementation_cost: float  # one-time cost
    annual_maintenance: float   # recurring cost per year

@dataclass
class Risk:
    name: str
    ale_before: float  # annual loss expectancy without the control
    ale_after: float   # annual loss expectancy with the control in place

# Simplified control cost-benefit analysis: first-year cost (implementation
# plus one year of maintenance) against one year of ALE reduction
def evaluate_control(control, risk):
    control_cost = control.implementation_cost + control.annual_maintenance
    risk_reduction = risk.ale_before - risk.ale_after
    roi = (risk_reduction - control_cost) / control_cost * 100
    if roi > 0:
        return f"Recommended: {roi:.0f}% ROI"
    return "Not recommended: Negative ROI"

# Example
control = Control(
    name="WAF Implementation",
    implementation_cost=50000,
    annual_maintenance=20000
)
risk = Risk(
    name="SQL Injection",
    ale_before=150000,  # $150K annual loss without control
    ale_after=15000     # $15K with control (90% reduction)
)
# ROI = (135000 - 70000) / 70000 = 92.8%
print(evaluate_control(control, risk))
```
Risk Registers
Structure
```yaml
risk_register:
  - id: RISK-001
    name: "Credential Stuffing Attack"
    category: "Application Security"
    description: "Attackers use leaked credentials to access accounts"
    assessment:
      inherent_likelihood: High
      inherent_impact: High
      inherent_risk: Critical
    current_controls:
      - "Rate limiting on login endpoint"
      - "Account lockout after 5 failures"
    residual_assessment:
      residual_likelihood: Medium
      residual_impact: High
      residual_risk: High
    recommended_controls:
      - control: "Implement passwordless authentication"
        cost: "$100,000"
        risk_reduction: "High → Low"
    owner: "Security Engineering"
    review_date: "2026-03-01"
    status: "Open"
```
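A register is only useful if its stated levels agree with the qualitative matrix and its reviews actually happen. The following is an added example (not code from the original lesson) that checks register entries, structured like the one above, against the likelihood × impact matrix from the Qualitative Assessment section, flags residual risk above a tolerance, and lists overdue reviews. The three matrix cells the lesson does not list (High/Low, Medium/Low, Low/High), the `tolerance` parameter and the RISK-002 entry are assumptions constructed for the example.

```python
from datetime import date

# Matrix from the lesson; the three cells it does not list (High/Low,
# Medium/Low, Low/High) are filled in here as an assumption.
RISK_MATRIX = {
    ("High", "High"): "Critical", ("High", "Medium"): "High",
    ("Medium", "High"): "High", ("Medium", "Medium"): "Medium",
    ("Low", "Medium"): "Low", ("Low", "Low"): "Low",
    ("High", "Low"): "Medium", ("Medium", "Low"): "Low", ("Low", "High"): "Medium",  # assumed
}
LEVEL_ORDER = ["Low", "Medium", "High", "Critical"]

def rate(likelihood, impact):
    """Qualitative risk level for a (likelihood, impact) pair."""
    if (likelihood, impact) not in RISK_MATRIX:
        raise ValueError(f"unknown rating pair {likelihood!r}/{impact!r}")
    return RISK_MATRIX[(likelihood, impact)]

def review_register(entries, today, tolerance="Medium"):
    """Return (risk id, problem) tuples: stated levels that disagree with the
    matrix, residual risk above tolerance, and overdue reviews on open risks."""
    findings = []
    for e in entries:
        a, r = e["assessment"], e["residual_assessment"]
        inherent = rate(a["inherent_likelihood"], a["inherent_impact"])
        if inherent != a["inherent_risk"]:
            findings.append((e["id"], f"inherent_risk should be {inherent}"))
        residual = rate(r["residual_likelihood"], r["residual_impact"])
        if residual != r["residual_risk"]:
            findings.append((e["id"], f"residual_risk should be {residual}"))
        if LEVEL_ORDER.index(residual) > LEVEL_ORDER.index(tolerance):
            findings.append((e["id"], f"residual {residual} exceeds tolerance {tolerance}"))
        if e["status"] != "Closed" and date.fromisoformat(e["review_date"]) < today:
            findings.append((e["id"], "review overdue"))
    return findings

# Constructed entries mirroring the register structure above; RISK-002 is
# deliberately inconsistent (stated inherent risk disagrees with the matrix).
REGISTER = [
    {"id": "RISK-001", "status": "Open", "review_date": "2026-03-01",
     "assessment": {"inherent_likelihood": "High", "inherent_impact": "High", "inherent_risk": "Critical"},
     "residual_assessment": {"residual_likelihood": "Medium", "residual_impact": "High", "residual_risk": "High"}},
    {"id": "RISK-002", "status": "Open", "review_date": "2025-01-15",
     "assessment": {"inherent_likelihood": "Medium", "inherent_impact": "Medium", "inherent_risk": "High"},
     "residual_assessment": {"residual_likelihood": "Low", "residual_impact": "Medium", "residual_risk": "Low"}},
]

print(review_register(REGISTER, date(2025, 6, 1)))
```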
Risk Communication
Presenting to Leadership
EXECUTIVE SUMMARY FORMAT:
1. TOP RISKS (3-5)
• Business impact in dollars
• Likelihood in understandable terms
• What we're doing about it
2. RISK TRENDS
• What's improving
• What's getting worse
• New risks emerging
3. RESOURCE REQUESTS
• What we need
• Why we need it
• Expected risk reduction
4. KEY METRICS
• Vulnerability counts by severity
• Time to remediate
• Security incidents this quarter
Interview Question
Q: "How do you explain security risk to non-technical executives?"
Answer:
USE BUSINESS LANGUAGE:
• "Risk" not "vulnerability"
• "Financial impact" not "CVE score"
• "Likelihood" not "attack vector"
USE ANALOGIES:
• "This is like leaving the office unlocked at night"
• "Insurance against a specific type of theft"
QUANTIFY WHEN POSSIBLE:
• "A breach of this type costs similar companies $X"
• "Reducing this risk would cost $Y annually"
• "ROI of 300% over three years"
PROVIDE OPTIONS:
• "We can reduce this risk by 80% for $X"
• "Or we can accept the risk with these conditions"
Risk-Based Prioritization
Vulnerability Prioritization Framework
Priority Score = (CVSS × Asset Criticality × Exploitability) / Compensating Controls
Where:
• CVSS: 0-10 base score
• Asset Criticality: 1-5 (crown jewel = 5)
• Exploitability: 1-3 (in wild = 3, PoC = 2, theoretical = 1)
• Compensating Controls: 1-3 (strong = 3, weak = 1)
Example:
CVE-2024-XXXX on production database server
• CVSS: 9.8
• Asset Criticality: 5 (contains customer data)
• Exploitability: 3 (active exploitation)
• Compensating Controls: 1 (no network segmentation)
Priority = (9.8 × 5 × 3) / 1 = 147 → CRITICAL
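To show the formula applied across several findings rather than one, here is an added example (not the lesson's own code) that maps the exploitability and compensating-control labels to the scales above, scores each finding, and ranks them. The constructed findings, their placeholder CVE ids, the "moderate" = 2 compensating-control value and the 100-point CRITICAL threshold are assumptions; the lesson gives only the single 147 → CRITICAL data point.

```python
# Priority = (CVSS × Asset Criticality × Exploitability) / Compensating Controls
EXPLOITABILITY = {"theoretical": 1, "poc": 2, "in_wild": 3}
COMPENSATING = {"weak": 1, "moderate": 2, "strong": 3}  # "moderate" = 2 is an assumption
CRITICAL_THRESHOLD = 100.0  # assumption; the lesson only states 147 -> CRITICAL

def priority_score(cvss, asset_criticality, exploitability, compensating):
    """Score one finding on the lesson's scale, validating the input ranges."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be 0-10")
    if asset_criticality not in range(1, 6):
        raise ValueError("asset criticality must be 1-5")
    numerator = cvss * asset_criticality * EXPLOITABILITY[exploitability]
    return numerator / COMPENSATING[compensating]

def rank_findings(findings):
    """Return (id, score, label) tuples sorted highest-priority first."""
    scored = []
    for f in findings:
        score = priority_score(f["cvss"], f["asset_criticality"],
                               f["exploitability"], f["compensating"])
        label = "CRITICAL" if score >= CRITICAL_THRESHOLD else "REVIEW"
        scored.append((f["id"], score, label))
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed findings; the first mirrors the worked example above
FINDINGS = [
    {"id": "CVE-XXXX-AAAA prod db", "cvss": 9.8, "asset_criticality": 5,
     "exploitability": "in_wild", "compensating": "weak"},
    {"id": "CVE-XXXX-BBBB internal wiki", "cvss": 9.8, "asset_criticality": 2,
     "exploitability": "poc", "compensating": "strong"},
    {"id": "CVE-XXXX-CCCC payment api", "cvss": 7.5, "asset_criticality": 5,
     "exploitability": "in_wild", "compensating": "moderate"},
]

for item in rank_findings(FINDINGS):
    print(item)
```

Note that the same CVSS 9.8 lands at 147 on a crown-jewel host and at about 13 on a low-value, well-segmented one, which is the point of scoring beyond the raw CVSS value.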
Interview Tip: When discussing risk, always tie it back to business impact. Show that you understand security exists to enable business objectives, not just to prevent bad things.
In the next module, we'll cover behavioral questions and salary negotiation.