Understanding Cyber Risk
The Questions That Matter
A strong cybersecurity risk assessment helps teams understand what truly matters, where real risks exist, and how to prioritise action. It provides clarity around assets, threats, and business impact, enabling practical and informed security decisions.
Because the number of possible security controls and solutions is effectively endless, risk assessment helps organisations focus on the controls that are most relevant and applicable, and that deliver the greatest return on investment.
When done well, a risk assessment highlights what needs attention now, what should be tackled next, and what can wait—so security work is planned and prioritised instead of being driven by the latest issue or the loudest request.
The questions below outline the key areas a good risk assessment should address

- What do we need to protect?
  Information, systems, infrastructure, applications, people, and services that the organisation relies on to operate and deliver value.

- Which of these are most critical to the business?
  Assets whose loss or compromise would significantly impact safety, regulatory compliance, revenue, reputation, or day-to-day operations.

- What could realistically go wrong?
  Events or threat scenarios that could reasonably affect these assets, such as cyberattacks, insider activity, system failures, third-party incidents, or environmental disruptions.

- Where are we exposed today?
  Weaknesses in technology, configuration, processes, governance, or human capability that could be exploited or lead to failure.

- How could those threats exploit our weaknesses?
  Ways in which identified threats could take advantage of existing weaknesses to disrupt systems, compromise data, or impact business operations.

- What would be the impact on the business?
  The potential consequences if a risk materialises, including financial loss, operational disruption, safety impacts, legal or regulatory penalties, and reputational damage.

- How likely are these risks to occur or materialise?
  The probability of a risk occurring based on exposure, threat activity, past incidents, and how effective current controls are.

- What protections are already in place?
  Existing preventive, detective, and corrective controls that reduce the likelihood or impact of risks across people, process, and technology.

- What needs to change to reduce risk?
  Additional actions or controls required to lower risk to an acceptable level, such as mitigation, transfer, avoidance, or formal acceptance.

- Which risks should we deal with first?
  Risks that pose the greatest threat to the organisation based on risk level, business criticality, and strategic priorities.

- What obligations must we meet?
  Legal, regulatory, and contractual requirements that influence how risks must be managed and prioritised.

- What level of risk are we prepared to accept?
  The amount of risk the organisation is willing to tolerate before treatment or escalation is required.

- How will risks be tracked and reviewed over time?
  How risks and controls will be monitored, reviewed, and communicated to ensure they remain current and effective.