The SEC’s cybersecurity disclosure rules, which require public companies to report on their risk management programs, have left companies questioning how risk assessments fit into those programs.
Many organizations perform cyber assessments by:
- Leveraging a proven controls framework
- Analyzing implemented controls against the framework
- Identifying gaps
- Documenting gap-related risks in a risk register
Unfortunately, this process omits several key cybersecurity risk factors and is more correctly termed a cybersecurity controls assessment.
In contrast, a cybersecurity risk assessment considers an organization’s:
- Inherent cybersecurity risk profile
- Risk tolerance levels or risk appetite
- Common cybersecurity risks
- Controls in place to mitigate cybersecurity risk
- Residual cybersecurity risk after treatment
This assessment approach helps organizations with small IT teams, or with no dedicated IT or security team at all, manage their security program by prioritizing cybersecurity risks rather than simply cataloguing control gaps.
Below is an in-depth look at key elements of the cybersecurity risk assessment methodology that can help your team create a customized security program that meets the organization’s inherent cybersecurity risk profile and better protects digital assets.
Cybersecurity risk profile
A cybersecurity risk profile provides an understanding of the organization’s operational environment and its attractiveness to threat actors. Questions to ask that help determine risk profile include:
- What kind of data and resources are used? How much does the organization manage? Is financial data involved? If so, how much? Is healthcare data involved? If so, how much?
- Is data being held for customers? Is it confidential? Are there contractual or regulatory obligations to provide certain protections?
- What’s the organization’s public profile? Is it a well-known name? Is the organization easily found online?