How do you conduct a risk assessment?
Short answer
A risk assessment identifies assets and their value, the threats and vulnerabilities that could affect them, then estimates risk as a function of likelihood and impact. You can do it qualitatively (high/medium/low, fast and subjective) or quantitatively (SLE × ARO = ALE, data-driven but harder). Frameworks like NIST RMF and ISO 27005 give it structure, and the output feeds risk treatment: mitigate, transfer, avoid, or accept.
Risk assessment is the engine of a security program: it decides where finite budget goes. Interviewers — especially at senior and leadership levels — ask about it to confirm you can reason about risk in terms the business understands, not just technical severity.
The process
- Establish context and scope. What system, business unit, or process are you assessing, and against what risk tolerance?
- Identify assets. Catalog what matters — data, systems, people, processes — and their value to the business.
- Identify threats and vulnerabilities. Pair plausible threat sources (criminals, insiders, nature) with the weaknesses they could exploit.
- Analyze risk. Estimate likelihood and impact for each threat/vulnerability pair to derive a risk level.
- Evaluate and treat. Compare risk against tolerance and choose a treatment for each item.
Qualitative vs quantitative
Qualitative analysis rates risk on scales — high/medium/low or a 1–5 matrix. It is fast, communicates well to non-technical stakeholders, but is subjective. Quantitative analysis puts money on it: Single Loss Expectancy × Annualized Rate of Occurrence = Annualized Loss Expectancy (SLE × ARO = ALE). ALE lets you justify a control by comparing it to the loss it prevents, but it depends on data that is often hard to source. Mature programs blend both — qualitative to triage, quantitative for the top risks and big spending decisions.
Frameworks
NIST RMF (SP 800-37) wraps assessment in a full lifecycle — categorize, select, implement, assess, authorize, monitor. ISO 27005 provides the information-security risk-management process within an ISO 27001 ISMS. Both impose repeatability and auditability.
Risk treatment
The assessment feeds a decision per risk: mitigate (add controls), transfer (insurance, outsourcing), avoid (stop the activity), or accept (formally sign off on residual risk). Acceptance must be a documented business decision, not a default.
What interviewers look for
They want likelihood-times-impact thinking, fluency with SLE/ARO/ALE, knowing when qualitative beats quantitative, a recognized framework, and the four treatment options with risk acceptance as an explicit, owned decision.
Likely follow-ups
- What's the difference between qualitative and quantitative risk analysis, and when do you use each?
- Define SLE, ARO, and ALE and how they relate.
- What are the four risk treatment options after assessment?