Skip to content

How do you conduct a risk assessment?

Short answer

A risk assessment identifies assets and their value, the threats and vulnerabilities that could affect them, then estimates risk as a function of likelihood and impact. You can do it qualitatively (high/medium/low, fast and subjective) or quantitatively (SLE × ARO = ALE, data-driven but harder). Frameworks like NIST RMF and ISO 27005 give it structure, and the output feeds risk treatment: mitigate, transfer, avoid, or accept.

Risk assessment is the engine of a security program: it decides where finite budget goes. Interviewers — especially at senior and leadership levels — ask about it to confirm you can reason about risk in terms the business understands, not just technical severity.

The process

  1. Establish context and scope. What system, business unit, or process are you assessing, and against what risk tolerance?
  2. Identify assets. Catalog what matters — data, systems, people, processes — and their value to the business.
  3. Identify threats and vulnerabilities. Pair plausible threat sources (criminals, insiders, nature) with the weaknesses they could exploit.
  4. Analyze risk. Estimate likelihood and impact for each threat/vulnerability pair to derive a risk level.
  5. Evaluate and treat. Compare risk against tolerance and choose a treatment for each item.

Qualitative vs quantitative

Qualitative analysis rates risk on scales — high/medium/low or a 1–5 matrix. It is fast, communicates well to non-technical stakeholders, but is subjective. Quantitative analysis puts money on it: Single Loss Expectancy × Annualized Rate of Occurrence = Annualized Loss Expectancy (SLE × ARO = ALE). ALE lets you justify a control by comparing it to the loss it prevents, but it depends on data that is often hard to source. Mature programs blend both — qualitative to triage, quantitative for the top risks and big spending decisions.

Frameworks

NIST RMF (SP 800-37) wraps assessment in a full lifecycle — categorize, select, implement, assess, authorize, monitor. ISO 27005 provides the information-security risk-management process within an ISO 27001 ISMS. Both impose repeatability and auditability.

Risk treatment

The assessment feeds a decision per risk: mitigate (add controls), transfer (insurance, outsourcing), avoid (stop the activity), or accept (formally sign off on residual risk). Acceptance must be a documented business decision, not a default.

What interviewers look for

They want likelihood-times-impact thinking, fluency with SLE/ARO/ALE, knowing when qualitative beats quantitative, a recognized framework, and the four treatment options with risk acceptance as an explicit, owned decision.

Likely follow-ups

  • What's the difference between qualitative and quantitative risk analysis, and when do you use each?
  • Define SLE, ARO, and ALE and how they relate.
  • What are the four risk treatment options after assessment?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.