Cybersecurity matters to companies, from big corporations to small businesses and everyone in between. Data breaches, ransomware, phishing schemes, and more can wreak havoc on a company’s success. And cybersecurity risks are on the rise. The FBI’s Internet Crime Complaint Center (IC3) received almost three times as many cybercrime complaints in 2021 as it did just five years earlier, in 2017 (from 301,580 to 847,367).

But it’s not all doom and gloom. As hackers and cyber criminals get more advanced, so do the methods of protecting your business from an attack. Conducting a cybersecurity risk assessment is the first step in ensuring you’re covered. Knowing where you stand and which areas are your biggest weaknesses allows you to prioritize the most important changes to keep your business safe.

In this article, we’ll address:

  • The basics of cyber risk assessment methodology

  • The 5 main types of risk assessment methodologies most common for businesses

  • Some helpful risk assessment methodology example cases

  • How a cybersecurity risk assessment framework can be important for compliance in certain industries

What Is a Risk Assessment Methodology?

Risk assessment in general entails judging the possible risks inherent in a project. More specifically, a risk assessment methodology is the systematic way in which you carry out this evaluation. In cybersecurity, this means the system that’s in place for looking at how your company interacts with the internet and the threats inherent in that interaction from cybercrime.

To create a strategic methodology for risk assessment, you need to have a firm idea of what the risks in cybersecurity are. A handy way to think about risks is with the formula: risk = threat + vulnerability. Let’s break this down a little more.

Threats are the things out there online that can harm your business. They can be thought of in two main categories:

  1. Intentional threats, including things like hackers, phishing, malware, and ransomware.

  2. Unintentional threats, which are almost universally caused by human error. This includes things like employees creating weak passwords, forgetting to update antivirus software or falling prey to a phishing attempt.

Vulnerabilities are the areas of weakness in your company’s IT. They are the gaps in a business's software, hardware, or internal processes that could allow a threat to get in. If there were no chinks in the armor, even the strongest threat wouldn’t have a chance to penetrate. At the same time, if there were no external threats, weak points wouldn’t cause a problem because there would be nothing to defend against. Risk is the way these two elements come together to create the potential for harm to your business assets.

Now that we've explained what a risk assessment is, let's discuss the methodology for implementation. For a business to create its risk assessment methodology, it will need to establish a set of practices for systematically identifying threats to its assets and weaknesses in its security that together create potential risk. To be effective, this methodology should be baked into business operations so that it can be applied consistently and keep up with changing risk.

What Are the Five Security Risk Methodologies?

There are several methodological options for risk assessment; the five most common are:

  1. Qualitative

  2. Quantitative

  3. Threat-based

  4. Vulnerability-based

  5. Asset-based


Each method uses a different approach or priority for determining which risks are most pressing. It is not possible to address every risk: treating all of them would take more time and resources than a business can spare while continuing to operate. Instead, these risk assessment methodologies aim to help systematically identify the most likely or most damaging risks, so that managing those biggest threats can be prioritized. This means that each methodology involves tradeoffs: known risks that are not prioritized because they are deemed less likely or less costly.

Qualitative Risk Assessment Methodology

Qualitative assessments use your staff’s subjective impressions of how well they could do their jobs if specific parts of the IT infrastructure were to go offline due to a cybersecurity breach. Assessors design questions to avoid bias as much as possible. They then use the answers to rank risks based on how impactful the breaches would be. Each risk is then given a score of high, medium, or low based on these findings.

Quantitative Risk Assessment Methodology

Quantitative assessments rely on calculating monetary values for business assets and the risks that may jeopardize them. This methodology has the benefit of being easy to present and clearly relevant to the finances of a company, making it appealing for presentations to key stakeholders. However, it can be very challenging to calculate exact dollar values for each variable, and the process often involves a fair amount of subjectivity, even as it strives for objectivity.
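To make the difference between the qualitative and quantitative approaches concrete, here is a small risk register scored both ways. This is an added example, not code from the article or from Trava: the asset names, dollar values, loss fractions and incident frequencies are constructed for the hypothetical SaaS marketing business, the likelihood and impact scales are a common convention rather than a prescribed standard, and the expected-loss formula (asset value × loss fraction × incidents per year) is an assumption the article does not spell out. The point to notice is that the two methods rank the same register differently, which is exactly the tradeoff described above.

```python
"""Risk register scored qualitatively (high/medium/low) and quantitatively
(expected annual loss in dollars).

Constructed example for a hypothetical SaaS marketing business. Every asset,
threat, value and frequency below is an assumption, not real data.
"""
from dataclasses import dataclass

# Qualitative scales: ordinal scores an assessor assigns from staff interviews.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # key into LIKELIHOOD (qualitative input)
    impact: str                # key into IMPACT (qualitative input)
    asset_value: float         # dollars at stake (quantitative input, constructed)
    loss_fraction: float       # share of asset value lost per incident (assumption)
    incidents_per_year: float  # expected incident frequency (assumption)


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on a 1..9 scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def qualitative_rating(risk: Risk) -> str:
    """Bucket the score into the high/medium/low labels used in the article."""
    score = qualitative_score(risk)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annual_loss_expectancy(risk: Risk) -> float:
    """Dollar loss per incident times expected incidents per year (assumed formula)."""
    return risk.asset_value * risk.loss_fraction * risk.incidents_per_year


def prioritize_qualitative(register):
    """Highest likelihood x impact first."""
    return sorted(register, key=qualitative_score, reverse=True)


def prioritize_quantitative(register):
    """Largest expected annual loss first."""
    return sorted(register, key=annual_loss_expectancy, reverse=True)


# Constructed register for the hypothetical business (all values are assumptions).
REGISTER = [
    Risk("customer database (cloud)", "ransomware", "under-protected cloud storage",
         "possible", "severe", 500_000, 0.6, 0.2),
    Risk("staff email accounts", "phishing / spoofing", "no awareness training",
         "likely", "severe", 50_000, 0.5, 2.0),
    Risk("internal network", "exploit of known firewall bug", "unpatched firewall",
         "possible", "moderate", 200_000, 0.3, 0.5),
    Risk("marketing website", "defacement", "outdated CMS plugin",
         "likely", "minor", 20_000, 0.5, 1.0),
    Risk("laptop fleet", "lost or stolen device", "disks not encrypted",
         "rare", "moderate", 300_000, 0.1, 0.5),
]


def report(register) -> str:
    """One line per risk: threat, qualitative label, expected annual loss."""
    lines = []
    for r in register:
        lines.append(f"{r.threat:30} {qualitative_rating(r):6} "
                     f"ALE=${annual_loss_expectancy(r):>9,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Qualitative order:\n" + report(prioritize_qualitative(REGISTER)))
    print("\nQuantitative order:\n" + report(prioritize_quantitative(REGISTER)))
```

Run as a script, the qualitative ordering puts phishing first (likely and severe), while the quantitative ordering puts the cloud database first because its dollar exposure dominates even at a lower frequency; the encrypted-laptop risk is rated "low" qualitatively yet outranks the website defacement in expected loss. Whichever ordering a business adopts, the risks near the bottom are the accepted tradeoffs, and they should be written down as such rather than forgotten.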

Threat-Based Risk Assessment Methodology

Threat-based assessments look at the ways in which cybercrime happens and prioritize risks based on how common or harmful each type of threat might be to the business's operation. For instance, if social engineering threats like phishing or baiting are deemed the most harmful, a threat-based assessment would prioritize staff training and awareness above hardware or software upgrades.

Vulnerability-Based Risk Assessment Methodology

Vulnerability-based assessments rely on identifying known weaknesses within the company and making changes to those weak spots first. For example, if there is a known unpatched firewall issue, a vulnerability-based methodology would recognize that as a top priority.

Asset-Based Risk Assessment Methodology

Asset-based assessments inventory each asset (hardware, software, infrastructure, and data) for threats and vulnerabilities. This methodology often aligns well with IT departments, since it systematically categorizes each specific area of concern. However, it can overlook many of the human elements of cybersecurity since it only focuses on assets and doesn’t take processes, staff, and policies into account.

What Are the Steps in a Risk Assessment Methodology?

As our discussion above of the different methodologies shows, there isn’t one identical set of steps that will work for everyone. But there are some high-level patterns you can expect to see as you work through your methodology.

Let’s look at a cybersecurity risk management example to see what sort of steps you would expect. We’ll use a hypothetical small SaaS marketing business to see what each of the high-level steps might look like in a real business.

  • Assessing - This marketing company inventories their current cybersecurity protections along with their major hardware, software, and data assets. They also research the biggest cybersecurity threats to small businesses in their industry, so they know what they’re up against.

  • Identifying - They realize that their cloud computing systems are under-protected, and that spoofing attacks (bad actors pretending to be someone else as a way to get login data) are a common threat they haven’t trained their staff on.

  • Planning - They plan for external help from a cybersecurity technology company, like Trava, to implement needed cloud computing protections. They also plan monthly staff training or check-ins to ensure everyone stays up-to-date on the risks.

  • Executing - They start working with their external security team and incorporate ongoing support into their budgeting going forward. They allot bandwidth to staff to carry out needed training, so everyone continues to understand and protect against risk.

  • Monitoring - This marketing company builds regular reviews of their cybersecurity into their workflow and company culture. They continue to look for vulnerabilities and changing threats over time.

Compliance and Security Risk Assessment Methodology

Making sure your business is protected online is important for your own internal workings and peace of mind. But for many businesses, it is also a requirement set by various compliance agencies. The International Organization for Standardization (ISO) oversees business cybersecurity standards worldwide, and in the United States, the National Institute of Standards and Technology (NIST) is the government agency most often involved.

Risk Assessment Methodology ISO 27001

ISO 27001 is a voluntary compliance regulation that many businesses choose to follow as it helps instill customer trust and ensures the use of best practices for cybersecurity. The main requirements are addressed in six clauses (4.1-10.2) that cover business practices like:

4.1 - Understanding the Organization and its Context

5.3 - Organizational Roles, Responsibilities & Authorities

6.2 - Information Security Objectives & Planning to Achieve them

7.5 - Documented Information

8.1 - Operational Planning & Control

9.1 - Monitoring, Measurement, Analysis, and Evaluation

10.1 - Nonconformity and Corrective Action

What Is a NIST Risk Assessment?

The NIST cybersecurity risk assessment is a template to give businesses a set of best practices for protecting themselves from cybersecurity threats. It has the same overarching aim as the ISO standards discussed above, but it is put out by the US government instead of an international organization.

A common question around these NIST-based criteria is “What are the 5 areas of the NIST cybersecurity framework?” The answer is:

  1. Identifying risks that could compromise a business's ability to function

  2. Protecting key assets from these risks

  3. Detecting attacks and determining how severely assets were affected

  4. Responding to these attacks quickly to limit the damage done

  5. Recovering lost assets and planning prevention of possible future attacks

How Do You Write a Risk Assessment Methodology?

How you write the document that lays out your business’s risk assessment methodology will depend entirely on who you are writing it for. Each official organization that issues certifications will have very specific submission guidelines and formatting rules. Find those on the website of the relevant compliance agency, such as the ISO or NIST.

If you are preparing documentation for internal use, to present to staff or executives, you will likely want to write it differently. It may need to be formatted as a cybersecurity best practices handbook for staff training. Or it might live as a presentation, updated and given quarterly at review meetings for the c-suite. When you are trying to determine the best formatting for these types of situations, it can be helpful to ask for a risk management methodology example to better understand expectations. Alternatively, you can consider developing a template for preferred formatting.

Trava: Your Cybersecurity, Made Easy

We know that cybersecurity can be hard to navigate; that’s why we built Trava. We offer comprehensive services for:

That way you can focus on what your business needs while we focus on your online protection.