Prioritise the harm that matters
A cybersecurity risk assessment should help people choose and fund action. It is not an inventory of frightening threats or a spreadsheet filled with unsupported percentages. Connect plausible incidents to the organisation’s real services, people, information and tolerance for disruption.
List the organisation’s critical outcomes, then test scenarios such as account takeover, ransomware, supplier failure, payment redirection, device loss and unintended data disclosure. Prioritise the scenarios with the greatest business impact and weakest prevention, detection or recovery.
Start with business dependency
- Critical service: Which product, customer service, payment, safety or regulatory activity must continue?
- Time: How long can it be unavailable before harm becomes unacceptable?
- Information: Which records must remain confidential, accurate and available?
- Authority: Which accounts can change payments, users, domains, data or security settings?
- Dependency: Which devices, platforms, people, locations and suppliers enable the service?
- Recovery: What copy, skill, access and decision would be required to restore it?
Build scenarios people can understand
| Scenario | Likely route | Business consequence to assess | Evidence to check |
|---|---|---|---|
| Email or cloud administrator taken over | Stolen password, weak recovery or deceptive approval request | Fraud, data access, password resets, impersonation and wider account compromise | MFA method, admin count, alerts, recovery ownership and sign-in logs |
| Ransomware or destructive change | Compromised endpoint, remote access, supplier or privileged account | Operational outage, data loss, investigation, notification and rebuild cost | Backup separation, restore tests, supported software and endpoint controls |
| Supplier outage or breach | Provider failure, malicious access or supply-chain compromise | Loss of service, confidential information, contractual exposure and difficult exit | Data flow, privileged access, resilience, incident terms, exports and alternatives |
| Payment instruction altered | Mailbox compromise, spoofing or social engineering | Direct financial loss and delayed supplier or payroll payment | Independent verification, payment authority, email protection and reporting route |
| Personal data disclosed | Misdirected message, excessive access, lost device or insecure sharing | Harm to people, complaints, response work and possible notification duties | Data inventory, access, encryption, sharing rules, retention and incident plan |
Use relative scoring without false precision
Small teams can use a consistent one-to-five scale for business impact, plausible exposure and the gap in current prevention, detection and recovery. Define each score in plain language and record the evidence. The result is a comparison aid, not a mathematical prediction.
Keep any scenario with intolerable safety, legal, rights, financial or continuity consequences visible even if its likelihood is uncertain. Do not let a low-looking average conceal a failed non-negotiable control.
Turn each priority into a decision
- Reduce it. Add or improve a control with a named owner, evidence and target date.
- Avoid it. Stop the activity, remove unnecessary data or decline a supplier where the risk cannot be controlled proportionately.
- Share or transfer part of it. Use contracts, specialist services or insurance while recognising that accountability and operational impact remain.
- Accept it explicitly. Record who accepted the remaining risk, why, for how long and which change would trigger review.
Framework starting points
Use the NIST Cybersecurity Framework 2.0 to connect governance, identification, protection, detection, response and recovery. Smaller organisations can begin with the NIST small-business CSF resources. Apply country, sector, contractual and insurance requirements separately.
Cybersecurity risk assessment FAQs
How often should a cybersecurity risk assessment be reviewed?
Review it at a planned interval and when important services, suppliers, systems, locations, laws or threat conditions change. A serious incident, near miss, acquisition or new use of sensitive information should also trigger review.
Do I need exact financial values for every cyber risk?
No. Useful ranges and clearly defined impact levels are often better than invented precision. Include operational downtime, harm to people, recovery effort, fraud, contractual consequences and loss of critical information.
What belongs in a cyber risk register?
Record the scenario, affected service and information, business impact, existing controls, evidence, control and recovery gaps, owner, treatment, due date, residual concern, acceptance authority and next review trigger.
Continue your cybersecurity decision
Use the next guide that matches the exposure, control or recovery question you still need to resolve.

