Risk Assessment identifies and evaluates risks to organizational assets. The process inventories assets, identifies threats and vulnerabilities, estimates likelihood and impact, and calculates risk levels. Results inform decisions about which risks to address and how to allocate security resources.
Quantitative assessment assigns monetary values using formulas like Annual Loss Expectancy (ALE = SLE × ARO, where SLE is the Single Loss Expectancy and ARO the Annualized Rate of Occurrence). Qualitative assessment uses categories like high, medium, and low. Most organizations use a combination, applying quantitative methods where loss and frequency data exist and qualitative methods elsewhere.
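A worked example of the quantitative formulas above, added here as an illustration rather than taken from the page or from NIST SP 800-30: it computes SLE and ALE for a constructed risk register, maps each ALE onto an assumed high/medium/low band so the two approaches can sit side by side, and checks whether a control pays for itself (the safeguard-value formula, the register figures, the band thresholds and the control cost are all assumptions).

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro

def qualitative_level(ale: float, high: float = 100_000, medium: float = 10_000) -> str:
    """Map a monetary ALE onto a high/medium/low band (thresholds are assumed)."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"

def safeguard_value(risk: Risk, aro_after: float, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost of the control.
    Positive means the control saves more per year than it costs (assumed formula)."""
    ale_after = risk.sle() * aro_after
    return (risk.ale() - ale_after) - annual_cost

def rank_register(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Order risks by ALE, highest first, attaching the qualitative band to each."""
    ordered = sorted(register, key=lambda r: r.ale(), reverse=True)
    return [(r.asset, r.ale(), qualitative_level(r.ale())) for r in ordered]

# Constructed sample register: figures are illustrative, not from any real assessment.
REGISTER = [
    Risk("customer database", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("public web server", asset_value=50_000, exposure_factor=0.5, aro=2.0),
    Risk("field laptop", asset_value=2_000, exposure_factor=1.0, aro=3.0),
]

if __name__ == "__main__":
    for asset, ale, level in rank_register(REGISTER):
        print(f"{asset:<18} ALE={ale:>10,.0f}  level={level}")
    # Does a backup control costing 30,000/year that cuts the database ARO to 0.25 pay off?
    print("backup control net value:", safeguard_value(REGISTER[0], 0.25, 30_000))
```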
CISSP Relevance
Domain 1 (Security and Risk Management) covers risk assessment methodology extensively. Know quantitative formulas (SLE, ARO, ALE, EF), qualitative approaches, and when each is appropriate. Understand how risk assessment feeds into risk treatment decisions and security program priorities.
The reference guide is NIST SP 800-30, Guide for Conducting Risk Assessments.
Related terms: Risk Management, Business Impact Analysis