From Assets to Action: A Practical Risk Assessment Walkthrough (With Real Documents)
Risk assessment is one of those things that sounds simple in theory—but once you actually sit down to do it for a real environment, it quickly becomes clear how much structure and discipline it requires.
Instead of just explaining concepts, I recently completed a full sample risk assessment for a small business environment and documented every step. The full project is on GitHub (link in the Final Deliverables section below).
In this post, I’ll walk through the entire process, the documents I created, and the key lessons from doing this hands-on.
🏢 The Scenario: XYZ Limited
To make this practical, I created a realistic environment:
XYZ Limited — a small café that offers:
- Public Wi-Fi for customers
- A gaming zone (PS5s + PCs)
- Reception systems for billing
- An online ordering web application
This setup is simple—but surprisingly rich from a security perspective.
📌 Step 1: Asset Inventory (Foundation of Everything)
The first document I created was an Asset Inventory.
This included:
- Hardware (PCs, PS5s, routers, switches)
- Software (POS system, operating systems)
- Data (customer database, employee records)
- Services (web application)
🔑 Key Insight:
If you miss an asset here, you miss risks later. Everything depends on this step.
⚠️ Step 2: Threat & Vulnerability Register
Next, I mapped:
- Threats → What can go wrong
- Vulnerabilities → Why it can happen
Examples from the assessment:
- Open Wi-Fi → Man-in-the-Middle attacks
- Web application → SQL Injection
- Reception PCs → Malware infection
- Employees → Phishing attacks
📊 Step 3: Risk Analysis Matrix
This is where things get interesting.
I evaluated each risk using:
- Likelihood (1–5)
- Impact (1–5)
Then calculated:
Risk Score = Likelihood × Impact
Example:
- SQL Injection → 5 × 5 = 25 (Critical)
- Phishing → 4 × 3 = 12 (High)
🔑 Key Insight:
Not all vulnerabilities matter equally—risk analysis helps prioritize what actually matters to the business.
🛡️ Step 4: Risk Treatment Plan (Where Value Is Created)
This is the most important part of the entire process.
For each risk, I defined:
- Treatment strategy (Mitigate, Avoid, Accept)
- Specific controls
- Responsible owner
- Timeline
Example:
- SQL Injection → Input validation + WAF
- Weak passwords → Enforce policy + MFA
- Open Wi-Fi → Network segmentation
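To show how Steps 2 to 4 fit together in one place, here is an added example (my own code, not part of the original post or its GitHub documents) that encodes the register as data, applies the post's Risk Score = Likelihood × Impact on the 1–5 scale, sorts by score, attaches the treatment fields from Step 4, and flags any High-or-above risk that still has no treatment decision. The band cut-offs (Critical ≥ 20, High ≥ 12, Medium ≥ 6, Low otherwise) are an assumption chosen to agree with the two scores the post quotes; the likelihood and impact values for the rows the post does not score, and the extra "customer database" row, are constructed for the example.

```python
"""Risk register scoring for the XYZ Limited walkthrough (added example).

Implements Risk Score = Likelihood x Impact on a 1-5 scale and attaches the
Step 4 treatment fields. Band cut-offs, and every likelihood/impact value other
than the two the post quotes (SQL Injection 25, Phishing 12), are assumptions
constructed for this example.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # the post's 1-5 scale for both likelihood and impact

# Assumed band cut-offs: the post only labels 25 as Critical and 12 as High.
BANDS = ((20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low"))


def score_risk(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact, rejecting values outside the 1-5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood/impact must be 1-5, got {likelihood}/{impact}")
    return likelihood * impact


def band_for(score: int) -> str:
    """Map a score to a band using the assumed cut-offs above."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "Low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = ""      # Mitigate / Avoid / Accept; "" means not yet decided
    controls: tuple = ()
    owner: str = ""
    due: str = ""

    @property
    def score(self) -> int:
        return score_risk(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return band_for(self.score)


# Constructed register: threat/vulnerability pairs and controls follow the post;
# the numbers for rows the post does not score are assumed.
REGISTER = [
    Risk("Online ordering web app", "SQL Injection", "Unvalidated input in order form",
         5, 5, "Mitigate", ("Input validation", "WAF"), "Web developer", "30 days"),
    Risk("Employees", "Phishing", "No awareness training",
         4, 3, "Mitigate", ("Awareness training", "MFA"), "Manager", "60 days"),
    Risk("Public Wi-Fi", "Man-in-the-Middle", "Open network shared with reception",
         4, 4, "Mitigate", ("Network segmentation",), "IT contractor", "45 days"),
    Risk("Reception PCs", "Malware infection", "Weak passwords, no endpoint protection",
         3, 4, "Mitigate", ("Password policy", "MFA", "Endpoint protection"),
         "IT contractor", "30 days"),
    Risk("Customer database", "Unauthorised access", "No access control on records",
         3, 5),  # constructed: scored but no treatment decided yet
    Risk("Gaming zone PS5s", "Theft", "Consoles not physically secured", 2, 2),
]


def rank_register(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by asset name for a stable report order."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def untreated_above(register: list[Risk], minimum_band: str = "High") -> list[Risk]:
    """Risks at or above a band that still have no treatment decision."""
    order = [label for _, label in BANDS]  # Critical, High, Medium, Low
    cutoff = order.index(minimum_band)
    return [r for r in register if order.index(r.band) <= cutoff and not r.treatment]


def treatment_plan(register: list[Risk]) -> list[dict]:
    """Flatten the ranked register into Step 4 rows (strategy, controls, owner, timeline)."""
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score, "band": r.band,
         "treatment": r.treatment or "UNDECIDED",
         "controls": ", ".join(r.controls) or "-",
         "owner": r.owner or "-", "due": r.due or "-"}
        for r in rank_register(register)
    ]


if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(f"{row['score']:>2} {row['band']:<8} {row['asset']:<24} "
              f"{row['threat']:<20} {row['treatment']:<10} {row['controls']}")
    for r in untreated_above(REGISTER):
        print(f"WARNING: {r.asset} / {r.threat} is {r.band} with no treatment decision")
```

Keeping the register as data rather than a spreadsheet makes the two checks that matter cheap to repeat at every reassessment (Step 5): nothing can be scored outside the 1–5 scale, and no High or Critical row can sit without an owner and a decision.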
🔑 Key Insight:
Identifying risk is easy. Reducing it in a practical, business-friendly way is the real skill.
🔁 Step 5: Continuous Monitoring
Risk assessment is not a one-time task.
For XYZ Limited, I recommended:
- Regular vulnerability scans
- Periodic reassessment
- Monitoring logs and network activity
🧠 What This Project Taught Me
1. Risk Assessment ≠ Pentesting
As someone with a penetration testing background, this was a mindset shift.
- Pentesting → Find vulnerabilities
- Risk assessment → Prioritize based on business impact
2. Business Context Changes Everything
A vulnerability is only important if it affects:
- Revenue
- Customer trust
- Operations
3. Documentation Is Half the Work
Clear, structured documentation:
- Makes findings actionable
- Helps stakeholders understand risk
- Enables decision-making
📂 Final Deliverables
This project includes:
- Asset Inventory
- Threat & Vulnerability Register
- Risk Analysis Matrix
- (Next step: Risk Treatment Plan)
All documents are structured in a professional, report-ready format.
👉 GitHub: https://github.com/saadibabar/riskassessmentsample
👉 Portfolio: https://starstorm.netlify.app
🚀 Final Thoughts
Risk assessment is where technical security meets business reality.
It forces you to answer:
“What actually matters, and what should we fix first?”
If you’re coming from a technical background (like pentesting), I highly recommend practicing this: it’s a skill that real-world security roles value a great deal.
If you’d like feedback on your own risk assessment work or want to collaborate, feel free to reach out.