█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Risk Management and Governance/Risk Assessment
40 minBeginner

Risk Assessment

After this lesson, you will be able to: Identify assets, model threats, score risk on a likelihood-impact matrix.

Risk assessment is structured: catalog what you have, what threatens it, how likely × how bad, plot on a matrix, prioritize.

Prerequisites:What is Risk Management?

Risk assessment workflow

  1. 1

    1. Asset inventory, what do we own that's worth protecting?

  2. 2

    2. Threat modeling, what could go wrong (STRIDE, kill chain)?

  3. 3

    3. Vulnerability identification, pen tests, scans, audits.

  4. 4

    4. Likelihood scoring, frequency × exposure × control gaps.

  5. 5

    5. Impact scoring, financial, regulatory, reputational.

  6. 6

    6. Plot on 5x5 matrix → prioritize top-right (high/high).

💡 Quantitative vs qualitative

Qualitative. Low/Med/High labels (fast, opinionated). Quantitative. Annualized Loss Expectancy (ALE) = SLE × ARO. Hard to estimate but dollar-amount conversations are powerful.

Threat modeling: STRIDE

Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. For each component, walk through STRIDE and note plausible threats.

Quick Check

Likelihood: Low. Impact: Catastrophic. Action?

What do you do?

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←What is Risk Management?
Back to Risk Management and Governance
Security Policies and Standards→