- IT security risk assessment involves identifying assets, identifying threats to those assets, and evaluating the likelihood and potential impact of each threat.
- Threats can be external, such as hackers and malware, or internal, such as disgruntled employees or accidental data loss.
- A vulnerability is a weakness in a system that a threat actor could exploit; knowing your vulnerabilities is essential for prioritising defences.
- Risk can be expressed as a combination of likelihood and impact, allowing organisations to focus resources on the highest-priority risks first.
- Regular risk assessments are essential because the threat landscape evolves constantly, and new vulnerabilities emerge with every system change.
Alex: We're starting Unit 5: Security today. This is an enormous topic, but we're beginning with risk assessment. Sam, what does IT security risk assessment involve?
Sam: Risk assessment is the systematic process of identifying what could go wrong with your IT systems, understanding how likely it is to happen, and assessing what the impact would be if it did. The goal is to produce an informed picture of where your security risks are concentrated so you can prioritise where to invest in controls.
Alex: Let's unpack that. What do we mean by assets, threats, and vulnerabilities?
Sam: Assets are the things you're trying to protect: data, systems, applications, networks, hardware, and the services that depend on them. Threats are the things that could harm those assets: hackers, malware, disgruntled employees, natural disasters, accidental deletion. Vulnerabilities are weaknesses in your systems or processes that a threat could exploit: an unpatched operating system, a weak password policy, an unlocked server room.
Alex: How do you actually assess the risk?
Sam: The classic approach is to rate each identified risk on two dimensions: likelihood, how probable is it that this threat will materialise, and impact, how serious would the consequences be if it did. You multiply or combine these scores to get an overall risk rating. High-likelihood, high-impact risks are the ones you address first; low-likelihood, low-impact risks might be accepted without further action.
Alex: What are the main categories of threat that IT systems face?
Sam: External threats include malicious actors attempting to breach systems for financial gain, espionage, or disruption. Malware, including viruses, ransomware, and trojans, is one of the most common external threats. Social engineering attacks, particularly phishing, exploit human psychology rather than technical vulnerabilities. Internal threats include both malicious insiders and well-meaning employees who make mistakes. Physical threats include theft of hardware and unauthorised physical access to systems.
Alex: How do you stay on top of new threats? The landscape changes so quickly.
Sam: Regular threat intelligence is essential. Organisations like the UK's National Cyber Security Centre, the NCSC, publish guidance and advisories about current threats. The CVE database, Common Vulnerabilities and Exposures, catalogues known software vulnerabilities. Penetration testing, where ethical hackers attempt to breach your systems with your permission, is an invaluable way to discover vulnerabilities you didn't know you had.
Alex: Is risk assessment a one-off activity?
Sam: Absolutely not. The threat landscape evolves constantly, your systems change, and your business changes. Risk assessments should be reviewed and updated regularly, and should always be triggered by significant changes to systems or the threat environment. It's an ongoing management activity, not a project with a defined end point.
Alex: Brilliant. Thanks Sam. In the next lesson we look at the actual security solutions available to address these risks.