In the risk assessment process, there are several key issues that need to be considered.
First of all, what is the object (or asset) to protect? What is its direct and indirect value?
Second, what potential threats do the assets face, what leads to those threats, and how likely are they to occur?
Third, what weaknesses in the assets could a threat exploit, and how easily can they be exploited?
Fourth, if a threat event occurs, what kind of loss will the organization suffer or what kind of negative impact will it face?
Finally, what kind of security measures should the organization adopt to minimize the risk of losses?
Answering these questions is the process of risk assessment.
When carrying out a risk assessment, several relationships between these elements must be considered:
Each asset may face multiple threats
There may be more than one threat source (threat agent)
Each threat may exploit one or more weaknesses