How to Approach Risk Assessments at your Organization

Dan Carpenter
February 1, 2023
7 min read
Digital crime by an anonymous hacker

Risk assessment is a key facet of organizational security.

While some businesses may need to undergo a type of assessment in order to ensure compliance, others may be motivated by the thought of increasing security and safeguarding against threats.

Whichever category your company falls into, performing a risk assessment can be extremely helpful to keep your organization moving forward securely.

This article is meant to outline the general approach your organization should follow to keep secure.

Vulnerability assessments vs. penetration testing

Knowing the difference between vulnerability assessments and penetration testing is helpful when determining where to start your assessment.

Although penetration testing is a helpful tool, it is not always the correct first step based on your organization’s maturity level.

Overall, vulnerability assessments identify issues over their scope, while pen testing shows that those vulnerabilities can be exploited to gain access.

As a result of this difference, pen testing relies on human skills, processes, and tactics and less on automated tools.

What is a vulnerability assessment?

A vulnerability assessment generally takes place over a longer time period and consists of looking at specific points in time along the way.

It can be used to identify any trends and changes in security controls.

Vulnerability assessments can also identify possible pathways that could lead to an attack, exploitation, or service interruption using automated tactics.

This is often the lowest cost when it comes to cyber security assessments.

What is penetration testing?

Penetration testing involves simulated attacks testing a company’s security measures and serves to confirm the effectiveness of controls put in place to secure these systems.

This type of testing allows for the controlled exploitation of vulnerabilities.

The goal of pen testing is to demonstrate the types of knowledge and skill levels needed to gain access to an organization’s systems, in addition to the path that was taken to gain that access.

These simulated attacks are used to uncover gaps in an organization’s system security.

It’s important to note that pen testing does not negate other paths to gain access and does not invalidate vulnerabilities that may not have been identified yet.

However, it does show what is possible at a specific point in time.

What should I know about my company’s maturity level?

The maturity level of your organization plays an important role in determining the type of assessment to pursue first.

The following scale is a helpful method for understanding your security posture and where you might begin.

maturity level in cyber security

This type of scale is not meant to penalize an organization but is necessary to determine the appropriate testing and assessment tactics.

For example, if a company was considered to be on level 0 according to the scale, it would not be appropriate to start with a penetration test.

Instead, it would be more useful to start with another series of security assessments. This could be a vulnerability assessment or another type to assess the existence of other threats to the organization.

This would ensure the company has the appropriate security activities in place and is building up its security posture before testing the controls.

What are the types of risk and security assessments?

Four types of risk assessments are vulnerability assessments, interpreted vulnerability assessments, penetration tests, and red team testing.

The following table shows the types of risks and security assessments that an organization could undergo.

Assessment TypesTypical ScopeResultsCostCompany Maturity Level (applies to)
Vulnerability AssessmentEntire network / organizationReport of technical vulnerabilities; not all may be relevant or problematic$0-1
Interpreted Vulnerability AssessmentEntire network / organizationReport with technical vulnerabilities translated into the actual risk to the organization with remediation recommendations$$0-2
Penetration TestVaries from specific system to whole organizationReport on how various combinations of vulnerabilities and exploits were used to gain and maintain access$$$3-4
Red Team TestingOrganization’s “blue” teamReport on the effectiveness of the controls and responsiveness of the internal security team in thwarting persistent access and lateral movement$$$$4

An organization with a maturity level of 0-2 would most likely begin with a vulnerability assessment, whereas an organization with a higher maturity level could begin with a penetration test or red team testing

Is my company well protected from cyber-attacks?

When it comes to security, a layered approach is best to ensure there are other steps in place in case one method is compromised.

Multi-Factor Authentication (MFA) is one example of a layered security approach.

Defense in Depth is another way to think about this. Commonly used in the information security field, Defense in Depth means that an organization does not rely on a single security control but layers of them.

Consider your house as an example.

  • 1 Layer: The front door is closed

This is an example of security through obscurity.

Potential “attackers” do not know if the door is locked. They only know that it is closed.

  • 2 Layers: The front door is closed, and the standard knob is locked

This still requires the “attacker” to test the door to see if it is locked.

However, they must only defeat 1 additional control to gain access.

  • 3 Layers: The front door is closed, the standard knob is locked, and the deadbolt is locked

Adding the deadbolt lock has significantly improved the security posture in this example.

The second layer of the lock requires significantly more effort to defeat.

  • 4 Layers: The front door is closed, the standard knob is locked, the deadbolt is locked, and the alarm system is on

Now, we have significantly improved the security posture with the implementation of the alarm system.

The attacker would need to breach a second system entirely in addition to breaching the physical door.

This scenario is similar to the tactics most cyber attackers use.

They search for the path of least resistance, so after finding that the door is locked, most will simply move on.

However, it’s important to note that a motivated attacker will persist, which is a key distinction when scoping an assessment.

Penetration Test Questionnaire

If you believe that your organization is of the appropriate maturity level to pursue penetration testing, reviewing a questionnaire is helpful in determining the scope of the project.

Download our free penetration testing questionnaire so you can get started.

Of course, we’re able to help further if you need an outside organization to help assess your current security protocols.

Meet Dan Carpenter


As the President of IT Services, Dan provides excellent leadership to his team of over 170 technology professionals. He plays a large role in mentoring his team, helping individuals achieve career goals, and providing quality solutions to our customers.

Discover and Do More With Business Technology!

Get monthly business technology tips directly to your inbox.

Related Posts

Let's Build Something Great Together

Contact Us

Leave a Reply

Your email address will not be published. Required fields are marked *