Risk management and prioritization
You can't protect everything equally. You don't have the budget, the time, or the people. Risk management helps you decide what to protect first, how much to invest, and when "good enough" is actually good enough.
This isn't about filling out compliance forms. It's about making smart decisions with limited resources.
Why risk management matters for small companies
Without formal risk management, security decisions happen based on:
- Whatever incident just occurred
- What the loudest person in the room thinks
- What the latest news article covered
- What tools vendors are currently selling
This leads to misallocated resources. You might spend $50,000 on an advanced threat detection system while leaving your S3 buckets public. Or train everyone on phishing while ignoring that three people share the admin password.
Risk management provides a framework for answering: "Where should we focus next?"
The basics: what is risk?
In security, risk is calculated as:
Risk = Likelihood × Impact
Likelihood: How probable is this threat? Daily occurrence? Once a year? Once a decade?
Impact: If it happens, how bad is it? Minor inconvenience? Major financial loss? Company-ending?
A threat with high likelihood but low impact (spam emails) requires different treatment than low likelihood but catastrophic impact (ransomware destroying all data).
Risk response options
For any identified risk, you have four choices:
| Response | When to use | Example |
|---|---|---|
| Mitigate | Risk is too high, controls can reduce it | Add MFA to reduce account compromise risk |
| Accept | Risk is low enough, or mitigation cost exceeds benefit | Accept that a non-critical internal tool might have minor downtime |
| Transfer | Someone else can handle the risk better | Buy cyber insurance, use managed security services |
| Avoid | Risk is unacceptable and can't be mitigated | Don't store credit card data; use Stripe instead |
Most security work is mitigation. But knowing when to accept, transfer, or avoid is equally important.
Simplified risk assessment process
Enterprise risk frameworks (ISO 31000, NIST RMF) are comprehensive but overwhelming for small companies. Here's a practical approach you can complete in a day.
Step 1: Identify critical assets (2 hours)
What would hurt most if compromised, destroyed, or leaked?
Asset categories to consider:
| Category | Examples | Questions to ask |
|---|---|---|
| Data | Customer PII, source code, financial records | What data can't be recreated? What data would damage reputation if leaked? |
| Systems | Production servers, databases, SaaS platforms | What systems, if down, stop business? |
| Processes | Payment processing, customer onboarding | What processes handle sensitive operations? |
| People | Key employees with critical knowledge or access | Who has keys to the kingdom? |
| Reputation | Brand, customer trust | What would make customers leave? |
Quick exercise: List your top 10 assets. If you struggle to prioritize, ask: "If this disappeared tomorrow, how long until the company notices? How long until it's a crisis?"
Step 2: Identify threats (1 hour)
What could go wrong? Be specific.
Common threat sources for small companies:
| Threat source | Example scenarios |
|---|---|
| External attackers | Ransomware, credential stuffing, opportunistic scanning |
| Insider threats | Disgruntled employee, accidental data leak, social engineering victim |
| Third parties | Vendor breach, supply chain compromise, SaaS outage |
| Technical failures | Hardware failure, configuration error, software bug |
| Natural/physical | Power outage, flood, theft of equipment |
Don't overthink this. You're not defending against nation-states. Focus on threats that actually affect companies like yours. Check the Verizon DBIR for data on what attacks are most common in your industry.
Step 3: Assess likelihood (1 hour)
For each threat-asset combination, estimate likelihood:
| Rating | Description | Frequency | Example |
|---|---|---|---|
| 5 - Almost certain | Expected to occur | Multiple times per year | Phishing attempts against employees |
| 4 - Likely | Will probably occur | Once per year | Credential stuffing attempt |
| 3 - Possible | Might occur | Once every 2-3 years | Targeted attack on your company |
| 2 - Unlikely | Could occur but not expected | Once per 5-10 years | Insider sabotage |
| 1 - Rare | Exceptional circumstances | Once per 10+ years | Nation-state attack |
Use data when available:
- How many phishing emails did you receive last month?
- How many vulnerability scan attempts in your logs?
- What does industry data say about breach frequency?
When data isn't available, use informed judgment. It's better to estimate than to not assess at all.
Step 4: Assess impact (1 hour)
If the threat materializes, how bad is it?
| Rating | Description | Financial | Operational | Reputational |
|---|---|---|---|---|
| 5 - Catastrophic | Business survival at risk | >$1M or >50% revenue | Months of disruption | Major media coverage, customer exodus |
| 4 - Major | Significant damage | $100K-$1M | Weeks of disruption | Industry coverage, notable customer loss |
| 3 - Moderate | Notable impact | $10K-$100K | Days of disruption | Some customer complaints |
| 2 - Minor | Small impact | $1K-$10K | Hours of disruption | Few notice |
| 1 - Negligible | Minimal effect | Under $1K | Minutes of disruption | No one notices |
Tip: Consider all impact types. A breach might cost $50K in direct response but $500K in lost deals if it hits the news.
Step 5: Calculate and rank risks (30 minutes)
Multiply likelihood × impact to get risk score:
Risk Score = Likelihood (1-5) × Impact (1-5)
Risk levels:
- 1-4: Low (green) → Accept or monitor
- 5-9: Medium (yellow) → Plan mitigation
- 10-14: High (orange) → Prioritize mitigation
- 15-25: Critical (red) → Immediate action required
Example risk assessment:
| Asset | Threat | L | I | Score | Risk level |
|---|---|---|---|---|---|
| Customer database | Ransomware | 3 | 5 | 15 | Critical |
| Customer database | SQL injection | 2 | 5 | 10 | High |
| Source code | Developer laptop theft | 3 | 3 | 9 | Medium |
| Email system | Phishing → account takeover | 4 | 4 | 16 | Critical |
| Marketing website | Defacement | 3 | 2 | 6 | Medium |
| HR data | Insider access abuse | 2 | 4 | 8 | Medium |
| Production servers | DDoS | 3 | 4 | 12 | High |
| Backups | Corruption/deletion | 2 | 5 | 10 | High |
Now you know where to focus: ransomware and phishing-to-account-takeover are your critical risks.
The risk register
A risk register is your living document for tracking risks and their treatment. It doesn't need to be fancy—a spreadsheet works fine.
Risk register template
| ID | Asset | Threat | L | I | Score | Current controls | Treatment | Owner | Target date | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Customer DB | Ransomware | 3 | 5 | 15 | Daily backups, AV | Mitigate: Add network segmentation, EDR | IT Lead | Q1 2025 | In progress |
| R-002 | Phishing | 4 | 4 | 16 | Basic spam filter | Mitigate: Deploy email security gateway, train users | Security Champion | Q1 2025 | Planned | |
| R-003 | Source code | Laptop theft | 3 | 3 | 9 | Full disk encryption | Accept: Current controls sufficient | Dev Lead | N/A | Accepted |
Risk register best practices
-
Review quarterly — Risks change. New threats emerge. Controls mature.
-
Assign owners — Every risk needs one person accountable.
-
Track treatment progress — A risk register that just lists risks is useless. Track what you're doing about them.
-
Keep it simple — 15-25 risks is manageable. 200 risks means you'll never look at it.
-
Include accepted risks — Document why you accepted them. When leadership asks "why didn't we...?" you have the answer.
Risk register tools
| Tool | Cost | Best for |
|---|---|---|
| Google Sheets | Free | Quick start, small teams |
| Notion | Free tier | Visual, easy sharing |
| Jira/Linear | Free tiers | Integration with dev workflow |
| OWASP Threat Dragon | Free | Visual threat modeling |
| SimpleRisk | Free (Community) | Dedicated risk management |
| LogicGate, ServiceNow | Paid | Enterprise GRC needs |
Recommendation for small companies: Start with a spreadsheet. Move to a dedicated tool only when complexity demands it.
The risk matrix: visual prioritization
A risk matrix makes prioritization visual and easy to communicate to leadership.
| Likelihood | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5 |
|---|---|---|---|---|---|
| 5 — Almost certain | 5 Med | 10 High | 15 Crit | 20 Crit | 25 Crit |
| 4 — Likely | 4 Low | 8 Med | 12 High | 16 Crit | 20 Crit |
| 3 — Possible | 3 Low | 6 Med | 9 Med | 12 High | 15 Crit |
| 2 — Unlikely | 2 Low | 4 Low | 6 Med | 8 Med | 10 High |
| 1 — Rare | 1 Low | 2 Low | 3 Low | 4 Low | 5 Med |
Color coding for presentations:
- Green (Low): Monitor, no immediate action
- Yellow (Medium): Plan mitigation, reasonable timeline
- Orange (High): Prioritize, address within quarter
- Red (Critical): Immediate action, escalate to leadership
Using risk data for prioritization
Prioritizing security initiatives
When deciding between projects, compare their risk reduction:
| Initiative | Cost | Effort | Risks addressed | Risk reduction |
|---|---|---|---|---|
| MFA rollout | $2K/yr | 2 weeks | R-002 (phishing) | 16 → 8 |
| EDR deployment | $10K/yr | 1 month | R-001 (ransomware) | 15 → 10 |
| Security training | $3K | Ongoing | R-002, R-003 | Multiple -2 |
| Network segmentation | $5K | 2 months | R-001 | 15 → 9 |
MFA offers the best risk reduction per dollar. Start there.
Justifying security budget
Risk data makes budget conversations easier:
Before risk assessment: "We need $15K for security tools." → "Why? We haven't had any problems."
After risk assessment: "Our top risk—phishing leading to account takeover—has a score of 16/25. Industry data shows similar companies face $150K average breach cost. A $15K investment in email security and training reduces this risk to 8/25, roughly halving our expected loss."
Accepting risk deliberately
Sometimes the right answer is "accept the risk." But do it consciously:
Risk Acceptance Template
Risk ID: R-003
Risk description: Source code theft via laptop theft
Current risk score: 9 (Medium)
Current controls: Full disk encryption, remote wipe capability
Recommendation: Accept
Rationale:
- Current controls reduce impact significantly
- Additional controls (e.g., no local code) would severely impact productivity
- Cost of additional mitigation exceeds expected loss
Accepted by: [CTO Name]
Date: [Date]
Review date: [Date + 1 year]
Risk assessment for specific scenarios
New vendor evaluation
Before adopting a new SaaS tool:
| Risk factor | Questions | Red flags |
|---|---|---|
| Data exposure | What data will they access? | Access to all customer data when they only need email |
| Authentication | Do they support SSO/MFA? | Password-only authentication |
| Breach history | Have they been breached? | Recent breach, poor response |
| Compliance | Do they have SOC 2/ISO 27001? | No third-party audits |
| Backup/recovery | What's their SLA? Data export? | No export capability |
New feature/project
Before building something new:
- What sensitive data does it handle?
- What authentication/authorization does it need?
- What third parties are involved?
- What's the blast radius if compromised?
- What's the MVP security requirement?
Infrastructure change
Before major changes:
- What existing controls are affected?
- Are new attack vectors introduced?
- What's the rollback plan?
- Has security reviewed the design?
Common mistakes
-
Analysis paralysis — Spending months on a perfect assessment instead of taking action. A rough assessment done in a day beats a perfect one that takes a quarter.
-
Ignoring accepted risks — Writing them down and forgetting. Review quarterly.
-
Treating all risks equally — The whole point is prioritization. If everything is high priority, nothing is.
-
Not involving stakeholders — Risk assessment done in isolation misses business context. Involve product, engineering, and leadership.
-
Static risk register — Risks change. New assets appear. Threats evolve. Review and update regularly.
-
Over-reliance on frameworks — NIST and ISO are useful references, not gospel. Adapt to your context.
-
Forgetting about risk acceptance — Sometimes accepting risk is the right call. Not documenting that decision is the mistake.
-
Impact bias — People focus on high-impact risks even when likelihood is negligible. A once-in-a-century catastrophe may deserve less attention than frequent medium-impact incidents.
Quantifying risk in dollars
Leadership understands money better than risk scores. Convert abstract risks to financial terms.
Simple risk quantification
Annual Loss Expectancy (ALE) = Single Loss Expectancy × Annual Rate of Occurrence
Example: Customer data breach
- Single Loss Expectancy (SLE): $150,000 (response + fines + reputation)
- Annual Rate of Occurrence (ARO): 0.1 (10% chance per year)
- ALE = $150,000 × 0.1 = $15,000/year expected loss
If a $5,000/year control reduces ARO to 0.02:
- New ALE = $150,000 × 0.02 = $3,000/year
- Savings: $15,000 - $3,000 = $12,000/year
- ROI: ($12,000 - $5,000) / $5,000 = 140%
Cost estimation reference
Use these ranges for your calculations (adjust for company size):
| Impact type | Small company estimate | Notes |
|---|---|---|
| Incident response | $10K-50K | Internal time + forensics |
| Legal/regulatory | $20K-200K | Varies by jurisdiction, data type |
| Customer notification | $1-5 per record | Required in most jurisdictions |
| Credit monitoring | $10-20 per person/year | Often required after PII breach |
| Downtime | $1K-50K per hour | Depends on business model |
| Reputation | 5-20% revenue impact | Hard to quantify, real nonetheless |
Presenting risk in business terms
| Technical framing | Business framing |
|---|---|
| "SQL injection risk is high" | "An attacker could steal our entire customer database" |
| "Risk score 16 out of 25" | "We estimate $75K expected annual loss from this risk" |
| "We need a WAF" | "For $10K/year, we can reduce breach probability by 60%" |
| "CVSS 9.8 vulnerability" | "This vulnerability allows attackers to take over our servers within hours of being scanned" |
STRIDE: threat modeling for developers
For development teams, STRIDE provides a systematic way to identify threats. Use it when designing new features or reviewing architecture.
STRIDE categories
| Threat | What it means | Example | Mitigation approach |
|---|---|---|---|
| Spoofing | Pretending to be someone else | Using stolen credentials | Authentication, MFA |
| Tampering | Modifying data or code | SQL injection, changing prices | Input validation, integrity checks |
| Repudiation | Denying actions taken | User claims they didn't make a transaction | Audit logs, non-repudiation |
| Information disclosure | Exposing sensitive data | Database dump, verbose errors | Encryption, access control, error handling |
| Denial of service | Making system unavailable | DDoS, resource exhaustion | Rate limiting, redundancy |
| Elevation of privilege | Gaining unauthorized access | Admin account takeover, privilege escalation | Least privilege, authorization checks |
Quick STRIDE analysis
For any new feature, ask:
1. SPOOFING: How do we verify user identity?
- Can attackers impersonate legitimate users?
- Is session management secure?
2. TAMPERING: Can data be modified in transit or storage?
- Is input validated?
- Are integrity checks in place?
3. REPUDIATION: Can we prove what happened?
- Are actions logged?
- Are logs tamper-proof?
4. INFORMATION DISCLOSURE: What data could leak?
- Are errors too verbose?
- Is sensitive data encrypted?
5. DENIAL OF SERVICE: Can this be abused?
- Are there rate limits?
- What happens under load?
6. ELEVATION OF PRIVILEGE: Can users do more than allowed?
- Is authorization checked at every level?
- Are admin functions properly protected?
Resources for threat modeling
- OWASP Threat Modeling — Comprehensive guide
- Microsoft Threat Modeling Tool — Free visual tool
- Threagile — Open-source, code-based threat modeling
- OWASP Threat Dragon — Free, open-source diagramming
Real-world incidents: when risk wasn't managed
Case 1: The forgotten S3 bucket
A startup had "public S3 buckets" on their risk register as "Medium" risk. They planned to fix it "next quarter" for three quarters in a row. A security researcher found the bucket containing 2M customer records and reported it to journalists before notifying the company.
Cost: $400K in incident response, legal fees, and customer churn. The $2K and 2 days to fix it had seemed "too expensive" for too long.
Case 2: The accepted risk that bit back
A SaaS company accepted the risk of not having MFA on their admin console because "it's behind VPN." An employee's laptop was compromised via phishing. The attacker accessed the VPN, then the admin console. No MFA meant full access to customer data.
The risk register said: "Accepted - VPN provides sufficient protection." The risk review hadn't questioned whether VPN alone was enough.
Case 3: Risk assessment that saved the deal
A fintech startup was in M&A discussions. The acquirer's due diligence included security review. Because the startup had:
- Documented risk register
- Clear risk ownership
- Regular quarterly reviews
- Formal acceptance documentation for known gaps
The acquirer's security team spent 2 days instead of 2 weeks on assessment. The startup demonstrated security maturity beyond their size, contributing to a higher valuation.
Case 4: Priorities without risk assessment
A company invested $50K in advanced threat detection while having:
- 30% of systems unpatched
- No MFA on critical systems
- Shared admin passwords
Their first "detected threat" was an attacker already inside, using those shared credentials. The expensive detection tool worked perfectly—it detected the breach that basic hygiene would have prevented.
Risk communication: making it real
The scenario technique
Instead of abstract risk scores, tell stories:
Abstract: "Risk R-002: Phishing leading to account compromise. Likelihood 4, Impact 4, Score 16."
Scenario: "It's Thursday afternoon. A developer clicks a link in an email that looks like it's from GitHub. They enter their credentials. By Friday morning, the attacker has cloned all our private repositories, including the one with hardcoded API keys. They've accessed our AWS account and downloaded customer data. Our first indication is a tweet from a security researcher saying our data is for sale."
Scenarios make risk visceral. Leadership remembers scenarios.
Risk appetite statements: examples
Get leadership to approve explicit risk appetite. Examples:
Conservative (regulated industry):
"We will not accept any risk rated 10 or above. All medium risks (5-9) must have documented mitigation plans with 90-day timelines. No production system may have known critical or high vulnerabilities for more than 7 days."
Balanced (typical tech company):
"Risks rated 15+ require C-level approval for acceptance. Risks rated 10-14 require VP approval. All high and critical risks must have mitigation plans. We accept that some medium risks will exist; they require quarterly review."
Aggressive (early-stage startup):
"We prioritize speed to market. Risks rated 20+ require founder approval. We consciously accept higher risk in exchange for velocity, but document our decisions for future reference. No customer data exposure risks are acceptable regardless of score."
Heat maps for presentations
Visual risk presentations work better than tables:
Company Risk Heat Map — Q1 2025
| Likelihood | Impact: Low | Impact: Med | Impact: High |
|---|---|---|---|
| High | — | Email phishing | Customer DB |
| Med | Website | Laptop theft | Source code |
| Low | — | — | DDoS |
Focus areas: Customer DB protection, email security. Acceptable risks: website defacement (low likelihood/impact).
Expert tips
The "3-in-30" review
Can't do a full assessment? Do "3-in-30":
- Identify your top 3 assets
- For each, name the top 3 threats
- Score them in 30 minutes
This gives you 9 risk items covering your most critical areas. Better than nothing.
Use threat intelligence to calibrate likelihood
Don't guess likelihood in a vacuum:
- Check Verizon DBIR for your industry
- Review CISA alerts for active exploits
- Monitor Have I Been Pwned for credential exposures in your domain
The "newspaper test" for impact
When estimating impact, ask: "Would this make the news?" If yes, it's probably a 4 or 5.
Risk appetite statement
Get leadership to define risk appetite: "We will not accept risks above [score X] unless explicitly approved by [role]." This gives you clear escalation criteria.
Example:
"Risks scoring 15 or above require CEO approval for acceptance. Risks scoring 10-14 require CTO approval. Risks below 10 can be accepted by department heads."
Connect risks to OKRs
Map security risks to company objectives:
- "Our Q1 goal is $2M ARR" → "A breach would delay sales cycles by ~2 months"
- "We're launching in the EU" → "GDPR violation fines could be 4% of revenue"
This makes security relevant to business priorities.
Workshop: conduct your risk assessment
Part 1: Asset inventory (1 hour)
- List your company's critical assets
- Categorize: Data, Systems, Processes, People, Reputation
- Rank by importance (if you can only protect 5, which 5?)
Deliverable: Asset inventory with top 10 critical assets identified
Part 2: Threat identification (1 hour)
- For each top asset, identify 3-5 relevant threats
- Be specific: "Ransomware via phishing email" not just "cyberattack"
- Use threat intelligence sources to validate
Deliverable: Threat list mapped to assets
Part 3: Risk scoring (1 hour)
- Score each threat-asset pair for likelihood (1-5)
- Score each for impact (1-5)
- Calculate risk scores
- Rank from highest to lowest
Deliverable: Ranked risk list with scores
Part 4: Risk register (1 hour)
- Create a risk register using the template provided
- Document current controls for each risk
- Propose treatment (mitigate, accept, transfer, avoid)
- Assign owners and target dates for high/critical risks
Deliverable: Initial risk register with top 15 risks
Part 5: Risk mitigation plan (1 hour)
- For your top 5 risks, define specific mitigation actions
- Estimate cost and effort for each
- Propose timeline and priorities
- Prepare brief for leadership
Deliverable: Risk mitigation plan with prioritized actions
How to explain this to leadership
The pitch:
"I want to formalize how we make security decisions. Right now, we react to whatever feels urgent. A risk assessment will give us a clear picture of our actual risks—what's likely to happen and how bad it would be. Then we can invest in the things that matter most, not just the things that are loudest."
What to present:
- Top 5 risks with plain-English descriptions
- Current controls and gaps
- Proposed investments with cost and risk reduction
- What you recommend accepting (and why it's okay)
The ask:
"I need 4 hours to complete the initial assessment, and 30 minutes of your time to review the results. After that, quarterly 15-minute reviews to keep it current."
Expected outcome:
"You'll have visibility into our actual security posture and the data to make informed decisions about where to invest."
Conclusion
You can't eliminate all risk. The goal is to make deliberate decisions about which risks to accept, which to reduce, and which to transfer. A risk register makes those decisions explicit instead of implicit.
Start with a spreadsheet and four columns. You can add process later.
What's next
Next: compliance and regulatory requirements — understanding what you're legally required to do and how to turn that into a competitive advantage.