What is a risk assessment?
To answer this question we must first know what “risk” is.
There are many kinds of risks: financial risks, safety risks, investment risk. But we are talking about Security Risk. In the context of SECURITY, risk is the likelihood that something harmful (a threat) will happen to something of value (an asset). The asset must be vulnerable to the the harmful event.
So a risk is the probability that a threat will exploit the weakness of an asset.
A risk assessment is the process of identifying the actual risk. This done by identifying the threat, the asset, the associated weaknesses and countermeasures and then determining the impact should the threat harm the asset.
Risk identification is done with a risk assessment. NIST SP 800-30, Guide for Conducting Risk Assessments breaks down the entire process of risk determination, risk identification.
As described in the earlier post DIACAP Process:
Risk = ((Vulnerability * Threat) / Countermeasure) * Asset Value at Risk IT Risk
Risk is the likelihood that a threat will compromise the weakness of an asset. So risk identification is based on knowing the threat, the vulnerability and the asset.