A bike is resting against a lamppost without being locked. Is the bike at risk of being stolen? To answer that question, you’d need to find out: Is the bike valuable? Is it in desirable condition? Who would want the bike? What’s the crime rate by the lamppost? Are people around? Is it daytime? Is there a security camera? Also, what effect would it have if someone were to take the bike?
An unlocked bike leaning against a lamppost is not, by itself, a risk. In cybersecurity terms it is a vulnerability: a weakness that could be exploited. It only becomes a risk when you combine it with a credible threat (someone who wants the bike and can reach it) and with the consequence of losing it. Those are exactly the questions asked above.
So What Is a Risk Assessment?
Vulnerability scanners can enumerate the weaknesses in your systems, and that output is useful. But knowing about an unpatched program or a misconfigured firewall is only the first step toward making the organization safer. A raw scan report lists every finding with a severity label but says nothing about which ones matter to you, and it is easy to get overwhelmed by the results.
The critical next step is to perform a risk assessment. Following NIST SP 800-30 guidance, a risk assessment takes the raw findings of a vulnerability assessment and pairs each one with the credible threats that could exploit it, the likelihood that they would, and the impact on the organization if they succeeded. The result is a weighted list of areas of concern (a risk register) and a roadmap for addressing them in order.
Don’t Be Misled
Scanner output is often labelled "risk" and given a score, but those scores typically describe the weakness in isolation (how severe it would be on any system), not the risk to your organization. Treating the two as the same gives a false picture of what is really dangerous and leads to a wasteful allocation of money and time: you intended to reduce risk, but you addressed only vulnerabilities, and not necessarily the ones that matter.
To avoid this, do not let software dictate your information security initiatives. These tools were made to discover vulnerabilities in a technology environment. Understanding risk (a vulnerability tied to the action of a threat actor and to the effect that action would have on you) needs analysis specific to your situation: which assets are exposed, who would plausibly attack them, and what a successful attack would cost.
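The two sections above describe the same transformation: scanner findings in, a weighted list of concerns out, with the weighting coming from threat likelihood and business impact rather than from the tool's own severity label. The Python below is an added example written for this page (it is not Bryley's code and not part of NIST SP 800-30 itself). It encodes the qualitative likelihood-by-impact table from SP 800-30 Rev. 1, Appendix I, and applies it to a constructed set of findings; the host names, finding titles and ratings are invented for illustration.

```python
"""Build a NIST SP 800-30 style risk register from raw vulnerability-scan findings.

A scanner rates how bad a weakness is in the abstract. Risk needs two more
inputs the scanner cannot supply: the likelihood that a credible threat will
exploit the weakness here, and the impact on the organisation if it does.
"""
from dataclasses import dataclass

# Five-point qualitative scale used throughout SP 800-30 Rev. 1, lowest first.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Level of risk as a function of likelihood (row) and impact (column), as in
# Table I-2 of SP 800-30 Rev. 1. Transcribed for this example; verify it against
# the published table before relying on it.
RISK_TABLE = {
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
}

# Severity labels a scanner typically attaches to findings, lowest first.
SCANNER_SEVERITIES = ["Low", "Medium", "High", "Critical"]


def risk_level(likelihood: str, impact: str) -> str:
    """Combine an analyst's likelihood and impact ratings into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_TABLE[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    scanner_severity: str  # what the scanning tool reported
    likelihood: str        # analyst judgement: exposure plus a credible threat
    impact: str            # analyst judgement: effect on the business if exploited


@dataclass(frozen=True)
class RiskEntry:
    host: str
    title: str
    scanner_severity: str
    risk: str


def by_scanner_severity(findings):
    """Order findings the way a raw scan report does: by tool severity alone."""
    return sorted(findings, key=lambda f: -SCANNER_SEVERITIES.index(f.scanner_severity))


def build_register(findings):
    """Turn findings into a risk register sorted highest risk first."""
    entries = [
        RiskEntry(f.host, f.title, f.scanner_severity, risk_level(f.likelihood, f.impact))
        for f in findings
    ]
    # Risk level decides the order; scanner severity only breaks ties.
    entries.sort(key=lambda e: (-LEVELS.index(e.risk),
                                -SCANNER_SEVERITIES.index(e.scanner_severity)))
    return entries


# Constructed sample findings (not real scan output). The likelihood and impact
# values are the analyst's input; the scanner does not know them.
SAMPLE_FINDINGS = [
    Finding("lab-vm-07", "Unpatched file-sharing service", "Critical",
            likelihood="Very Low", impact="Low"),        # isolated lab VM, no business data
    Finding("web-01", "TLS allows weak cipher suites", "Medium",
            likelihood="High", impact="High"),           # internet-facing, customer sessions
    Finding("fw-edge", "Management interface reachable from the internet", "High",
            likelihood="Very High", impact="Very High"),
    Finding("hr-db", "Default administrative credentials", "Critical",
            likelihood="Moderate", impact="Very High"),  # internal only, but holds payroll data
]


def main():
    print("Scanner order:")
    for f in by_scanner_severity(SAMPLE_FINDINGS):
        print(f"  {f.scanner_severity:<9} {f.host:<10} {f.title}")
    print("Risk register:")
    for e in build_register(SAMPLE_FINDINGS):
        print(f"  {e.risk:<9} (scanner: {e.scanner_severity:<8}) {e.host:<10} {e.title}")


if __name__ == "__main__":
    main()
```

Run it and compare the two listings. The scanner puts the lab VM's "Critical" finding at the top; the risk register puts it last and moves the "Medium" TLS finding on the internet-facing server near the top, because the analyst's likelihood and impact ratings carry the information the scanner lacks. The table lookup is deliberately simple; what makes it a risk assessment rather than a re-sorted scan is that the two extra inputs come from knowledge of your own environment.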
If you’d like further guidance about uncovering risks and developing a plan to address them, Bryley is available to help at 978.562.6077 or email ITExperts@Bryley.com.