Risk Management
NIST - The National Institute of
Standards and Technology
⚫ NIST is a non-regulatory Federal agency with the mission
of developing and promoting measurement, standards and
technology to enhance productivity and improve quality of
life
⚫ They invent
⚫ They develop
⚫ They set standards
Pertinent NIST Publications
⚪ SP 800-12 An Introduction to Computer
Security: The NIST Handbook
⚪ SP 800-18 Guide for Developing Security
Plans for Information Technology Systems
⚪ SP 800-26 Security Self-Assessment Guide
for Information Technology Systems
⚪ SP 800-30 Risk Management Guide for
Information Technology Systems
NIST Says
It’s a Management Function
⚫ The goal of Risk Management is to protect
the organization and its ability to perform
its mission
⚫ The focus is the mission; not IT assets
⚫ Risk Management, therefore, is an
essential management function of the
organization
NIST Says
Risk Management has Three Parts
⚫ Risk Assessment - Determining where risks lie,
and how big they are
⚫ Risk Mitigation - Prioritizing, evaluating, and
implementing appropriate risk-reducing controls
⚫ Evaluation and Assessment – Since Risk
Management is continuous and evolving, the past
year’s Risk Management efforts should be assessed
and evaluated prior to beginning the cycle again
Risk Management Process
[Figure: the three parts as a continuous cycle: Risk Assessment, then Risk Mitigation, then Evaluation and Assessment, feeding back into the next Risk Assessment]
Need for Risk Management
⚫ Allows IT managers to balance the operational and
economic costs of protective measures and achieve
gains in mission capability
⚫ by protecting the IT systems and data that support
their organizations’ missions.
⚫ A well-structured risk management methodology,
when used effectively, can help management identify
appropriate controls for providing the
mission-essential security capabilities.
Integration of Risk Management into the SDLC
⚫ Phase 1—Initiation
⚪ Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
⚪ Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements.
⚫ Phase 2—Development or Acquisition
⚪ Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
⚪ Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.
⚫ Phase 3—Implementation
⚪ Phase characteristics: The system security features should be configured, enabled, tested, and verified.
⚪ Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.
⚫ Phase 4—Operation or Maintenance
⚪ Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
⚪ Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).
⚫ Phase 5—Disposal
⚪ Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
⚪ Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
Key Roles
⚫ Senior Management
⚫ Chief Information Officer
⚫ System and Information Owners
⚫ Business and Functional Managers
⚫ ISSO
⚫ IT Security Practitioners
⚫ Security Awareness Trainers (security/subject matter professionals)
Risk Assessment
⚫ To determine the extent of the potential threat and
the risk associated with an IT system throughout its
SDLC.
⚫ The output of this process helps to identify
appropriate controls for reducing or eliminating risk
during the risk mitigation process
Risk Assessment Frameworks
⚫ OCTAVE
⚫ FAIR
⚫ NIST 800-30
⚫ ISO 27005
Information Asset Inventory
⚫ Anything of value that requires protection
⚪ People, Process, Technology
⚪ Information
⚪ Supporting Infrastructure
⚪ Business processes
⚫ Data Sources
⚪ Listing of Enterprise Applications
⚪ Listing of Databases
⚪ Software Inventory
⚪ Hardware Inventory
⚪ System Diagrams
⚪ Technical Design Document
Taxonomy
People attach different meanings to the same terms, so a common
terminology must be adopted before risks are discussed.
⚫ Risk
⚫ Threat
⚫ Vulnerability
⚫ Exposure
⚫ Probability
⚫ Impact
⚫ Risk Capacity
⚫ Risk Appetite
⚫ Risk Tolerance
⚫ Risk Owner
⚫ Risk Custodian
❑ Risk Scenario
❑ Risk Factors
❑ Analysis/Assessment/Evaluation
❑ Response
❑ Control
❑ Inherent risk
❑ Residual risk
❑ Current risk
❑ Risk register
❑ Risk profile
⚫ Risk is the probability that a threat, exploiting a
vulnerability that exists in an asset of certain value, will
cause an undesired impact.
⚫ Impact refers to the magnitude of harm that could be
caused by a threat’s exercise of a vulnerability.
[Figure: a Threat exercises a Vulnerability in an ASSET, producing an Undesired Impact]
⚫ Threat sources shown: External Threat (malware [virus, Trojans], terrorist), Internal Threat, Environmental Threat (power failure, disasters), Physical Threat
⚫ Typical IT infrastructure assets shown: database, network, OS, applications, desktops, storage, hardware (HW), facilities
⚫ Undesired impacts shown: unauthorized access, data theft, denial of service, unauthorized changes, service disruption, data leak/loss, failure
Taxonomy
Risk Capacity – Maximum capacity
Risk appetite – Willingness to take risk or acceptable
risk
Risk tolerance – Minor deviation from risk appetite
Risk Owner – the accountable point of contact for the
enterprise at the senior leadership level, who
coordinates efforts to mitigate and manage the risk
(e.g., the CRO)
Risk Custodian – the IT team that operates the controls on the owner's behalf
Types of controls
⚫ Preventive
⚫ Detective
⚫ Corrective
⚫ Deterrent
⚫ Disciplinary
⚫ Mandatory
⚫ Discretionary
…Taxonomy continued
⚫ Analysis - “analysis” is defined as the careful study of risk
scenarios, what they do and how they are related to each
other.
⚫ Assessment - Process used to determine the overall magnitude
of risk and its potential effects
⚫ Evaluation - Process of comparing the estimated risk
against given risk criteria to determine the significance of
the risk
⚫ Risk appetite—The amount of risk, on a broad level, that
an entity is willing to accept in pursuit of its mission
⚫ Risk tolerance—The acceptable level of variation that
management is willing to allow for any particular risk as
it pursues its objectives
https://www.cybersaint.io/blog/risk-register-examples-for-cybersecurity
Risk Profile – Inherent Risk
(Likelihood rows: Almost Certain, Likely, Possible, Unlikely, Rare. Consequence columns: Insignificant, Minor, Moderate, Major, Catastrophe. Scenarios are plotted before any control is credited.)
⚫ Almost Certain: Power Failure; Fire
⚫ Likely: Virus; Hard Disk Crash
⚫ Possible: Intrusion; Fraud
⚫ Unlikely: Flood
⚫ Rare: Tornado; Earthquake
Current Risk
(Same axes; each scenario now carries the control credited, or "Accept" where the residual risk is accepted.)
⚫ Almost Certain: Power Failure (UPS); Power + UPS Failure (Accept)
⚫ Likely: Hard Disk Crash (Backup)
⚫ Possible: Intrusion (IDS); Fire (FD)
⚫ Unlikely: Frauds (Access); Flood (Accept)
⚫ Rare: Virus (AV); Tornado (Accept); Earthquake (Accept)
Comparing the two profiles shows what each control buys: anti-virus moves Virus from Likely to Rare, fire detection moves Fire from Almost Certain to Possible, and a UPS leaves Power Failure itself Almost Certain while reducing its consequence, with the residual "Power + UPS Failure" scenario accepted.
Risk Response – Typical Options
Response Implies
Tolerate Accept
Terminate Avoid
Transfer Share / Transfer
Treat Mitigate / Control
Turn back Ignore
STEP 1: SYSTEM CHARACTERIZATION
⚫ define the scope of the effort
⚪ the boundaries of the IT system are identified, along with
the resources and the information that constitute the
system.
⚫ Characterizing an IT system
⚪ establishes the scope of the risk assessment effort
⚪ Explains the operational authorization, boundaries, and
provides information (e.g., hardware, software, system
connectivity, and responsible division or support personnel)
essential to defining the risk.
System-Related Information
⚫ Full descriptive name of the information system including
associated acronym;
⚫ Unique information system identifier (typically a number or code);
⚫ Location of the information system and environment in which
the system operates;
⚫ Hardware
⚫ Software-System and applications software resident on the
information system;
⚫ System interfaces (e.g., internal and external connectivity)
⚫ Version or release number of the information system;
⚫ Persons who support and use the IT system
⚫ System mission (e.g., the processes performed by the
IT system)
⚫ System and data criticality (e.g., the system’s value or
importance to an organization)
⚫ System and data sensitivity
⚫ The functional requirements of the IT system
⚫ Users of the system
⚫ Current network topology
⚫ Information system owner.
⚫ Interconnected information systems and identifiers for
those systems;
⚫ Technical controls used for the IT system
⚫ Management controls used for the IT system
⚫ Operational controls used for the IT system
⚫ Physical security environment of the IT system
⚫ Environmental security implemented for the IT
system processing environment
Information-Gathering Techniques
⚫ Questionnaire
⚫ On-site Interviews
⚫ Document Review
⚫ Use of Automated Scanning Tool
Output from Step 1
Characterization of the IT system assessed, a
good picture of the IT system environment,
and delineation of system boundary
STEP 2: THREAT IDENTIFICATION
⚫ Threat: The potential for a threat source to exercise
(accidentally trigger or intentionally exploit) a
specific vulnerability.
⚫ Threat-Source: Either (1) intent and method
targeted at the intentional exploitation of a
vulnerability or (2) a situation and method that may
accidentally trigger a vulnerability
⚫ Threat-Source Identification
⚪ Natural Threats
⚪ Human Threats
⚪ Environmental Threats
Types of cyber adversaries
⚫ Hacktivist
⚫ State sponsored (North Korea, Russia and China)
⚫ Internal threats
⚫ Cyber criminals
Motivation and Threat Actions
⚫ Hacker, cracker
⚪ Motivation: Challenge; Ego; Rebellion
⚪ Threat actions: Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access
⚫ Computer criminal
⚪ Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
⚪ Threat actions: Computer crime (e.g., cyber stalking); Fraudulent act (e.g., replay, impersonation, interception); Information bribery; Spoofing; System intrusion
⚫ Terrorist
⚪ Motivation: Blackmail; Destruction; Exploitation; Revenge
⚪ Threat actions: Bomb/Terrorism; Information warfare; System attack (e.g., distributed denial of service); System penetration; System tampering
⚫ Industrial espionage (companies, foreign governments, other government interests)
⚪ Motivation: Competitive advantage; Economic espionage
⚪ Threat actions: Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access (access to classified, proprietary, and/or technology-related information)
⚫ Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
⚪ Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error)
⚪ Threat actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code (e.g., virus, logic bomb, Trojan horse); Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access
Output from Step 2
A threat statement containing a list of
threat-sources that could exploit system
vulnerabilities
STEP 3: VULNERABILITY IDENTIFICATION
Vulnerability: A flaw or weakness in system
security procedures, design, implementation, or
internal controls that could be exercised
(accidentally triggered or intentionally exploited)
and result in a security breach or a violation of the
system’s security policy.
Vulnerability / Threat-Source / Threat Action pairs
⚫ Vulnerability: Terminated employees' system identifiers (IDs) are not removed from the system
⚪ Threat-source: Terminated employees
⚪ Threat action: Dialing into the company's network and accessing company proprietary data
⚫ Vulnerability: Company firewall allows inbound telnet, and the guest ID is enabled on the XYZ server
⚪ Threat-source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
⚪ Threat action: Using telnet to the XYZ server and browsing system files with the guest ID
⚫ Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
⚪ Threat-source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
⚪ Threat action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities
⚫ Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
⚪ Threat-source: Fire, negligent persons
⚪ Threat action: Water sprinklers being turned on in the data center
Vulnerability Sources
⚫ Previous risk assessment documentation of the IT
system assessed
⚫ The IT system’s audit reports, system anomaly
reports, security review reports, and system test and
evaluation reports
⚫ Vulnerability lists, such as the NIST I-CAT
vulnerability database (http://icat.nist.gov)
⚫ Security advisories, such as FedCIRC and the
Department of Energy’s Computer Incident Advisory
Capability bulletins
⚫ Vendor advisories
⚫ Commercial computer incident/emergency response
teams and post lists (e.g.,SecurityFocus.com forum
mailings)
⚫ Information Assurance Vulnerability Alerts and
bulletins for military systems
⚫ System software security analyses.
System Security Testing
⚫ used to identify system vulnerabilities efficiently,
depending on the criticality of the IT system and
available resources
⚫ Test methods include
• Automated vulnerability scanning tool
• Security test and evaluation (ST&E)
• Penetration testing
Development of Security Requirements Checklist
⚫ Management Security
⚪ Assignment of responsibilities
⚪ Continuity of support
⚪ Incident response capability
⚪ Periodic review of security controls
⚪ Personnel clearance and background investigations
⚪ Risk assessment
⚪ Security and technical training
⚪ Separation of duties
⚪ System authorization and reauthorization
⚪ System or application security plan
⚫ Operational Security
⚪ Control of air-borne contaminants (smoke, dust, chemicals)
⚪ Controls to ensure the quality of the electrical power supply
⚪ Data media access and disposal
⚪ External data distribution and labeling
⚪ Facility protection (e.g., computer room, data center, office)
⚪ Humidity control
⚪ Temperature control
⚪ Workstations, laptops, and stand-alone personal computers
⚫ Technical Security
⚪ Communications (e.g., dial-in, system interconnection, routers)
⚪ Cryptography
⚪ Discretionary access control
⚪ Identification and authentication
⚪ Intrusion detection
⚪ Object reuse
⚪ System audit
⚫ government regulatory and security directives and
sources applicable to the IT system processing
environment
⚪ Computer Security Act (CSA) of 1987
⚪ Federal Information Processing Standards Publications
⚪ OMB November 2000 Circular A-130
⚪ Privacy Act of 1974
⚪ System security plan of the IT system assessed
⚪ The organization’s security policies, guidelines, and standards
⚪ Industry practices.
Output from Step 3
A list of the system vulnerabilities
(observations) that could be exercised by
the potential threat-sources
STEP 4: CONTROL ANALYSIS
⚫ analyze the controls that have been implemented, or
are planned for implementation, by the organization
to minimize or eliminate the likelihood (or
probability) of a threat’s exercising a system
vulnerability.
Control Methods
⚫ encompass the use of technical and nontechnical
methods
⚪ Technical controls are safeguards that are incorporated
into computer hardware, software, or firmware
⚪ Nontechnical controls are management and operational
controls, such as security policies; operational
procedures; and personnel, physical, and environmental
security.
Control Categories
⚫ Preventive controls inhibit attempts to violate
security policy and include such controls as access
control enforcement, encryption, and authentication.
⚫ Detective controls warn of violations or attempted
violations of security policy and include such
controls as audit trails, intrusion detection methods,
and checksums.
Control Analysis Technique
⚫ development of a security requirements checklist or
use of an available checklist will be helpful in
analyzing controls in an efficient and systematic
manner.
Output from Step 4
List of current or planned controls used for
the IT system to mitigate the likelihood of a
vulnerability’s being exercised and reduce
the impact of such an adverse event
STEP 5: LIKELIHOOD DETERMINATION
⚫ indicates the probability that a potential
vulnerability may be exercised within the construct
of the associated threat environment
⚫ governing factors
⚪ Threat-source motivation and capability
⚪ Nature of the vulnerability
⚪ Existence and effectiveness of current controls
Likelihood Definitions
⚫ High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
⚫ Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
⚫ Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Likelihood of Threat Event Initiation (adversarial threats; adapted from SP 800-30 Rev. 1, Appendix G)
⚫ 1 – Very high: Adversary is almost certain to initiate the threat event.
⚫ 2 – High: Adversary is highly likely to initiate the threat event.
⚫ 3 – Moderate: Adversary is somewhat likely to initiate the threat event.
⚫ 4 – Low: Adversary is unlikely to initiate the threat event.
⚫ 5 – Very low: Adversary is highly unlikely to initiate the threat event.
Likelihood of Threat Event Occurrence (non-adversarial threats)
⚫ 1 – Very high: Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.
⚫ 2 – High: Error, accident, or act of nature is highly likely to occur; or occurs between 10 and 100 times a year.
⚫ 3 – Moderate: Error, accident, or act of nature is somewhat likely to occur; or occurs between 1 and 10 times a year.
⚫ 4 – Low: Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
⚫ 5 – Very low: Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
Note that these two scales number Very high as 1 and Very low as 5, the reverse of the 1 (Negligible) to 5 (Very High) ratings used in the Likelihood Criteria and the risk matrices that follow; do not mix the two numberings when multiplying likelihood by impact.
Likelihood Criteria
⚫ Very High (5)
⚪ Incident occurred in last 1 year OR multiple incidents in last 2 years
⚪ Expected to occur in most circumstances; more than 75% chance of occurring
⚪ Impacting factors outside control of organization
⚫ High (4)
⚪ Incident occurred in last 2 years OR multiple incidents in last 3 years
⚪ Will probably occur in most circumstances; 50–75% chance of occurring
⚪ Impacting factors outside control of organization
⚫ Medium (3)
⚪ Incident occurred in last 3 years OR multiple incidents in last 5 years
⚪ Might occur at some time; 25–50% chance of occurring
⚪ Previous audits/reports indicate non-compliance
⚪ Impacting factors outside control of organization
⚫ Low (2)
⚪ Incident occurred in last 5 years OR multiple incidents in last 7 years
⚪ Could occur at some time; less than 25% chance of occurring
⚫ Negligible (1)
⚪ No incident occurred in last 5 years
⚪ May only occur in exceptional circumstances; simple process
⚪ No previous incidence of non-compliance
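The incident-history part of the Likelihood Criteria above ("incident in the last N years OR multiple incidents in the last M years") is mechanical enough to compute from an incident log. The following is an added example, not code from the slides or from NIST: the incident dates are constructed, and evaluating the criteria from Very High downward and taking the first match is an assumption about precedence that the table itself does not state. The percentage-chance and audit-finding criteria in the table are judgement calls and are deliberately not encoded here.

```python
"""Likelihood rating from incident history, per the slides' Likelihood Criteria
table. Added example: dates are constructed; top-down precedence is assumed."""

from datetime import date
from typing import Dict, Iterable, List, Tuple

# (rating, name, window in years for a single incident, window for multiple incidents)
CRITERIA = (
    (5, "Very High", 1, 2),
    (4, "High", 2, 3),
    (3, "Medium", 3, 5),
    (2, "Low", 5, 7),
)


def years_before(as_of: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:
        return as_of.replace(year=as_of.year - years, day=28)


def incidents_within(incidents: Iterable[date], as_of: date, years: int) -> int:
    """Count incidents dated in [as_of - years, as_of]. Entries dated after
    as_of (clock skew, bad data entry) are ignored rather than counted."""
    cutoff = years_before(as_of, years)
    return sum(1 for d in incidents if cutoff <= d <= as_of)


def likelihood(incidents: List[date], as_of: date) -> Tuple[int, str]:
    """Return (rating, name). The highest criterion satisfied wins; a history
    with no incident in five years and no two in seven is Negligible."""
    for rating, name, single, multiple in CRITERIA:
        if (incidents_within(incidents, as_of, single) >= 1
                or incidents_within(incidents, as_of, multiple) >= 2):
            return rating, name
    return 1, "Negligible"


# Constructed incident history per risk scenario (illustrative, not real data).
HISTORY: Dict[str, List[date]] = {
    "Phishing credential theft": [date(2024, 1, 15), date(2023, 9, 2)],
    "Hard disk crash": [date(2022, 9, 1)],
    "Flood": [date(2020, 1, 1)],
    "Earthquake": [],
}


def rate_all(history: Dict[str, List[date]], as_of: date) -> Dict[str, Tuple[int, str]]:
    """Likelihood rating for every scenario in the register."""
    return {scenario: likelihood(dates, as_of) for scenario, dates in history.items()}


if __name__ == "__main__":
    for scenario, (rating, name) in rate_all(HISTORY, date(2024, 6, 30)).items():
        print(f"{scenario:<28} {rating} {name}")
```

With the constructed history and an assessment date of 30 June 2024, phishing rates Very High (an incident inside the last year), the disk crash High (one incident inside two years), the flood Low (one incident inside five years) and the earthquake Negligible. The assessment date is passed in explicitly rather than read from the clock so that a re-run of last year's assessment reproduces last year's ratings.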
STEP 6: IMPACT ANALYSIS
⚫ to determine the adverse impact resulting from
a successful threat exercise of a vulnerability
⚪ Consequences may be expressed in terms of:
Monetary
Technical
Operational
Human impact criteria
Magnitude of Impact Definitions
⚫ High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
⚫ Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
⚫ Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.
IMPACT
⚫ Very High (5)
⚪ Serious financial loss (5% or more) OR serious effect on reputation with more than one client
⚪ Financial/reputation/customer experience related impact: contains customer/employee sensitive personal identifiable information (PII): credit/debit card details; financial transactions; name, address, telephone number, date and place of birth; parental information; employment and educational information; salary information; UID, passport details etc.; impact on 1% of monthly revenues
⚪ Contractual, legal and regulatory impact: very high penalties (up to 50 Crores), revocation of license etc.
⚪ Information which is vital to the success of the organization or its products and can provide the organization with a significant competitive edge: information about new products/services to be launched in the market etc.
⚫ High (4)
⚪ Moderate financial loss (2–5%) / moderate effect on reputation related to not more than one client OR impact to the organization's culture or the strategic initiatives at not more than one location
⚪ Financial/reputation/customer experience related impact: personal information not rated as confidential (e.g., name and address of customer); personal information if not combined with personal data; OR less than 1% impact on revenues
⚪ Contractual, legal and regulatory impact: penalties due to non-compliance with legal/regulatory/contractual requirements
⚪ Information which is vital to the success of the organization or its products and can provide it with a significant competitive edge: contains information about products available in the market, but also product information which should be known only to authorized employees in the organization
⚫ Medium (3)
⚪ Low financial loss (0.5–2%) / no effect on reputation of the organization OR no impact on the organization's culture or the strategic initiatives
⚪ Contractual, legal and regulatory impact: no penalties, but a legal/regulatory/contractual requirement applies
⚫ Lowest level (unnumbered)
⚪ No financial loss (<=0.5%) / no effect on reputation of the organization OR no impact on the organization's culture or the strategic initiatives
⚪ Financial/reputation/customer experience related impact: no personal information or other information of a personal or customer nature OR no revenue loss
Output from Step 6
Magnitude of impact (High, Medium, or Low)
STEP 7: RISK DETERMINATION
⚫ to assess the level of risk to the IT system
⚫ The determination of risk for a particular
threat/vulnerability pair can be expressed as a
function of
⚪ The likelihood of a given threat-source’s attempting to
exercise a given vulnerability
⚪ The magnitude of the impact should a threat-source
successfully exercise the vulnerability
⚪ The adequacy of planned or existing security controls for
reducing or eliminating risk.
Risk-Level Matrix
⚫ The final determination of mission risk is derived by
multiplying the ratings assigned for threat likelihood
(e.g., probability) and threat impact
Risk Prioritization (Impact vs Likelihood)
⚫ High impact, low probability: Medium Risk – Share
⚫ High impact, high probability: High Risk – Mitigate & Control
⚫ Low impact, low probability: Low Risk – Accept
⚫ Low impact, high probability: Medium Risk – Control
Risk-Level Matrix (threat likelihood rating x impact rating)
Threat Likelihood | Impact Low (10) | Impact Medium (50) | Impact High (100)
High (1.0) | Low: 10 x 1.0 = 10 | Medium: 50 x 1.0 = 50 | High: 100 x 1.0 = 100
Medium (0.5) | Low: 10 x 0.5 = 5 | Medium: 50 x 0.5 = 25 | Medium: 100 x 0.5 = 50
Low (0.1) | Low: 10 x 0.1 = 1 | Low: 50 x 0.1 = 5 | Low: 100 x 0.1 = 10
Risk scale used to label the cells: High (above 50 to 100); Medium (above 10 to 50); Low (1 to 10)
Risk (5x5 matrix: impact rating x likelihood rating)
Impact \ Likelihood | 1-Negligible | 2-Low | 3-Medium | 4-High | 5-Very High
5-Very High | Low (5) | Medium (10) | High (15) | Very High (20) | Very High (25)
4-High | Low (4) | Medium (8) | High (12) | High (16) | Very High (20)
3-Medium | Low (3) | Medium (6) | Medium (9) | High (12) | High (15)
2-Low | Negligible (2) | Low (4) | Medium (6) | Medium (8) | Medium (10)
1-Negligible | Negligible (1) | Negligible (2) | Low (3) | Low (4) | Low (5)
Score bands, as labelled in the cells above (the product of two 1–5 ratings can only be 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20 or 25, so the bands cover every reachable score):
5-Very High: 20–25
4-High: 12–16
3-Medium: 6–10
2-Low: 3–5
1-Negligible: 1–2
Risk Map / Heat Map (likelihood rating x consequence rating)
Likelihood \ Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophe (5)
Almost Certain (5) | 5 | 10 | 15 | 20 | 25
Likely (4) | 4 | 8 | 12 | 16 | 20
Possible (3) | 3 | 6 | 9 | 12 | 15
Unlikely (2) | 2 | 4 | 6 | 8 | 10
Rare (1) | 1 | 2 | 3 | 4 | 5
Risk Heat Map (L = Low Risk, M = Moderate Risk, H = High Risk, E = Extreme Risk)
Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophe
Almost Certain | H | H | E | E | E
Likely | M | H | H | E | E
Possible | L | M | H | E | E
Unlikely | L | L | M | H | E
Rare | L | L | M | H | H
Description of Risk Level
⚫ This risk scale, with its ratings of High, Medium, and
Low, represents the degree or level of risk to which
an IT system, facility, or procedure might be exposed
if a given vulnerability were exercised.
⚫ Presents actions that senior management, the
mission owners, must take for each risk level.
Risk Scale and Necessary Actions
Risk Level Risk Description and Necessary Actions
High If an observation or finding is evaluated as a high risk, there is a
strong need for corrective measures. An existing system may
continue to operate, but a corrective action plan must be put in
place as soon as possible.
Medium If an observation is rated as medium risk, corrective actions are
needed and a plan must be developed to incorporate these
actions within a reasonable period of time.
Low If an observation is described as low risk, the system’s DAA
(Designated Approving Authority) must determine whether corrective
actions are still required or decide to accept the risk.
Output from Step 7
Risk level (High, Medium, Low)
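Step 7 is where the Likelihood and Impact ratings from Steps 5 and 6 are combined, and it is also where the inherent and current risk profiles shown earlier in the deck are produced. The following is an added worked example, not code from the slides or from NIST SP 800-30: it scores a constructed risk register with the deck's 5x5 matrix, bands the product as the matrix cells are labelled, credits each control with a number of likelihood or impact levels removed (an assumption about how a control is rated; the deck only shows the before/after positions), and maps the result onto the Risk Scale and Necessary Actions above. Folding the five bands onto the three-level action scale (Very High/High, Medium, Low/Negligible) is my assumption. Scenario names and ratings are constructed to resemble the deck's examples.

```python
"""Step 7 risk determination on a constructed register (added example)."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Rating scale from the 5x5 matrix: 1 = Negligible ... 5 = Very High.
RATING = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Bands as the matrix cells are labelled; products of two 1..5 ratings can only be
# 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so these ranges cover every reachable score.
BANDS = ((1, 2, "Negligible"), (3, 5, "Low"), (6, 10, "Medium"),
         (12, 16, "High"), (20, 25, "Very High"))

# Necessary actions from the Risk Scale table; the five-to-three mapping is assumed.
ACTIONS = {
    "Very High": "corrective action plan as soon as possible",
    "High": "corrective action plan as soon as possible",
    "Medium": "corrective actions planned within a reasonable period",
    "Low": "DAA decides: corrective action or accept the risk",
    "Negligible": "DAA decides: corrective action or accept the risk",
}


def score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood rating x impact rating."""
    return RATING[likelihood] * RATING[impact]


def band(value: int) -> str:
    """Band name for a matrix cell value."""
    for lo, hi, name in BANDS:
        if lo <= value <= hi:
            return name
    raise ValueError(f"{value} is not the product of two 1..5 ratings")


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_steps: int = 0   # likelihood levels the control removes (assumed rating)
    impact_steps: int = 0       # impact levels the control removes (assumed rating)


@dataclass(frozen=True)
class Risk:
    scenario: str
    likelihood: str
    impact: str
    control: Optional[Control] = None


def _lower(level: str, steps: int) -> str:
    """Drop a rating by `steps` levels, never below Negligible."""
    names = list(RATING)
    return names[max(0, RATING[level] - 1 - steps)]


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent risk (no control credited) and current risk (control credited)."""
    inherent = score(risk.likelihood, risk.impact)
    if risk.control is None:
        cur_l, cur_i = risk.likelihood, risk.impact
    else:
        cur_l = _lower(risk.likelihood, risk.control.likelihood_steps)
        cur_i = _lower(risk.impact, risk.control.impact_steps)
    current = score(cur_l, cur_i)
    return {
        "scenario": risk.scenario,
        "inherent": (inherent, band(inherent)),
        "current": (current, band(current)),
        "action": ACTIONS[band(current)],
    }


def prioritize(register: List[Risk]) -> List[Dict[str, object]]:
    """Assessed register ordered by current risk score, highest first."""
    return sorted((assess(r) for r in register),
                  key=lambda a: a["current"][0], reverse=True)


# Constructed register modelled on the deck's scenarios; ratings are illustrative.
REGISTER = [
    Risk("Virus on user workstations", "High", "Medium", Control("Anti-virus", likelihood_steps=3)),
    Risk("Power failure", "Very High", "Medium", Control("UPS", impact_steps=2)),
    Risk("Hard disk crash", "High", "High", Control("Backups", impact_steps=2)),
    Risk("Fraud by insider", "Medium", "High", Control("Access control", likelihood_steps=1)),
    Risk("Earthquake", "Negligible", "Very High"),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        print(f"{a['scenario']:<28} inherent {a['inherent']}  current {a['current']}  -> {a['action']}")
```

Running it reproduces the pattern of the deck's two profiles: anti-virus takes the virus scenario from High (12) to Low (3) by cutting likelihood, while the UPS leaves a power failure just as likely but drops its impact, taking it from High (15) to Low (5). The two Medium residuals (disk crash and fraud, both 8) sort to the top of the current-risk list, which is the order in which corrective action plans should be drawn up. A `ValueError` from `band()` is deliberate: a score that is not a product of two ratings means a likelihood or impact value came from a different scale, which is exactly the mix-up the reversed 1-to-5 numbering earlier in the deck invites.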
STEP 8: CONTROL RECOMMENDATIONS
⚫ controls that could mitigate or eliminate the identified
risks, as appropriate to the organization’s operations, are
provided.
⚫ goal of the recommended controls is
⚪ reduce the level of risk to the IT system and its data to an acceptable
level.
⚫ factors to be considered in recommending controls
⚪ Effectiveness of recommended options (e.g., system
compatibility)
⚪ Legislation and regulation
⚪ Organizational policy
⚪ Operational impact
⚪ Safety and reliability.
Output from Step 8
Recommendation of control(s) and alternative
solutions to mitigate risk
STEP 9: RESULTS DOCUMENTATION
Output from Step 9
Risk assessment report that describes the
threats and vulnerabilities, measures the
risk, and provides recommendations for
control implementation
⚫ https://itsecurity.uiowa.edu/resources/everyone/det
ermining-risk-levels
⚫ https://www.thesslstore.com/blog/cyber-risk-assess
ment/