The most commonly used risk model is the mental model of the person waving their wet finger in the air. Large organizations will have teams dedicated to assessing and re-assessing risk on a regular basis. Small organizations will not lack the need to understand what risks IT faces and how those risks are reflected in the rest of the business. Dark Reading spoke with Jack Jones, Tony Martin-Vegue and Zulfikar Ramzan to get their ideas on best initial steps. We found seven steps that apply to a variety of frameworks.”]
Source: https://www.darkreading.com/application-security/7-steps-to-start-your-risk-assessment