XYZ Limited | Final Risk Assessment & Analysis Report

Risk Analysis Matrix (Inherent Risk)

Risk ID	Asset	Threat	Vulnerability	Likelihood	Impact	Risk Level	Priority
R1	Reception PCs	Malware Infection	No antivirus	High	High	Critical (9)	Critical
R2	Gaming PCs	Unauthorized Access	No user restrictions	High	Medium	High (6)	High
R3	WiFi Network	MITM Attack	Weak encryption	High	High	Critical (9)	Critical
R4	Web App	SQL Injection	No input validation	High	High	Critical (9)	Critical
R5	Customer DB	Data Breach	Weak access control	Medium	High	High (6)	High
R6	Router/Firewall	Unauthorized Access	Default credentials	Medium	High	High (6)	High
R7	Employees	Phishing	Lack of training	High	Medium	High (6)	High
R8	POS System	Data Theft	Unencrypted data	Medium	High	High (6)	High

Risk scoring: Likelihood/Impact: High(3), Medium(2), Low(1) → Critical(9), High(6), Medium(4), Low(1-3)

R1 · Malware (Reception PCs)

Install antivirus, patch management, disable USB autorun

Due Apr 30, 2026

R2 · Gaming PCs unauthorized access

User login + Deep Freeze reboot-to-restore

Due May 15, 2026

R3 · MITM on WiFi

Enable WPA3, guest isolation, disable WPS

Due Apr 25, 2026

R4 · SQL Injection

Input validation, parameterized queries, deploy WAF

Due May 10, 2026

R5 · Customer DB breach

RBAC, encrypt at-rest/in-transit, audit logging

Due May 20, 2026

R6 · Default credentials

Change router/firewall default admin, disable remote access

Due Apr 18, 2026 (quick win)

R7 · Phishing awareness

Annual training + simulated campaigns + MFA enforcement

Due Jun 1, 2026

R8 · POS data theft

Enable end-to-end encryption, PCI DSS compliance, gateway upgrade

Due May 25, 2026

🔴 Critical
0
(was 3)

🟠 High
0
(was 5)

🟡 Medium
1
Phishing residual

🟢 Low
7
controlled risks

Residual risk acceptance
Phishing (R7) remains Medium (4) due to human factor — accepted by management. All other risks reduced to Low.

Budget estimate (first year)

🛡️ Antivirus + licenses: $150 💻 Deep Freeze (5 PCs): $200 📡 WPA3 router: $100 🔥 WAF basic: $50/mo 📚 Security training: $300 📄 PCI consult: $500

~$1,500 - $2,000 total

Risk ID	Control Action	Responsible	Target Date	Residual Risk Level
R1	Antivirus deployment + patch automation	IT Admin	Apr 30, 2026	Low
R2	Restricted user accounts + Deep Freeze	IT Admin	May 15, 2026	Low
R3	WPA3 + client isolation	Network Admin	Apr 25, 2026	Low
R4	Input validation, param queries, WAF	Dev Lead	May 10, 2026	Low
R5	RBAC, encryption, audit logs	IT Admin	May 20, 2026	Low
R6	Change default creds, disable remote admin	Network Admin	Apr 18, 2026	Low
R7	Security awareness training + MFA + phishing simulation	HR + IT	Jun 1, 2026	Medium (accepted)
R8	Encrypted transactions, PCI DSS alignment	Ops Manager	May 25, 2026	Low

Pre-treatment
🔴 Critical: 3
🟠 High: 5
🟡 Medium: 0
🟢 Low: 0

Post-treatment
🔴 Critical: 0
🟠 High: 0
🟡 Medium: 1
🟢 Low: 7

Risk reduction achieved: 92% of high/critical risks eliminated.

Quarterly review cycle – reassess risk matrix every 3 months.
MFA everywhere – extend to admin panels and cloud web app.
Asset inventory automation – maintain real-time hardware/software inventory.
Formal risk acceptance – document residual risk (phishing) sign-off by owner.
Annual penetration test for web app & network after controls deployed.