Introduction to exercises

Experiment with assets, vulnerabilities, and consequences.

Why these exercises matter

Risks are easier to understand when you see them concretely. These exercises help teams connect assets to threats to impacts, turning vague concerns into specific risks that can be prioritised and addressed.

How to use this set

Work through the exercises in order: What matters → What could break it → How likely, how bad → What you can do → Bringing it together → Building your risk register.

  • Focus on practical outputs, not theory.

  • Collaborate and discuss: different perspectives reveal hidden risks.

  • Keep it simple: use one sheet, one card, or one diagram per exercise.

Outcome

By the end of this series, you will have:

  • Clear asset inventory

  • Identified vulnerabilities

  • Assessed likelihood and impact

  • Prioritised risks

  • Defined treatment options

  • A lightweight, actionable risk register

This is a toolkit for hands-on exploration, not a manual. Iterate, adapt, and learn from what unfolds.
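The series ends with a risk register, so here is a minimal working one as an added example (it is not part of the original exercise set). It uses the chain the exercises follow: asset, vulnerability, consequence, likelihood, impact, score, treatment. The five-point likelihood and impact scales, the 1 to 25 score, the treatment thresholds and the sample risks are all assumptions constructed for the illustration, not values from the page.

```python
from dataclasses import dataclass

# Assumed five-point scales; adjust the labels to the wording your team uses.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the register: asset -> vulnerability -> consequence, rated."""
    asset: str
    vulnerability: str
    consequence: str
    likelihood: str
    impact: str
    treatment: str = ""

    def __post_init__(self):
        # Reject ratings outside the agreed scales so the register stays comparable.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    @property
    def score(self) -> int:
        # Likelihood x impact on a 1..25 scale (assumed scoring model).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def suggest_treatment(score: int, appetite: int = 6) -> str:
    """Map a score to a treatment option. Thresholds are assumed, not prescribed."""
    if score >= 15:
        return "mitigate now"
    if score > appetite:
        return "plan mitigation or transfer"
    return "accept and monitor"


def build_register(risks: list[Risk], appetite: int = 6) -> list[Risk]:
    """Prioritise highest score first (impact breaks ties) and attach a treatment."""
    ordered = sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)
    for risk in ordered:
        risk.treatment = suggest_treatment(risk.score, appetite)
    return ordered


def render(register: list[Risk]) -> str:
    """Plain-text table, one line per risk, for a 'one sheet per exercise' workflow."""
    lines = [f"{'#':>2}  {'score':>5}  {'asset':<20} {'vulnerability':<28} treatment"]
    for i, r in enumerate(register, 1):
        lines.append(f"{i:>2}  {r.score:>5}  {r.asset:<20} {r.vulnerability:<28} {r.treatment}")
    return "\n".join(lines)


# Constructed sample risks for a small office; none of these describe a real system.
SAMPLE_RISKS = [
    Risk("customer database", "unpatched database server", "data breach and fines", "likely", "severe"),
    Risk("office Wi-Fi", "shared password never rotated", "unauthorised network access", "possible", "moderate"),
    Risk("staff laptops", "no disk encryption", "lost laptop exposes files", "possible", "major"),
    Risk("marketing website", "outdated CMS plugin", "site defacement", "likely", "minor"),
    Risk("visitor log", "paper log left at reception", "visitor names disclosed", "unlikely", "negligible"),
]

if __name__ == "__main__":
    print(render(build_register(SAMPLE_RISKS)))
```

Changing `appetite` is the one knob a team should agree on before the exercise: it is the score at or below which a risk is consciously accepted rather than worked on, and lowering it pushes more rows into the "plan" band.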

Examples

  • ISO 27001 risk assessment provides the structured approach for information security management systems.

  • NIS2 compliance requires understanding risks specific to essential and important entities in critical sectors.