Risk analysis and assessment turns the list of identified risks into a realistic economic evaluation of their possible consequences, together with a quantification of the cost of implementing the measures needed to eliminate each risk. At this stage a variety of approaches is available, and the organisation should choose its own optimal compromise between complex calculation and simple estimation. Organisations covered by the Cybersecurity Act have a directly defined risk analysis methodology. For example, by realistically estimating the likelihood of a threat materialising, a risk rate matrix for assets can be constructed and the level of each risk estimated.
Based on the risk level, the organisation then decides whether the risk is acceptable or requires the application of measures. Risk treatment also includes evaluating the requirements for applying measures and comparing them with the level of risk and the possible consequences for the organisation, with emphasis on the more likely threats. For each risk, the organisation makes a conscious and objective choice: it accepts the risk, avoids it by applying measures, or transfers it to a third party.
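The risk rate matrix and treatment decision described above, as an added Python example; this is not WebArat's own code or methodology, and the 1-5 scales, the level thresholds and the sample register are assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales; the page says category levels are modifiable,
# so a real deployment would load these from configuration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Risk rate matrix bands: (lower bound of likelihood*impact, level name), assumed
LEVELS = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    expected_loss: float   # realistic economic estimate of the consequences
    measure_cost: float    # cost of the measures needed to eliminate the risk
    transferable: bool     # can the risk be handed to a third party (e.g. insured)?


def risk_score(likelihood: str, impact: str) -> int:
    """Cell of the risk rate matrix for one likelihood/impact pair."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    for bound, name in LEVELS:
        if score >= bound:
            return name
    raise ValueError(f"score out of range: {score}")


def treat(risk: Risk, acceptable_score: int) -> tuple[int, str, str]:
    """Return (score, level, decision): accept, apply measures or transfer."""
    score = risk_score(risk.likelihood, risk.impact)
    level = risk_level(score)
    if score <= acceptable_score:
        return score, level, "accept"            # within the acceptable level of risk
    if risk.measure_cost <= risk.expected_loss:
        return score, level, "apply measures"    # measures cost less than the consequences
    if risk.transferable:
        return score, level, "transfer"          # cheaper to hand to a third party
    return score, level, "accept (management decision)"  # conscious, documented acceptance


# Constructed sample register, not real data
REGISTER = [
    Risk("customer DB", "SQL injection", "likely", "severe", 400_000, 30_000, False),
    Risk("office printer", "paper jam outage", "almost certain", "negligible", 500, 2_000, False),
    Risk("payment gateway", "DDoS", "possible", "major", 50_000, 120_000, True),
    Risk("legacy HMI", "firmware exploit", "unlikely", "severe", 80_000, 250_000, False),
]


def treatment_plan(acceptable_score: int = 6) -> dict[str, str]:
    """Risk management plan: one treatment decision per asset."""
    return {r.asset: treat(r, acceptable_score)[2] for r in REGISTER}
```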
The main elements of the WebArat risk analysis system:
- Customer-driven risk analysis methodology
- Acceptable level of risk
- Risk management plan
- Modifiable levels of categories and their calculations
- Automated, semi-automated or manual risk analysis