How Modern Security Risk Assessment Evolved: Key Features and Practical Insights
This article examines the expanded scope, updated standards, and practical workflow of security risk assessment in today's regulatory environment, offering detailed guidance on assessment criteria, target objects, methodologies, organizational steps, and decision‑making for effective risk management.
1. Characteristics of Security Risk Assessment in the New Situation
Changes in internal and external requirements have broadened risk assessment in several dimensions.
1.1 Expansion of Assessment Basis
Standards have been updated, such as GB/T 20984 (information security risk assessment method) and GB/T 31722 / ISO/IEC 27005 (information security risk management). Regulatory notices and governance actions now require self‑assessment, e.g., network security supervision notices, APP governance actions, and related official announcements. New laws, including the Cybersecurity Law, Data Security Law, Personal Information Protection Law, Data Export Security Assessment Measures, Algorithm Recommendation Management Regulations, Cybersecurity Review Measures, and provisional regulations on automotive data security, also impose specific assessment requirements. Additionally, security incidents, news reports, and penalties provide new reference points for assessment.
1.2 Expansion of Assessment Objects
Beyond traditional assets like hosts, networks, and systems, assessments now cover other dimensions: APP privacy compliance, data security assessments, personal information impact assessments, as well as organizational compliance, system‑level, and management evaluations.
1.3 Expansion of Assessment Concepts
Traditional assessments focus on confidentiality, integrity, and availability. Modern assessments also consider data lifecycle risks (collection, storage, use, transmission, sharing, destruction), personal information impact assessment (PIA), and technology ethics such as algorithmic fairness, automated decision‑making, and user rights.
1.4 Expansion of Assessment Demand
Assessment requests increasingly originate from non‑security departments, partners (e.g., data sharing, supply‑chain security), specific incident reviews, and compliance needs, especially concerning data processing and personal information protection.
2. Organization and Practice of Risk Assessment
The assessment process can be divided into four stages: task analysis, resource preparation, implementation, and risk management.
2.1 Task Analysis
Identify the originating department and its risk focus, then define the scope, objectives, and applicable assessment criteria.
2.2 Preparation of Resources
Form a multidisciplinary team (information security, legal, product) and select appropriate tools—automated solutions for mature domains or customized questionnaires for emerging areas. Determine the assessment timeline to balance thoroughness with resource constraints.
2.3 Implementation
Execute the assessment following a project‑management‑like approach, allowing flexible adjustments based on findings and assessment type.
2.4 Risk Management
Assessment results feed into risk evaluation and decision‑making. Evaluation considers both standards and real‑world incidents; decisions are made by responsible owners, with escalation when consensus cannot be reached.
3. Risk Assessment Loop and Decision
Effective risk management requires closing the assessment loop and making informed decisions.
3.1 Assessment Loop
For simple outcomes, apply corrective actions, supplement missing controls, and update technical measures, management policies, and processes. For complex environments, follow the principle of proportional protection, weigh resource dependencies, and align with long‑term technical roadmaps.
Continuous monitoring of remediation results and root‑cause analysis drives security improvement. Optimizing assessment methods—balancing flexibility with standardization—and integrating automation or semi‑automation enhances resource efficiency.
3.2 Influence of Dynamic External Environment on Decision‑Making
Decision‑making must account for external changes: new or revised laws (e.g., Cybersecurity Law, Data Security Law, Personal Information Protection Law) and subsequent departmental rules; updated regulatory notices and inspection requirements; and real‑world security incidents that provide persuasive evidence for management.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.