How the Modern Threat Landscape Redefines Security Risk Assessment Practices

This article examines the evolving scope, standards, objects, concepts, and demand of security risk assessment, outlines a four‑stage assessment workflow, and discusses how to close the assessment loop and make dynamic decisions amid changing regulations and external threats.

Huolala Safety Emergency Response Center

1. Characteristics of Security Risk Assessment in the New Era

The rapid expansion of security scope and regulatory requirements has broadened risk‑assessment foundations, objects, concepts, and demand.

1.1 Expansion of Assessment Basis

Updated standards such as GB/T20984 (Information Security Risk Assessment Method) and GB/T31722/ISO/IEC 27005 (Information Security Risk Management).

Regulatory notices and governance actions requiring self‑assessment, e.g., cybersecurity supervision notices, APP governance actions, and related official announcements.

New laws and regulations including the Cybersecurity Law, Data Security Law, Personal Information Protection Law, Data Export Security Assessment Measures, Algorithm Recommendation Management Rules, Cybersecurity Review Measures, and provisional automotive data security regulations.

Security incidents, news, fines, and breach reports that introduce new evaluation criteria.

1.2 Expansion of Assessment Objects

Beyond traditional assets (hosts, networks, systems), assessments now cover product‑level privacy compliance for apps, data‑security and personal‑information impact assessments for business activities, and organizational‑level compliance, system, and management evaluations.

1.3 Expansion of Assessment Concepts

Traditional assessments focus on confidentiality, integrity, and availability. Modern assessments also consider data‑life‑cycle risks, personal‑information impact assessment (PIA), and the ethical aspects of algorithms, emphasizing fairness and the protection of user rights.

1.4 Expansion of Assessment Demand

Assessment requests increasingly originate from non‑security departments, partners (e.g., data‑sharing or supply‑chain security), specific incident retrospectives, and a growing proportion of compliance‑driven evaluations, especially around data processing and personal‑information protection.

2. Organization and Practice of Risk Assessment

The author proposes a four‑stage workflow:

Analyze Assessment Tasks: Clarify purpose, objects, and applicable standards based on the originating department's risk focus.

Prepare Resources: Form a multidisciplinary team (information‑security engineers, legal, product), select appropriate tools (automated platforms or custom spreadsheets), and schedule the assessment timeline.

Implement Assessment: Execute the plan, adapting processes as needed; for internal assessments, allow continuous risk remediation without waiting for a formal phase end.

Risk Management: Conduct risk evaluation and decision‑making, using both standard criteria and recent incident data; recommendations are submitted to the responsible owner, with escalation when consensus cannot be reached.

3. Assessment Closed Loop and Decision Making

3.1 Assessment Closed Loop

For simple outcomes, apply a "fix‑what‑is‑broken, fill‑the‑gap" approach, adding technical measures, policies, or processes. In complex environments, follow the principle of proportional protection, weigh resource dependencies, and align decisions with medium‑ to long‑term technology roadmaps.

Continuous monitoring of remediation results and root‑cause analysis is essential to improve overall security posture. The process should also evolve toward automation and semi‑automation to reduce reliance on individual expertise.

3.2 Dynamic External Environment Impact on Risk Decisions

Decision‑makers must track three external factors:

Updates to laws and regulations (e.g., new or revised Cybersecurity, Data Security, and Personal Information Protection statutes) and subsequent departmental rules or industry standards.

Regulatory notices and inspection requirements, including emerging issues highlighted in cybersecurity incident reports and annual inspection bulletins.

Real‑world security incidents that provide concrete evidence of risk impact, influencing senior‑level risk‑tolerance and mitigation choices.

Written by: Huolala Safety Emergency Response Center, the official public account of the Huolala Safety Emergency Response Center (LLSRC)