Use the same table as for data protection. Evaluate risks according to the severity of damage (management can handle that well) and the likelihood of occurrence (this is where IT expertise is needed). Initially, work with three levels (low - medium - high). For the highest-rated risks, consider whether you want to bear the risk or what you are willing to invest to reduce the risk.
A cybersecurity risk analysis identifies and evaluates risks to cybersecurity. Since every processing activity of information potentially carries cybersecurity risks, a register of processing activities (e.g., created for data protection purposes) gives you a good overview of potential risks. Then identify the processed information (such as customer data, production data, etc.) and the IT systems used for processing (Office, ERP system, website, and so forth).
To assess possible damage, categorize the processed information according to the criticality of the protection need (e.g., a business secret would have very high confidentiality, customers' bank account data would have high integrity) – three levels are sufficient for starters (normal - high - very high). To assess the likelihood of occurrence, work with an IT expert who estimates how easily an attacker could successfully attack the information through the IT systems used. Again, a three-level classification is initially sufficient (unlikely - possible - likely).
Now combine the assessments in a risk matrix to easily capture the major risks at a glance. Next, define your risk acceptance level: all risks "smaller" than this level are acceptable for the company; all risks "greater" than this level require treatment – usually through risk mitigation measures.
As time goes on, you can refine the evaluation criteria, for example, by incorporating actual statistical data on hacker attacks and monetary damages or considering qualitative aspects such as the motivation or number of potential attackers.
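The three-level scheme described above, worked through in code as an added example (not part of the original page): the matrix cell values and the sample register entries are assumptions, since the text leaves both to the individual company.

```python
from dataclasses import dataclass

# Ordinal scales from the text; a higher index means more severe / more likely.
PROTECTION_NEED = {"normal": 0, "high": 1, "very high": 2}   # management's input
LIKELIHOOD = {"unlikely": 0, "possible": 1, "likely": 2}     # IT expert's input
RISK = ["low", "medium", "high"]

# Assumed 3x3 risk matrix (rows: protection need, columns: likelihood).
# The page leaves the cell values to the company; this is one common choice.
RISK_MATRIX = [
    ["low",    "low",    "medium"],   # normal
    ["low",    "medium", "high"],     # high
    ["medium", "high",   "high"],     # very high
]

@dataclass(frozen=True)
class ProcessingActivity:
    name: str             # entry from the register of processing activities
    information: str      # what is processed (customer data, production data, ...)
    system: str           # IT system used for processing (Office, ERP, website, ...)
    protection_need: str  # normal | high | very high
    likelihood: str       # unlikely | possible | likely

def risk_level(protection_need: str, likelihood: str) -> str:
    """Combine severity and likelihood via the matrix."""
    return RISK_MATRIX[PROTECTION_NEED[protection_need]][LIKELIHOOD[likelihood]]

def needs_treatment(level: str, acceptance_level: str) -> bool:
    """Risks strictly 'greater' than the acceptance level require treatment."""
    return RISK.index(level) > RISK.index(acceptance_level)

def assess(register, acceptance_level: str):
    """Return (activity, risk level, treat?) tuples, highest risk first."""
    rows = [(a, risk_level(a.protection_need, a.likelihood)) for a in register]
    rows = [(a, lvl, needs_treatment(lvl, acceptance_level)) for a, lvl in rows]
    rows.sort(key=lambda r: RISK.index(r[1]), reverse=True)  # stable sort
    return rows

# Constructed sample register (illustrative values, not taken from the page).
SAMPLE_REGISTER = [
    ProcessingActivity("Order processing", "customer bank data", "ERP system", "high", "possible"),
    ProcessingActivity("Product development", "business secret", "file server", "very high", "possible"),
    ProcessingActivity("Newsletter", "email addresses", "website", "normal", "likely"),
    ProcessingActivity("Payroll", "employee salary data", "Office", "high", "unlikely"),
]

if __name__ == "__main__":
    for a, level, treat in assess(SAMPLE_REGISTER, acceptance_level="medium"):
        print(f"{level:6} {'TREAT ' if treat else 'accept'} {a.name}: {a.information} via {a.system}")
```

Lowering the acceptance level to "low" moves every medium risk into the treatment list, which is how the threshold expresses how much risk the company is willing to bear.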
Contact person
Dr. Katrin Sobania
Director Department for Information and Communication Technology | E-Government | Postal Services | IT Security