Stop the activity that creates the risk (e.g., disabling a legacy service).
Rank assets based on sensitivity (e.g., Public, Internal, Confidential, Restricted). This ensures you aren't spending $100 to protect a $10 asset. 3. Risk Assessment
Determine the Likelihood of an event and its potential Impact .