From protection goal to strategy
The starting point for any risk management is solid knowledge of the value-adding processes and the associated corporate assets (the object under consideration). Only when these have been identified and structured can protection goals be derived that cover the group of confidentiality, integrity and availability (CIA). Evaluating a risk also includes selecting suitable scales for the defined protection goals.
Relevant scales can be, for example, the severity and exposure of facilities, systems or processes. Once the possible influences on the object have been defined, concrete attack vectors can be highlighted and evaluated, for example from the point of view of cybersecurity and against the selected scales. Finally, strategies and measures for containing and mitigating the attack vectors are developed; these form the basis for targeted operational actions.