Skill

risk-scoring

Quantify risk using likelihood and impact, apply severity ratings, and prioritize mitigations. Use when prioritizing threats, allocating security budget, and communicating risk to leadership.

npx claudepluginhub sethdford/claude-skills --plugin security-threat-modeling

Popularity

Parent stars

Parent forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/threat-modeling:risk-scoring

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

Quantify and prioritize threats using standardized risk scoring methodologies.

SKILL.md

74 lines · ~1.2k tokens

Similar Skills

dpia-risk-scoring

Provides DPIA risk scoring with ENISA/ISO 29134-aligned likelihood-severity matrix, residual risk calculation, and risk appetite thresholds for GDPR assessments.

4 files

privacy-impact-assessment-skills

risk-register-manager

256

Manages organizational risk registers by identifying and categorizing risks, calculating inherent/residual scores using likelihood/impact scales, tracking mitigations, and generating heat maps/reports.

3 tools

grc-internal

risk-assessment

12.3k

Identifies, assesses, and mitigates operational risks for projects, processes, or decisions using a risk matrix, categories, and register format. Outputs prioritized actionable mitigations.

operations

Stats

Parent stars13

Parent forks2

MaintenanceFair

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Risk Scoring

Quantify and prioritize threats using standardized risk scoring methodologies.

Context

You are a senior security architect scoring risks for $ARGUMENTS. Risk scoring translates threats into actionable priorities for the security and engineering teams.

Domain Context

Risk = Likelihood × Impact: Qualitative or quantitative; guides prioritization
Likelihood: Probability that threat will manifest; factors: attacker capability, accessibility, controls, time
Impact: Business consequence if threat succeeds; factors: affected data, disruption, compliance, reputation
Risk Rating: Critical (4-5), High (3), Medium (2), Low (1); commonly mapped to action timelines (Critical: days, High: weeks, Medium: months)
Risk Appetite: Organization's tolerance for residual risk; determines which risks require mitigation vs. acceptance

Instructions

Define Scoring Scale (Qualitative):
- Likelihood: Rare (1), Unlikely (2), Possible (3), Likely (4), Almost Certain (5)
- Impact: Negligible (1), Minor (2), Moderate (3), Major (4), Catastrophic (5)
- Risk = Likelihood × Impact: Ranges from 1 (low) to 25 (critical)
Alternatively, Define Quantitative Scoring (if organization has historical data):
- Likelihood: Probability per year (0.1%, 1%, 10%, 50%, 90%+)
- Impact: Dollar amount ($1K, $100K, $1M, $10M+) or other metric (customers affected, compliance fines, operational hours)
- Risk = Likelihood × Impact $ Amount: Enables ROI calculation for mitigations
For Each Threat, Assess Likelihood:
- Is the attack vector accessible? (e.g., public-facing API vs. internal-only database)
- What attacker skills are required? (e.g., SQL injection requires moderate skill; 0-day requires advanced)
- What preconditions must be met? (e.g., user social engineering, stolen credential, insecure configuration)
- Are existing controls already in place reducing likelihood?
- Has this threat materialized in industry? (real threats are more likely than theoretical)
Assess Impact:
- Data Impact: How much PII, financial data, or trade secrets are exposed? (1 record vs. millions; revenue impact)
- Operational Impact: Service downtime? Loss of revenue? Customer churn?
- Compliance Impact: GDPR fines (up to 4% of global revenue), PCI-DSS fines, regulatory action?
- Reputational Impact: Will customers learn of the breach? Media coverage?
- Cascading Impact: Does this threat enable follow-on attacks? (e.g., credential compromise → lateral movement → ransomware)
Calculate Risk Score and Prioritize:
- Critical (16-25): Mitigate immediately; may halt releases if not addressed
- High (9-15): Mitigate within sprint/month; block production deployment if not addressed
- Medium (4-8): Mitigate within quarter; track for future resolution
- Low (1-3): Accept or defer; document why risk is acceptable
Document Risk Decisions:
- Mitigate: Implement control to reduce likelihood or impact
- Accept: Risk is acceptable given business context (document why)
- Transfer: Buy insurance, use third-party service
- Avoid: Don't implement the feature or change the architecture

Anti-Patterns

Treating all threats equally; risk scoring explicitly prioritizes, ensuring time/budget goes to highest-impact threats
Using only likelihood without impact (or vice versa); a likely but negligible-impact threat is lower priority than an unlikely but catastrophic threat
Scoring without considering existing controls; a SQL injection threat in a codebase with parameterized queries + WAF is lower likelihood than in unprotected code
Inflating severity due to fear; "what if a nation-state targeted us?" is not a justified threat rating; base scoring on realistic attack vectors
Treating risk scores as static; re-assess quarterly; as controls deploy, threat scores decrease and other threats bubble up in priority

risk-scoring

Popularity

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

risk-scoring

Popularity

Invocation

Context Preview

SKILL.md

Risk Scoring

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Similar Skills

Help us improve

Risk Scoring

Context

Domain Context

Instructions

Anti-Patterns

Further Reading