# Security Operations Risk Register Template
Use this register to track security operations risks identified through Nexus SecOps assessments, threat intelligence, incident reviews, and ongoing monitoring.
## Risk Register Metadata
| Field | Value |
|---|---|
| Organization | |
| Risk Owner | |
| Last Updated | |
| Review Cadence | Quarterly |
| Risk Framework | Nexus SecOps v1.0 + NIST SP 800-30 |
## Risk Scoring Matrix
### Likelihood
| Score | Label | Description |
|---|---|---|
| 1 | Rare | Unlikely to occur in the next 12 months |
| 2 | Unlikely | Could occur in the next 12 months |
| 3 | Possible | Has occurred in this industry in the past 12 months |
| 4 | Likely | Has occurred at this organization in the past 24 months |
| 5 | Almost Certain | Expected to occur in the next 12 months |
### Impact
| Score | Label | Description |
|---|---|---|
| 1 | Negligible | No significant operational or business impact |
| 2 | Minor | Limited operational disruption; no regulatory impact |
| 3 | Moderate | Operational disruption; potential regulatory inquiry |
| 4 | Major | Significant data loss/breach; regulatory notification likely |
| 5 | Catastrophic | Extended outage; severe breach; regulatory penalty; reputational damage |
### Risk Score = Likelihood × Impact
| | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5 |
|---|---|---|---|---|---|
| Likelihood 5 | 5 | 10 | 15 | 20 | 25 |
| Likelihood 4 | 4 | 8 | 12 | 16 | 20 |
| Likelihood 3 | 3 | 6 | 9 | 12 | 15 |
| Likelihood 2 | 2 | 4 | 6 | 8 | 10 |
| Likelihood 1 | 1 | 2 | 3 | 4 | 5 |
Risk Rating Thresholds:
- Critical (20–25): Immediate treatment required
- High (12–16): Treatment required within 30 days
- Medium (6–10): Treatment within 90 days
- Low (1–5): Accept or treat in next planning cycle
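The scoring matrix and rating thresholds above, implemented as a small scorer for a register entry (an added example, not part of the template): it computes inherent and residual scores, maps them to the Critical/High/Medium/Low bands, derives the treatment window each band implies, and rejects a residual score higher than the inherent one. The sample inherent values come from the pre-populated RISK-001 and RISK-003 examples; the residual values are assumptions.

```python
# Added example (not part of the template): scores a risk record with the
# page's Likelihood x Impact matrix and rating thresholds, and derives the
# treatment window each rating implies.

# (label, lowest score, highest score, treatment window in days). Low has no
# fixed deadline ("accept or treat in next planning cycle"), so it is None.
RATING_BANDS = (
    ("Critical", 20, 25, 0),
    ("High", 12, 16, 30),
    ("Medium", 6, 10, 90),
    ("Low", 1, 5, None),
)

def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact, each on the template's 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return likelihood * impact

def risk_rating(score: int) -> str:
    """Map a score to its rating band (Critical/High/Medium/Low)."""
    for label, low, high, _days in RATING_BANDS:
        if low <= score <= high:
            return label
    # Products of two 1-5 integers never equal 11, 17-19 or 21-24, so any
    # score reaching this line did not come from risk_score().
    raise ValueError(f"score {score} falls outside every rating band")

def treatment_days(rating: str):
    """Treatment window for a rating, per the template's thresholds."""
    return {label: days for label, _l, _h, days in RATING_BANDS}[rating]

def score_record(risk_id: str, inherent: tuple, residual: tuple) -> dict:
    """Score one register entry: inherent (before controls) and residual
    (after existing controls), each given as (likelihood, impact)."""
    inh, res = risk_score(*inherent), risk_score(*residual)
    if res > inh:
        # Existing controls can only reduce a risk, never raise it.
        raise ValueError(f"{risk_id}: residual {res} exceeds inherent {inh}")
    rating = risk_rating(res)
    return {"risk_id": risk_id, "inherent_score": inh, "inherent_rating": risk_rating(inh),
            "residual_score": res, "residual_rating": rating,
            "treat_within_days": treatment_days(rating)}

# Constructed sample: inherent values from the page's RISK-001 and RISK-003
# examples; the residual values are illustrative assumptions, not page data.
SAMPLE_REGISTER = [
    score_record("RISK-001", inherent=(4, 5), residual=(2, 5)),
    score_record("RISK-003", inherent=(2, 4), residual=(1, 4)),
]
```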
## Active Risk Register
### Risk Record Template
Risk ID: RISK-[XXX]
Date Identified: [Date]
Source: ☐ Nexus SecOps Assessment ☐ Incident PIR ☐ Threat Intelligence ☐ Audit ☐ Self-identified
Risk Title: [Short, descriptive title]
Risk Description: [Describe the risk scenario: the threat source, threat event, and potential consequences. Use format: "Due to [vulnerability/gap], [threat actor/event] could [impact], resulting in [consequence]."]
Risk Category:
| Category | ☐ Check |
|---|---|
| Detection gap | ☐ |
| Staff dependency | ☐ |
| Tool availability / single point of failure | ☐ |
| AI/ML model failure | ☐ |
| Compliance gap | ☐ |
| Insider threat | ☐ |
| Supply chain | ☐ |
| Process gap | ☐ |
| Skill / knowledge gap | ☐ |
Nexus SecOps Controls Related:
- [Nexus SecOps-XXX — Control Title]
- [Nexus SecOps-XXX — Control Title]
Inherent Risk (before controls):
| Field | Value |
|---|---|
| Likelihood | [1–5] |
| Impact | [1–5] |
| Inherent Risk Score | |
| Inherent Risk Rating | ☐ Critical ☐ High ☐ Medium ☐ Low |
Existing Controls: [Describe what controls are currently in place that reduce this risk]
Residual Risk (after existing controls):
| Field | Value |
|---|---|
| Likelihood | [1–5] |
| Impact | [1–5] |
| Residual Risk Score | |
| Residual Risk Rating | ☐ Critical ☐ High ☐ Medium ☐ Low |
Risk Treatment Decision:
- ☐ Mitigate — Implement additional controls
- ☐ Accept — Risk is within tolerance; no action
- ☐ Transfer — Insurance or contract
- ☐ Avoid — Discontinue the activity
Treatment Actions (if Mitigate):
| Action | Owner | Due Date | Status |
|---|---|---|---|
| [Action 1] | | | ☐ Not started ☐ In progress ☐ Complete |
| [Action 2] | | | ☐ Not started ☐ In progress ☐ Complete |
| [Action 3] | | | ☐ Not started ☐ In progress ☐ Complete |
Risk Owner: [Role / Name]
Review Date: [Date]
Status: ☐ Open ☐ In Treatment ☐ Accepted ☐ Closed
## Pre-Populated Risk Examples
The following risks are commonly found in Nexus SecOps assessments. Review each and score for your organization.
Risk ID: RISK-001
Risk Title: Detection Gap — Cloud Identity Attack Techniques
Risk Description: Due to limited detection rules covering cloud identity attacks (Nexus SecOps-047, Nexus SecOps-048), a threat actor could compromise an administrator's cloud identity and conduct lateral movement within cloud tenants without triggering any SOC alert, resulting in data exfiltration or service disruption.
Related Controls: Nexus SecOps-047, Nexus SecOps-048, Nexus SecOps-083
Typical Inherent Likelihood: 4 | Impact: 5 | Score: 20 (Critical)
Common Treatment: Implement cloud identity detection rules (BEC, MFA bypass, token theft, impossible travel)

Risk ID: RISK-002
Risk Title: Staff Dependency — Single Detection Domain Expert
Risk Description: Due to reliance on a single analyst who owns a critical detection domain (e.g., OT, cloud, CTI), extended absence or departure of this individual creates a period with no capable oversight of that domain.
Related Controls: Nexus SecOps-205, Nexus SecOps-206, Nexus SecOps-061
Typical Inherent Likelihood: 3 | Impact: 3 | Score: 9 (Medium)
Common Treatment: Cross-training program, documentation of domain knowledge, job shadowing

Risk ID: RISK-003
Risk Title: SIEM Availability — Single Point of Failure
Risk Description: Due to no high-availability architecture for the SIEM platform, a platform outage creates a blind period during which attacks cannot be detected, correlated, or alerted on.
Related Controls: Nexus SecOps-015, Nexus SecOps-007
Typical Inherent Likelihood: 2 | Impact: 4 | Score: 8 (Medium)
Common Treatment: HA/DR architecture, failover procedure, backup alert mechanisms

Risk ID: RISK-004
Risk Title: AI Model Failure — Anomaly Detection False Positive Surge
Risk Description: Due to model drift in the UEBA/anomaly detection system (Nexus SecOps-177), the model may generate a false positive surge following organizational change (hiring, restructuring, new systems), overwhelming analysts and causing real threats to be missed.
Related Controls: Nexus SecOps-168, Nexus SecOps-174, Nexus SecOps-175, Nexus SecOps-177
Typical Inherent Likelihood: 3 | Impact: 3 | Score: 9 (Medium)
Common Treatment: Model drift monitoring, re-training triggers, manual override capability

Risk ID: RISK-005
Risk Title: Compliance Gap — Log Retention Below Regulatory Requirement
Risk Description: Due to storage cost controls, log retention is set to 90 days, below the 12-month requirement for PCI DSS and the 6-month requirement for the organization's GDPR legitimate interest documentation, creating regulatory exposure during an incident investigation.
Related Controls: Nexus SecOps-004, Nexus SecOps-029, Nexus SecOps-212
Typical Inherent Likelihood: 2 | Impact: 4 | Score: 8 (Medium)
Common Treatment: Tiered retention (hot/warm/cold storage), compress older logs to reduce cost

Risk ID: RISK-006
Risk Title: LLM Prompt Injection via Malicious Log Content
Risk Description: Due to insufficient input sanitization for the SOC LLM copilot (Nexus SecOps-182), an attacker could embed prompt injection instructions in a phishing email or malware log entry, causing the LLM to provide misleading analysis to the analyst (e.g., "this email is safe to open").
Related Controls: Nexus SecOps-182, Nexus SecOps-183, Nexus SecOps-192
Typical Inherent Likelihood: 2 | Impact: 3 | Score: 6 (Medium)
Common Treatment: Instruction separation, input sanitization, output anomaly detection
## Risk Register Summary View
| Risk ID | Title | Category | Inherent Score | Residual Score | Rating | Owner | Next Review |
|---|---|---|---|---|---|---|---|
| RISK-001 | Cloud Identity Detection Gap | Detection gap | |||||
| RISK-002 | Staff Dependency — Detection Domain | Staff dependency | |||||
| RISK-003 | SIEM Single Point of Failure | Tool availability | |||||
| RISK-004 | AI Model Drift | AI/ML model failure | |||||
| RISK-005 | Log Retention Compliance Gap | Compliance gap | |||||
| RISK-006 | LLM Prompt Injection | Process gap | |||||
See Findings Template for full assessment finding documentation. See Nexus SecOps Scoring for control-level scoring guidance.