A Risk Assessment Matrix is a management tool intended to help security teams prioritize threat hunting activities by classifying each threat according to several factors. The result of an assessment, conducted within the context of a Threat Model, can be used as input into the risk decision-making process, e.g., whether or not to investigate further or implement controls against an identified threat.
A Risk Assessment Matrix is a two-column table. The header row contains the Threat Class to be assessed, and each cell in the body of the table represents a single threat artifact from this class. In order to ensure that artifacts are accurately classified, they should be prioritized using an iterative process that requires collaboration between development teams and security teams.
The Threat Class row of the Risk Assessment Matrix is populated by identifying each threat artifact from a given class and capturing its name, description, and change in risk level (e.g., increased risk). The body of the table integrates information about these artifacts obtained through collaboration between development teams and security teams.