
Risk Report Retail Nova

I just completed a full cybersecurity risk assessment for a fictional retail client — and it was one of the most practical exercises I’ve done as a postgrad student.

The scenario: RetailNova Pty Ltd. $450M in revenue, 85 stores, 1,200 staff, a custom e-commerce platform, and three confirmed security incidents in three consecutive years.

My job was to act as the assessor.

I identified 6 material risks — phishing-induced credential compromise, ransomware, third-party vendor breaches, e-commerce application vulnerabilities, insider threat, and AWS cloud misconfiguration — and rated each using a 5×5 likelihood/consequence matrix across inherent and residual risk.

What I found most valuable wasn’t the risk ratings themselves. It was having to justify every score. Why is this Likely and not Possible? What controls actually exist vs. what’s assumed? Would this trigger NDB scheme notification obligations?
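To make the 5×5 rating mechanics and the "justify every score" discipline concrete, here is an added Python example; it is not from the post or the RetailNova report. It scores inherent and residual ratings as likelihood × consequence, bands the product, refuses a rating with no written rationale or a residual score above the inherent one, and orders the register for a remediation roadmap. The scale labels, band cut-offs, sample ratings, controls and rationales are constructed assumptions, not the report's values.

```python
from dataclasses import dataclass, field

# Ordinal scales for the 5x5 matrix. Only "Likely" and "Possible" appear in the
# post; the full label set is an assumption.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}

# Banding of the product score (1..25). Cut-offs are an assumption, not the report's.
BANDS = [(15, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]


def score(likelihood: str, consequence: str) -> int:
    """Cell value of the 5x5 matrix: likelihood rank times consequence rank."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def band(value: int) -> str:
    """Map a matrix score onto its qualitative band."""
    for floor, label in BANDS:
        if value >= floor:
            return label
    raise ValueError(f"score out of range: {value}")


@dataclass
class Risk:
    name: str
    inherent: tuple   # (likelihood, consequence) with no controls credited
    residual: tuple   # (likelihood, consequence) after verified controls
    controls: list = field(default_factory=list)
    rationale: str = ""  # why this rating and not the adjacent one


def validate(risk: Risk) -> None:
    """Reject ratings the assessor could not defend to a reviewer."""
    if not risk.rationale.strip():
        raise ValueError(f"{risk.name}: every score needs a written justification")
    if score(*risk.residual) > score(*risk.inherent):
        raise ValueError(f"{risk.name}: residual risk cannot exceed inherent risk")
    if risk.residual != risk.inherent and not risk.controls:
        raise ValueError(f"{risk.name}: residual differs from inherent but no control is named")


def rate(risk: Risk) -> dict:
    """Inherent and residual scores with their bands and the reduction credited to controls."""
    validate(risk)
    inh, res = score(*risk.inherent), score(*risk.residual)
    return {"name": risk.name, "inherent": inh, "inherent_band": band(inh),
            "residual": res, "residual_band": band(res), "reduction": inh - res}


def prioritise(risks: list) -> list:
    """Remediation order: highest residual first, ties broken by inherent score."""
    return sorted((rate(r) for r in risks),
                  key=lambda r: (r["residual"], r["inherent"]), reverse=True)


# Constructed register for the six risk categories named in the post. Ratings,
# controls and rationales are illustrative, not the RetailNova report's values.
REGISTER = [
    Risk("Phishing-induced credential compromise", ("Likely", "Major"), ("Possible", "Moderate"),
         ["Phishing-resistant MFA on email and VPN", "Quarterly phishing simulation"],
         "Staff receive high volumes of external email; with MFA a stolen password alone is insufficient."),
    Risk("Ransomware", ("Likely", "Severe"), ("Possible", "Major"),
         ["Offline, tested backups", "Application control on endpoints"],
         "Backups shorten recovery, but a POS outage across 85 stores remains Major."),
    Risk("Third-party vendor breach", ("Possible", "Major"), ("Possible", "Moderate"),
         ["Vendor security questionnaire and contract clauses"],
         "Likelihood unchanged: contracts do not reduce how often vendors are breached."),
    Risk("E-commerce application vulnerabilities", ("Likely", "Major"), ("Unlikely", "Major"),
         ["Annual penetration test", "WAF in front of the custom platform"],
         "Cardholder data exposure keeps consequence Major regardless of controls."),
    Risk("Insider threat", ("Possible", "Moderate"), ("Unlikely", "Moderate"),
         ["Least-privilege access reviews", "Privileged session logging"],
         "Turnover across 1,200 staff keeps likelihood above Rare."),
    Risk("AWS cloud misconfiguration", ("Possible", "Major"), ("Unlikely", "Moderate"),
         ["CSPM alerts on public buckets and open security groups"],
         "Detection within hours limits the exposure window; consequence drops to Moderate."),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f'{row["residual_band"]:8} {row["residual"]:2}  '
              f'(inherent {row["inherent_band"]} {row["inherent"]:2})  {row["name"]}')
```

The validation is the part worth copying: a residual score that exceeds the inherent score, or a reduction with no named control behind it, is exactly the "assumed vs. actual controls" gap the post describes, and catching it mechanically keeps the written rationale honest.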

The process forced me to think like a practitioner, not a student.

The final deliverable was a full risk report: threat and vulnerability identification, detailed risk blocks, a prioritised 15-action remediation roadmap, and a regulatory context section covering the Privacy Act, ASD Essential Eight, and PCI DSS.

If you’re breaking into blue team / GRC roles, I’d genuinely recommend building projects like this. The ability to communicate risk to a business audience is just as important as knowing the technical controls.
