Need help? We are here

Assessing risk begins with baselining, establishing a current state to get to the desired state.
Progress is measured by meeting milestones and objectives, i.e. a maturing process.
For example,
the capability maturity model has the following framework:
Initial – informal
Documented Strategy & Principles – formalizing
Adaptive Security Architecture – well defined
Security Organization & Roadmap – optimized
Baseline Security Standards – quantitatively controlled
Give examples of risk at the level of these categories and how each level mitigates risks from the previous level?