The AppSec Management Podcast

CRA Sessions: Risk Assessment


Risk assessments are the starting point of your application security program and, as it turns out, of your Cyber Resilience Act compliance strategy. If you think about it, it makes absolute sense: if there is no risk, you don't really need security. Unfortunately, that's not the world we are living in, and creating a crystal clear understanding of the risk profile for each of your products is essential.

Risk has two components. The first is a more "businessy" component related to loss magnitude, or impact. This is the component that needs to be dictated by the business. The second component is more technical, namely threat event frequency. The combination of the two factors is what we typically think of as risk.

However, it is critical to stress that the first, "business" side of risk is much easier to come up with. It is also relatively limited, and it comes first in the sequence. This is precisely what the CRA suggests: you need to start by clearly defining the context of your product, its risk, and its risk acceptance criteria. The second factor, i.e., the actual threats, is virtually unlimited. Once again, you need the business side of the story to come up with meaningful threats.

In this second episode of our CRA series podcast we dive deep into risk assessment and threat modeling concepts in the context of the upcoming EU Cyber Resilience Act.


The AppSec Management Podcast, by Dr. Dag Flachet and Dr. Aram Hovsepyan