Building an AI-Powered Cybersecurity Risk Matrix: From Logs to Actionable Risk Scores
Introduction
Risk matrices are foundational to cybersecurity—helping organizations assess and prioritize threats based on likelihood and impact. But what if we could take that a step further? What if a system could analyze raw security logs, evaluate key attributes of an event, and automatically score risk without needing human triage every time?
In this blog, we’ll build a lightweight simulation of an AI-powered risk matrix engine, using basic Python and rule-based logic (you could extend it with machine learning later). This project is perfect for cybersecurity students, professionals, and educators wanting to make risk management concepts more tangible.
Why Combine AI and Risk Matrices?
While traditional risk matrices work well in static planning, today’s environments are dynamic—logs are constantly generated, and risks shift rapidly. AI (or rule-based decision logic as a starting point) can:
- Reduce alert fatigue by scoring only high-risk events
- Standardize how risks are interpreted
- Accelerate incident response decision-making
What We’ll Build
A prototype that:
- Parses a simple log input (e.g., from Wazuh or Splunk export)
- Extracts metadata like asset type, event severity, source IP, etc.
- Evaluates likelihood and impact using defined rules
- Scores each log event and maps it to a 5x5 color-coded risk matrix
Step 1: Understand the Risk Matrix
Here’s an example of a standard 5x5 risk matrix:
| Likelihood → / Impact ↓ | Very Low | Low | Moderate | High | Critical |
|---|---|---|---|---|---|
| Rare | Green | Green | Yellow | Yellow | Orange |
| Unlikely | Green | Yellow | Yellow | Orange | Red |
| Possible | Yellow | Yellow | Orange | Red | Red |
| Likely | Yellow | Orange | Red | Red | Red |
| Certain | Orange | Red | Red | Red | Red |
We’ll use logic to define how AI logic maps events into this grid.
Step 2: Define Our Inputs
We’ll simulate log inputs using a JSON format:
{
"event_id": "auth-fail-445",
"severity": "high",
"asset_type": "server",
"asset_value": "critical",
"source_ip": "203.0.113.24",
"location": "external",
"timestamp": "2025-03-18T12:43:55Z",
"event_type": "failed_login",
"attempts": 15
}
Step 3: Build the Logic (Python Example)
We’ll simulate an “AI decision engine” using rules based on the log’s content.
# Define scoring logic
LIKELIHOOD_MAP = {
'attempts': [(1, 'Rare'), (5, 'Unlikely'), (10, 'Possible'), (20, 'Likely'), (float('inf'), 'Certain')]
}
IMPACT_MAP = {
('server', 'critical'): 'Critical',
('workstation', 'medium'): 'Moderate',
('printer', 'low'): 'Low',
('db', 'critical'): 'High'
}
def evaluate_likelihood(attempts):
for threshold, rating in LIKELIHOOD_MAP['attempts']:
if attempts <= threshold:
return rating
def evaluate_impact(asset_type, asset_value):
return IMPACT_MAP.get((asset_type, asset_value), 'Low')
# Risk matrix scores
RISK_MATRIX = {
('Rare', 'Low'): 'Green',
('Possible', 'Critical'): 'Red',
('Likely', 'High'): 'Red',
('Certain', 'Moderate'): 'Red',
('Unlikely', 'Moderate'): 'Yellow',
# Add more entries based on your full matrix
}
# Example log
log = {
"attempts": 15,
"asset_type": "server",
"asset_value": "critical"
}
likelihood = evaluate_likelihood(log['attempts'])
impact = evaluate_impact(log['asset_type'], log['asset_value'])
risk = RISK_MATRIX.get((likelihood, impact), 'Yellow')
print(f"Likelihood: {likelihood}, Impact: {impact}, Risk Score: {risk}")
Step 4: Interpret the Results
In this example, 15 failed login attempts on a critical server triggers:
- Likelihood: Likely
- Impact: Critical
- Risk Score: Red (Severe)
This would signal an urgent need for review, alert escalation, and potential IP blocking or incident containment.
Step 5: Expand the Use Case
- Pull real logs from Wazuh, Splunk, or Syslog
- Add natural language summaries using ChatGPT API (“This event is classified as Likely/Critical. Immediate review is advised.”)
- Add a timestamp and group risk by hour/day to visualize patterns
- Extend with a Streamlit or Flask UI to drag in log files and generate a risk dashboard
Why This Matters
This project helps:
- Reinforce understanding of risk management principles
- Demonstrate how AI and automation can reduce time-to-triage
- Provide students and teams with a customizable framework for risk classification
Educational Extensions
- Instructors: turn this into a group project for evaluating system events
- Students: adapt this tool to monitor a home lab and report top 3 risks each day
- Professionals: integrate the logic into existing alerting pipelines
Conclusion
The AI doesn’t need to be complex to be powerful. Even rule-based decision logic can make a real difference in streamlining security risk management. By turning logs into actionable risk insights, you build not only a useful tool—but also your own critical thinking as a cybersecurity professional.