Risk Assessment Methodology

How we identify, assess, and treat information security risks

Public

Purpose

This methodology defines how Maelstrom AI identifies, assesses, prioritises, and treats information security risks for the Provii platform. It supports consistent risk management across our organisation and alignment with ISO 27001:2022 requirements.

Risk Management Framework

We follow a risk-based approach to security, focusing resources where they provide the most protection for our zero knowledge age verification service.

graph TD
    A[Identify Assets & Threats] --> B[Assess Risks]
    B --> C[Prioritize Risks]
    C --> D[Select Treatment]
    D --> E[Implement Controls]
    E --> F[Monitor & Review]
    F --> A

Risk Assessment Frequency

Regular Assessments: Annually (Q1 of each year)

Triggered Assessments when:

  • Launching new services or major features
  • Significant infrastructure changes (new cloud provider, architecture redesign)
  • After security incidents
  • Changes to threat surface (new attack vectors, vulnerabilities)
  • Changes to legal/regulatory requirements
  • Prior to ISO 27001 certification audits

Ongoing Monitoring: Continuous monitoring of key risk indicators

Step 1: Asset Identification

Asset Categories

We classify information assets into categories:

Critical importance - Compromise destroys trust in the entire system

  • Signing keys (RedJubjub keys for credential issuance)
  • Verification keys (public keys for proof verification)
  • Proving/verification parameters (Groth16 circuit parameters)
  • HMAC secrets (API authentication)
  • API keys and tokens

High importance - Core business value and competitive advantage

  • provii-crypto source code (ZKP implementations)
  • provii-verifier, provii-issuer code
  • SDK code (provii-agegate, provii-mobile-sdk)
  • Architectural designs and specifications
  • Cryptographic protocol documentation

High importance - Essential for service availability

  • Cloudflare Workers and KV namespaces
  • Durable Objects for state management
  • GitHub repositories and CI/CD pipelines
  • Static site infrastructure (Cloudflare Workers Assets)
  • Developer workstations

Medium importance - Limited sensitivity due to zero knowledge architecture

  • Audit logs (security events, access logs, IP addresses, request patterns)
  • Configuration data (KV contents, wrangler.toml settings)
  • Analytics data (service metrics, performance data)
  • Customer support communications

Asset Register

We maintain an Asset Register documenting:

  • Asset identifier and description
  • Asset owner (role)
  • Classification (critical, high, medium, low)
  • Location (Cloudflare KV, GitHub, etc.)
  • Dependencies on other assets

Step 2: Threat Identification

We consider threats across multiple categories:

External Threats

Cryptographic Attacks
  • Breaking or weakening ZKP proofs
  • Compromising signing keys
  • Side-channel attacks on cryptographic operations
  • Quantum computing threats (future consideration)
  • Protocol implementation flaws
Infrastructure Attacks
  • DDoS attacks on Cloudflare Workers
  • Supply chain compromise (malicious dependencies)
  • Compromise of Cloudflare or GitHub accounts
  • Injection attacks (API, XSS, etc.)
  • Replay attacks on challenges/proofs
Human-Targeted Attacks
  • Phishing targeting team members
  • Social engineering for credential theft
  • Insider threats (malicious or negligent)
  • Account takeover (GitHub, Cloudflare)
Third-Party Risks
  • Cloudflare service disruption
  • GitHub outage or compromise
  • Vulnerabilities in open source dependencies
  • npm registry compromise
  • Certificate authority compromise

Internal Threats

  • Accidental secret exposure in code/logs
  • Configuration errors leading to security gaps
  • Insufficient access controls
  • Lack of security awareness
  • Inadequate change management

Environmental Threats

  • Developer workstation compromise
  • Loss of key personnel (knowledge concentration)
  • Natural disasters affecting cloud infrastructure
  • Internet infrastructure disruption

Step 3: Vulnerability Assessment

For each asset-threat combination, we identify vulnerabilities:

Technical Vulnerabilities:

  • Unpatched dependencies
  • Cryptographic implementation bugs
  • Weak authentication mechanisms
  • Insecure configurations
  • Insufficient logging/monitoring

Process Vulnerabilities:

  • Lack of code review
  • Insufficient testing coverage
  • Weak incident response procedures
  • Inadequate backup processes

Human Vulnerabilities:

  • Insufficient security training
  • Credential management weaknesses
  • Social engineering susceptibility

Step 4: Risk Analysis

Likelihood Assessment

We assess the likelihood of each risk scenario:

LevelDescriptionExamples
Rare (1)Unlikely to occur in normal circumstancesQuantum computer breaking BLS12-381 today
Unlikely (2)Could occur but not expectedMajor Cloudflare datacenter failure
Possible (3)Might occur occasionallySupply chain vulnerability in dependency
Likely (4)Expected to occur in some circumstancesPhishing attempt targeting team
Almost Certain (5)Expected to occur frequentlyAutomated attacks on public APIs

Impact Assessment

We assess business impact if the risk materialises:

LevelDescriptionCriteria
Insignificant (1)Minimal impactBrief service degradation, no data compromise
Minor (2)Limited impactService disruption <1 hour, minimal customer impact
Moderate (3)Noticeable impactService outage 1-4 hours, or minor cryptographic weakness
Major (4)Significant impactService outage >4 hours, or significant security vulnerability
Severe (5)Catastrophic impactComplete service failure, or signing key compromise

Zero knowledge Impact Considerations

Because we don’t store PII, data breach impacts are fundamentally different:

<Check> What We CAN’T Lose:

  • User identity information (during verification, no personal information is collected; during issuance, date of birth is processed ephemerally and immediately discarded)
  • Personally identifiable data (zero knowledge architecture)
  • Age verification history (proofs are ephemeral) </Check>

This significantly simplifies risk assessment compared to traditional identity systems.

Risk Scoring

Risk Score = Likelihood × Impact

Risk LevelScore RangeTreatment Requirement
Low1-4Accept or monitor
Medium5-9Mitigate or accept with compensating controls
High10-15Mitigate with strong controls
Critical16-25Immediate mitigation, cannot accept

Step 5: Risk Treatment

For each identified risk, we select a treatment option:

Treatment Options

Most common: Implement controls to reduce likelihood or impact

Example: Implement SLSA Level 3 supply chain security to mitigate dependency tampering risk

Documentation: Control implementation in Statement of Applicability

When: Risk is below acceptance threshold, or cost of mitigation exceeds benefit

Example: Accept risk of Cloudflare global outage (extremely rare, beyond our control)

Requirements: Documented justification, ISMS Owner approval

When: Eliminate the activity creating the risk

Example: Minimising PII processing through zero knowledge architecture (DOB processed ephemerally during issuance, never persisted)

Note: This is our fundamental approach - we design systems that avoid risks rather than just mitigate them

When: Share risk with third party (insurance, contracts)

Example: Cloudflare’s enterprise SLA transfers some availability risk

Note: Less common for security risks (can’t transfer reputation impact)

Control Selection

When mitigating risks, we select controls based on:

  1. Effectiveness: Does it meaningfully reduce risk?
  2. Cost: Implementation and operational costs
  3. Compliance: ISO 27001 Annex A alignment
  4. Feasibility: Can we implement it with our architecture?
  5. Impact: Does it affect usability or performance?

See Statement of Applicability for selected controls.

Step 6: Risk Treatment Plan

For each risk requiring treatment, we document:

ElementDescription
Risk IDUnique identifier (e.g., RISK-2025-001)
DescriptionWhat could happen
Current Risk ScoreBefore treatment
Treatment OptionMitigate, accept, avoid, or transfer
Selected ControlsSpecific controls to implement
OwnerRole responsible for implementation
TimelineImplementation deadline
Target Risk ScoreAfter treatment
StatusPlanned, in progress, implemented

Step 7: Residual Risk

After implementing controls, we assess residual risk:

Residual Risk = Inherent Risk - Control Effectiveness

Acceptance Criteria:

  • Critical risks: Must be reduced to Medium or Low
  • High risks: Should be reduced to Medium or Low
  • Medium risks: May be accepted if cost of further mitigation is excessive
  • Low risks: Generally accepted

Approval: ISMS Owner must formally accept all residual risks above Low level.

Step 8: Monitoring and Review

Ongoing Monitoring

We continuously monitor:

Key Risk Indicators

  • Failed authentication attempts
  • Rate limit triggers
  • Dependency vulnerability scans
  • Service availability metrics
  • Certificate expiration dates

Control Effectiveness

  • Security test coverage
  • Audit log completeness
  • Incident response time
  • Patch management cadence
  • Training completion rates

Regular Reviews

Quarterly: Review key risk indicators, update risk scores for changing threat surface

Annually: Full risk assessment, review all controls, update risk register

After Incidents: Conduct root cause analysis, update risk assessment, implement lessons learned

Risk Acceptance Criteria

We accept risks when:

  1. Score ≤ 4 (Low)
  2. Cost of mitigation > value protected
  3. Risk is outside our control (e.g., internet infrastructure failure)
  4. Compensating controls reduce risk to acceptable level
  5. Documented and approved by ISMS Owner

We never accept:

  • Risks to cryptographic integrity without strong compensating controls
  • Risks that violate legal/regulatory requirements
  • Risks with severe impact, regardless of likelihood

Documentation

All risk assessments produce:

  1. Risk Register - Living document of all identified risks (view register)
  2. Risk Treatment Plan - Actions to mitigate unacceptable risks
  3. Risk Acceptance Forms - Documented justification for accepted risks
  4. Risk Review Reports - Quarterly and annual reviews

Roles and Responsibilities

RoleResponsibilities
ISMS OwnerApprove risk assessment methodology, accept residual risks, allocate resources
Security LeadConduct risk assessments, monitor risks, propose treatments, track implementation
DeveloperIdentify technical risks, implement controls, report vulnerabilities
All Team MembersReport potential risks and security concerns

Special Considerations

Zero knowledge Architecture

Our risk profile is fundamentally different from traditional systems:

Cloud-Native Risks

Operating entirely on Cloudflare/GitHub:

Advantages:

  • No physical security concerns
  • Enterprise-grade DDoS protection
  • Automatic scaling and resilience

Challenges:

  • Dependency on third-party availability
  • Limited control over infrastructure
  • Account security is critical

Supply Chain Focus

Given our SLSA Level 3 commitment, supply chain risks receive extra scrutiny:

  • Dependency vulnerability scanning in every build
  • Hermetic builds prevent tampering
  • Artefact signing supports integrity
  • Transparency logs enable auditing

Document Information

  • Version. 1.1
  • Effective Date. 2025-01-13
  • Last Updated. 2026-05-21
  • Owner. ISMS Owner
  • Maintained By. Security Lead
  • Review Frequency. Annually
  • Next Review. 2026-11-21
  • Classification. Public