Purpose of this stage: Before reviewing a single document, a structured set of risk hypotheses was formed based on LiStDan Finance’s business model, data landscape, and industry threat profile.
The Hypothesis stage is what separates a structured assessment from a checklist exercise. It forces the assessor to decide where risk is most likely concentrated before examining any control, so that the Inspect stage that follows is targeted at the areas of highest expected exposure rather than spread evenly across every control domain.
Three primary risk hypotheses were formed before assessment work began:
Hypothesis 1 — IAM and Access Control Gaps
Azure-hosted fintech environments at this scale commonly carry IAM misconfigurations, incomplete multi-factor authentication (MFA) enforcement, and over-privileged service accounts. This was expected to be a HIGH-rated finding area.
Hypothesis 2 — GDPR Documentation Absence
A company at an early maturity stage that processes personal data for 100,000 users across ten data types, including biometric KYC records, was expected to have materially underdocumented GDPR obligations: no Privacy Notice, no lawful basis register, no Data Processing Agreements (DPAs), and no Data Protection Impact Assessments (DPIAs).
Hypothesis 3 — Incident Response Immaturity
With 100 employees and no dedicated security function (confirmed at scoping), the incident response posture was expected to be early-stage or entirely undocumented.
All three hypotheses were confirmed by the Inspect stage findings.
| Field | Detail |
| --- | --- |
| SHIELD Stage | H — Hypothesis |
| Stage Status | Complete |
| Inputs | Scope document, business context, industry threat intelligence |
| Output | Structured risk hypothesis log (internal reference for Inspect stage) |