**3.2 Automating risk assessments**

Risk assessment automation has been proposed in the form of automated penetration testing frameworks [9–11, 13–19]. Testing frameworks and automated tools are extremely useful for detecting known bugs and vulnerabilities. However, in general, these tools do not report on the larger risk-assessment picture. Specifically, they may not accurately report on legal requirements or help an organization prepare for prospective data-breach-associated costs. In addition, there is limited (if any) language standardization on risk findings to enable intra- and inter-organizational risk communication, which is essential for subsequent auditing and for dealing with legal ramifications.
