TELSAFE: Security Gap Quantitative Risk Assessment Framework

📅 2025-07-08
🤖 AI Summary
A persistent gap between security standards and their practical implementation often introduces compliance risks, while existing assessment methods suffer from subjectivity and poor cross-organizational consistency. To address this, we propose a novel hybrid risk assessment framework: first, standardized compliance analysis identifies regulatory gaps; second, an expert-independent probabilistic model enables objective, quantitative risk evaluation; third, integration of CVE vulnerability data validates the framework in real-world telecommunications scenarios. Our approach significantly improves risk quantification accuracy and reproducibility, supports organization-specific risk management customization, and demonstrates strong generalizability across multiple regulated industries. Experimental results confirm enhanced reliability and scalability compared to conventional qualitative or expert-driven methodologies.

📝 Abstract
Gaps between established security standards and their practical implementation have the potential to introduce vulnerabilities, possibly exposing organizations to security risks. To effectively address and mitigate these security and compliance challenges, security risk management strategies are essential. However, risk management must adhere to well-established strategies and industry standards to ensure consistency, reliability, and compatibility both within and across organizations. In this paper, we introduce a new hybrid risk assessment framework called TELSAFE, which employs probabilistic modeling for quantitative risk assessment and eliminates the influence of expert opinion bias. The framework encompasses both qualitative and quantitative assessment phases, facilitating effective risk management strategies tailored to the unique requirements of organizations. A specific use case utilizing Common Vulnerabilities and Exposures (CVE)-related data demonstrates the framework's applicability and implementation in real-world scenarios, such as in the telecommunications industry.

Problem

Research questions and friction points this paper is trying to address.

Assesses gaps between security standards and implementation risks
Introduces TELSAFE for quantitative risk assessment without bias
Demonstrates framework applicability using CVE data in telecom

Innovation

Methods, ideas, or system contributions that make the work stand out.

Hybrid risk assessment framework TELSAFE
Probabilistic modeling for quantitative assessment
Combines qualitative and quantitative risk phases

Sarah Ali Siddiqui
Data 61, CSIRO

Chandra Thapa
CSIRO Data61
Collaborative Machine Learning, Quantum Machine Learning, Cybersecurity, Network Information Theory

Derui Wang
CSIRO Data61, Sydney, Australia

Rayne Holland
Postdoctoral Fellow, CSIRO
data privacy, network security, data structures

Wei Shao
CSIRO Data61, Sydney, Australia

Seyit Camtepe
CSIRO Data61, Sydney, Australia

Hajime Suzuki
CSIRO

Rajiv Shah
MDR Security, Canberra, Australia