top of page
WELCOME
The Security Risk Management Aide-Memoire (SRMAM) is a short book based on the Security Risk Management Body of Knowledge (SRMBOK) with additional material, new research, and changes to reflect the 2018 ISO31000 Risk Management Standard update. You can read most of the chapters in the blog articles below, plus new material that will form the basis for a second edition in the coming years.
Search
Business Impact Levels
Business impact levels (BILs) measure the potential impact a disruption or loss of a particular business function or asset would have on...
Julian Talbot
Mar 7, 20232 min read
When to use a Risk Matrix
Risk matrices can be used effectively based on thorough hazard/threat assessments and asset analyses. These inputs can provide...
Julian Talbot
Feb 7, 20232 min read
Finding software for risk management
One of the things that I do is build software. These days, I'm more of an end user, and for the past few years, I've been a bit selfish...
Julian Talbot
Jan 25, 20235 min read
Choosing a Risk Assessment Tool
For most of us, Microsoft Excel has been the default starting point for risk assessment tools. There is, however, an ever-increasing...
Julian Talbot
Jan 10, 20232 min read
Security Risk Management Models
Some key models that can be helpful for security risk assessment and management, depending on the context, include the following. The...
Julian Talbot
Dec 19, 20222 min read
Three-Point Estimation
Three-point estimation is one way to calculate a realistic estimation using a best-case estimate, worst-case estimate, and most...
jt
Sep 7, 20221 min read
Risk management culture
Culture is the set of encouraged and acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk within a...
Julian Talbot
Jul 26, 20222 min read
11 x 11 Risk Matrix
The following matrix shows an example of how three different risks are plotted on a matrix to reflect those risks' uncertainty. For...
jt
Jul 6, 20222 min read
Risk Calculations
P90, P50, P10 Another approach to using multiple point estimation involves using probabilities which do not add up to 100%. We might for...
jt
Jun 28, 20221 min read
How to change culture
One school of thought says it takes five years to change an organisation's culture. Another view says you can do it over a weekend. Yet...
Julian Talbot
Jun 18, 20221 min read
Three Types of Risk
Risk management comes in many forms, but one approach, which I call the 3As, looks at three different risk management styles: Actuarial -...
Julian Talbot
May 16, 20223 min read
How Do You Assess the Quality of Your Security Risk Management?
One element often missing or inadequate is ensuring and assessing the effectiveness of security risk management and security assessments....
jt
Feb 11, 20212 min read
SRA Methodology
This methodology has minor adaptations from ‘FIGURE 11.3 Expansion of AS/NZS 4360:2004 Risk Management Process for Security Risk...
jt
Nov 9, 20201 min read
The SRMBOK Framework
The following Framework graphics have been adapted from the SRMBOK organizational resilience model in SRMBOK (FIGURE 11.2). The main...
jt
Nov 2, 20201 min read
Other Security Frameworks
Security Frameworks The following is a partial list of sources for security-related frameworks. Their presence here is not an...
jt
Oct 26, 20201 min read
Security Risk Assessment Definitions
These definitions are not comprehensive. Please consider them simply as brief clarifications to indicate their use in this blog. Unless...
jt
Oct 19, 20202 min read
A Vulnerability Analysis Framework
Vulnerability Analysis A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the...
Julian Talbot
Oct 12, 20201 min read
Threat Assessment Tools
Attacker Perspective When considering how various attackers might view your organization, it may be helpful to plot them on a matrix like...
jt
Oct 5, 20202 min read
The Risk Management Continuum
When risk assessments get too complex or time-consuming, it is usually because the wrong tool is being applied to the job. As security...
jt
Sep 28, 20201 min read
Case Study: Australian Risk Management Capability Maturity Model
Another risk maturity model worth considering is the Australian Government Commonwealth Risk Management Capability Maturity Model.¹ This...
jt
Sep 21, 20201 min read
bottom of page