Strategies for Identifying Risks

Techniques for identifying risks include:


  • Incident Report Analysis

  • Documentation Reviews

  • Brainstorming

  • Delphi Technique

  • Red Teaming

  • Intelligence Reports

  • Threat Assessments

  • Interviews

  • Root Cause Analysis

  • SWOT Analysis (Strengths, Weaknesses, Opportunities and Threats)

  • Checklist Analysis (e.g. PESTLE, SERCL, audit instruments)

  • Assumption Analysis

  • Work Breakdown Structure

Security Events - SERCL


Waiting for security events to occur is not the ideal way to discover and document your ‘unknown-unknowns’. A structured tool such as ‘SERCL’ is a useful mnemonic for identifying risks in advance, before an incident identifies them for you.


  • Source(s): Relevant source(s) of risk?

  • Event: The single key event that might be evident if this threat occurs.

  • Resource(s): Resources or assets likely to be targeted or impacted.

  • Consequence(s): Likely effect on Resources and/or Objectives.

  • Likelihood: The probability that the event will occur.

It may be useful in many circumstances to consider the elements in the following order:

  1. Resources/Assets at risk

  2. Sources of risk

  3. Events which might occur

  4. Likelihood of attack / event

  5. Consequences (effect on objectives)

Not all sources of risk will involve every resource or risk event (e.g. hackers are unlikely to steal a building), but developing a separate list for each of S, E and R, discarding the implausible combinations, then adding likelihood and likely consequences is a good start. The following graphic highlights how the five elements of SERCL fit within the ISO 31000 process.
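The procedure above (list resources, sources and events separately, drop the combinations that cannot happen, then attach likelihood and consequence and rank) can be worked through in code. The following is an added example, not tooling from the original page or from Julian Talbot: the resource, source and event lists are constructed sample data, and the applicability rules, the 1 to 5 likelihood and impact scales and the likelihood × impact rating are assumptions chosen for the illustration.

```python
"""SERCL-structured risk identification, worked in code.

Added illustration, not the page author's own tooling. The resource, source and
event lists, the applicability rules, and the 1-5 likelihood/impact scales are
all constructed assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

# Resources that hold information and can therefore be stolen or disclosed (assumed).
INFORMATION_ASSETS = {"customer database", "source code repository"}


@dataclass(frozen=True)
class Scenario:
    """One row of the risk register: the five SERCL elements plus a rating."""
    source: str
    event: str
    resource: str
    consequence: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


# Steps 1-3: resources, sources and events listed separately (constructed sample data).
RESOURCES = ["customer database", "source code repository", "office building"]
SOURCES = ["external hacker", "disgruntled insider", "flood"]
EVENTS = ["theft", "destruction", "unauthorised disclosure"]

# Step 4 input: assumed likelihood that each source produces each event.
LIKELIHOOD = {
    ("external hacker", "theft"): 4,
    ("external hacker", "destruction"): 2,
    ("external hacker", "unauthorised disclosure"): 4,
    ("disgruntled insider", "theft"): 3,
    ("disgruntled insider", "destruction"): 2,
    ("disgruntled insider", "unauthorised disclosure"): 3,
    ("flood", "destruction"): 1,
}
# Step 5 input: assumed severity of losing each resource (effect on objectives).
IMPACT = {"customer database": 5, "source code repository": 4, "office building": 3}


def applicable(source: str, event: str, resource: str) -> bool:
    """Drop combinations that cannot happen ('hackers are unlikely to steal a building')."""
    if event in ("theft", "unauthorised disclosure") and resource not in INFORMATION_ASSETS:
        return False  # a building cannot be stolen or leaked
    if source == "external hacker" and resource not in INFORMATION_ASSETS:
        return False  # a remote attacker has no physical reach
    if source == "flood" and event != "destruction":
        return False  # a natural hazard destroys; it does not steal or disclose
    return True


def consequence(event: str, resource: str) -> str:
    """Likely effect on the resource; a real register would tie this to objectives."""
    return {
        "theft": f"{resource} copied or removed by an unauthorised party",
        "destruction": f"{resource} unavailable until rebuilt or restored",
        "unauthorised disclosure": f"confidentiality of {resource} lost",
    }[event]


def build_register(resources=RESOURCES, sources=SOURCES, events=EVENTS) -> list[Scenario]:
    """Enumerate R x S x E, keep plausible scenarios, then add L and C and rank."""
    register = [
        Scenario(s, e, r, consequence(e, r), LIKELIHOOD[(s, e)], IMPACT[r])
        for r, s, e in product(resources, sources, events)  # order: R, then S, then E
        if applicable(s, e, r)
    ]
    # Highest rating first; remaining keys only make the ordering deterministic.
    return sorted(register, key=lambda x: (-x.rating, x.source, x.event, x.resource))


if __name__ == "__main__":
    for sc in build_register():
        print(f"{sc.rating:>2}  {sc.source:<20} {sc.event:<24} {sc.resource:<22} {sc.consequence}")
```

With the sample lists, 27 raw combinations reduce to 16 plausible scenarios, and the two highest-rated rows are an external hacker stealing or disclosing the customer database; the lowest is a flood destroying the building. The point of the applicability rules is the one the text makes: enumerate S, E and R independently so nothing is missed, then prune rather than guess the register from memory.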




©2019 by Julian Talbot