Strategies for Identifying Risks

Techniques for identifying risks include:


  • Incident Report Analysis

  • Documentation Reviews

  • Brainstorming

  • Delphi Technique

  • Red Teaming

  • Intelligence Reports

  • Threat Assessments

  • Interviews

  • Root Cause Analysis

  • SWOT Analysis (Strengths, Weaknesses, Opportunities and Threats)

  • Checklist Analysis (e.g. PESTLE, SERCL, audit instruments)

  • Assumption Analysis

  • Work Breakdown Structure

Security Events - SERCL


Security events are not the ideal way to discover and document your ‘unknown-unknowns’. Tools such as ‘SERCL’ can be a useful mnemonic for identifying risks in advance.


  • Source(s): Relevant source(s) of risk?

  • Event: The single key event that might be evident if this threat occurs.

  • Resource(s): Resources or assets likely to be targeted or impacted.

  • Consequence(s): Likely effect on Resources and/or Objectives.

  • Likelihood: The probability that the event will occur.

It may be useful in many circumstances to consider them in the following order:

  1. Resources/Assets at risk

  2. Sources of risk

  3. Events which might occur

  4. Likelihood of attack / event

  5. Consequences (effect on objectives)

Not all sources of risk will involve every resource or risk event, e.g. hackers are unlikely to steal a building; but developing a list for each of S, E, & R and then adding likely consequences is a good start. The following graphic highlights how the five elements of SERCL fit within the ISO 31000 process.
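As an added illustration (not from the original post), the Python sketch below walks the suggested order: list Resources, Sources and Events, combine them while dropping implausible triples such as a hacker stealing a building, then attach Likelihood and Consequence to each surviving scenario. All asset names, threat sources and applicability rules are constructed for a hypothetical organisation.

```python
from dataclasses import dataclass, replace
from itertools import product

@dataclass(frozen=True)
class SerclRisk:
    """One candidate risk, captured in the order suggested above."""
    resource: str
    source: str
    event: str
    likelihood: str = "unassessed"
    consequence: str = "unassessed"

# Constructed sample lists for a hypothetical organisation.
RESOURCES = ["customer database", "head-office building", "payment API"]
SOURCES = ["external hacker", "disgruntled insider", "river flood"]
EVENTS = ["theft", "unavailability", "corruption"]

# Constructed applicability rules: which events each source can plausibly
# cause, and which resources each event can plausibly affect. Any triple not
# covered here is treated as not applicable (a hacker cannot steal a building).
SOURCE_EVENTS = {
    "external hacker": {"theft", "unavailability", "corruption"},
    "disgruntled insider": {"theft", "corruption"},
    "river flood": {"unavailability"},
}
DIGITAL = {"customer database", "payment API"}
PHYSICAL = {"head-office building"}
EVENT_RESOURCES = {
    "theft": DIGITAL,                    # only digital assets can be exfiltrated
    "unavailability": DIGITAL | PHYSICAL,
    "corruption": DIGITAL,
}

def applies(source: str, event: str, resource: str) -> bool:
    """True when the source can cause the event and the event can hit the resource."""
    return (event in SOURCE_EVENTS.get(source, set())
            and resource in EVENT_RESOURCES.get(event, set()))

def enumerate_scenarios(resources=RESOURCES, sources=SOURCES, events=EVENTS):
    """Steps 1-3: list R, S and E, combine them, keep only plausible triples."""
    return [SerclRisk(r, s, e) for r, s, e in product(resources, sources, events)
            if applies(s, e, r)]

def assess(risk: SerclRisk, likelihood: str, consequence: str) -> SerclRisk:
    """Steps 4-5: record likelihood and consequence for a candidate scenario."""
    return replace(risk, likelihood=likelihood, consequence=consequence)

def register_by_resource(risks):
    """Group the register by the asset at risk, the suggested starting point."""
    out = {}
    for r in risks:
        out.setdefault(r.resource, []).append(r)
    return out
```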





©2019 by Julian Talbot