Techniques for identifying risks include:
Incident Report Analysis
Documentation Reviews
Brainstorming
Delphi Technique
Red Teaming
Intelligence Reports
Threat Assessments
Interviews
Root Cause Analysis
Swot Analysis (Strengths, Weaknesses,Opportunities And Threats)
Checklist Analysis (eg: PESTLE, SERCL, Audit Instruments)
Assumption Analysis
Work Breakdown Structure
Security Events - SERCL
Security events are not the ideal way to discover and document your ‘unknown-unknowns’. Tools such as ‘SERCL’ can be a useful mnemonic for identifying risks in advance.
Source(s): Relevant source(s) of risk?
Event: The single key event that might be evident if this threat occurs.
Resource(s): Resources or assets likely to be targeted or impacted.
Consequence(s): Likely effect onResources and/or Objectives.
Likelihood: The probability that the event will occur.It may be useful in many circumstances to consider them in the following order:
Resources/Assets at risk
Sources of risk
Events which might occur
Likelihood of attack / event
Consequences (effect on objectives)
Not all sources of risk will involve every resource or risk event, e.g. hackers are unlikely to steal a building; but developing a list for each of S, E, & R then adding likely consequences is a good start. The following graphic highlights how the five elements of SERCL fit within theISO31000 Process.

Comments