When risk assessments get too complex or time-consuming, it is usually because the wrong tool is being applied to the job. As security risk professionals, we need a range of tools to suit the size of the task at hand.
Here are a few examples of what that might look like, in increasing order of complexity.
TAKE 2 - Simply take 2 minutes to think before undertaking a potentially risky behavior, such as walking down a dark alleyway or pressing 'Send' on that email.
STEP BACK 5 x 5 - Physically or mentally, step back 5 meters and take 5 minutes to discuss what could go wrong with, for example, this server patch upload or business trip.
JOB HAZARD ANALYSIS (JHA) - a structured one-page analysis tool that breaks down the activity into a series of steps and considers the risks and potential mitigations involved in each task or activity.
PROJECT RISK PLAN - involves more complex risk modeling, such as Monte Carlo simulations and formal risk registers.
DETAILED RISK ASSESSMENT - refers to a formal, documented process of developing a risk register and risk treatment plan (e.g., as per ISO 31000).
COMPLEX RISK ASSESSMENTS - are resource-intensive and only warranted for significant high-risk activities and enterprise risk assessments.
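The project-risk-plan and detailed-risk-assessment tiers above mention Monte Carlo simulation, a risk register and a risk treatment plan without showing what they look like in practice. The following is an added example, not part of the original article, written in Python: a small risk register with three-point loss estimates, a Monte Carlo simulation of annual loss, and a comparison of the untreated register against the same register with constructed treatments applied. Every risk, probability, loss figure and treatment factor below is a constructed illustration, not data from any real assessment.

```python
"""Added example: a tiny ISO 31000-style risk register with Monte Carlo loss
simulation. All figures are constructed for illustration."""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event occurs at least once in a year
    loss_min: float            # three-point loss estimate (constructed currency units)
    loss_likely: float
    loss_max: float


@dataclass(frozen=True)
class Treatment:
    """A risk treatment plan entry: how much a control shrinks likelihood and impact."""
    risk_name: str
    probability_factor: float  # e.g. 0.25 means the control cuts likelihood to a quarter
    impact_factor: float       # e.g. 0.5 means losses, if the event happens, are halved


# Constructed register for a hypothetical server patch rollout project.
REGISTER = [
    Risk("patch breaks production service", 0.30, 5_000, 20_000, 80_000),
    Risk("credential leaked during rollout", 0.05, 20_000, 100_000, 500_000),
    Risk("rollback exceeds maintenance window", 0.15, 2_000, 8_000, 30_000),
]

# Constructed treatment plan: staged rollout, vaulted credentials, rehearsed rollback.
TREATMENT_PLAN = [
    Treatment("patch breaks production service", 0.25, 0.5),
    Treatment("credential leaked during rollout", 0.25, 0.5),
    Treatment("rollback exceeds maintenance window", 0.25, 0.5),
]


def apply_treatments(register, plan):
    """Return a new register with each treatment's factors applied to its risk."""
    by_name = {t.risk_name: t for t in plan}
    treated = []
    for r in register:
        t = by_name.get(r.name)
        if t is None:
            treated.append(r)
            continue
        treated.append(replace(
            r,
            annual_probability=r.annual_probability * t.probability_factor,
            loss_min=r.loss_min * t.impact_factor,
            loss_likely=r.loss_likely * t.impact_factor,
            loss_max=r.loss_max * t.impact_factor,
        ))
    return treated


def sample_loss(risk, rng):
    """One simulated year for one risk: zero loss unless the event occurs,
    otherwise a draw from a triangular distribution over the three-point estimate."""
    if rng.random() >= risk.annual_probability:
        return 0.0
    return rng.triangular(risk.loss_min, risk.loss_max, risk.loss_likely)


def simulate(register, trials=10_000, seed=1):
    """Monte Carlo: total annual loss across the register for each trial year."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return [sum(sample_loss(r, rng) for r in register) for _ in range(trials)]


def summarize(totals):
    """Mean and loss percentiles, the figures a project risk plan would report."""
    s = sorted(totals)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": statistics.fmean(s), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}


if __name__ == "__main__":
    before = summarize(simulate(REGISTER))
    after = summarize(simulate(apply_treatments(REGISTER, TREATMENT_PLAN)))
    for label, stats in (("untreated", before), ("treated", after)):
        print(label, {k: round(v) for k, v in stats.items()})
```

The percentile table is the useful output: a p90 or p99 annual loss tells a project sponsor what residual exposure they are accepting, and running the same simulation on the treated register shows what each line of the treatment plan buys. For the first three tiers in the article this machinery would be overkill; it belongs at the project-risk-plan level and above.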