The Right Tool For Each Job
When security risk assessments start to get too complex or time-consuming, it is usually because the wrong tool is being applied to the job. As security risk professionals, we need a range of tools to suit the size of the task at hand. Here are a few examples, in increasing order of complexity.
TAKE 2 - Simply take 2 minutes to think before undertaking a potentially risky behavior, such as walking down a dark alleyway or pressing 'Send' on that email.
STEP BACK 5 x 5 - Physically or mentally step back 5 meters and take 5 minutes to discuss what could go wrong with, for example, this server patch upload or business trip.
JOB HAZARD ANALYSIS (JHA) - is a structured one-page analysis tool that breaks the activity down into a series of steps and considers the risks and potential mitigations involved in each individual task or activity.
PROJECT RISK PLAN - involves more complex risk modeling, such as Monte Carlo simulations and formal risk registers.
DETAILED RISK ASSESSMENT - refers to a formal, documented process of developing a risk register and risk treatment plan (e.g. as per ISO 31000).
COMPLEX RISK ASSESSMENTS - are resource-intensive and only warranted for significant high-risk activities and/or enterprise-level security risk assessments.