jt7 days ago1 minHow to Structure a Security BriefingSecurity Briefings The five paragraph order technique, also known as SMEAC, is a technique used by many military agencies to deliver a te...
jtJun 291 minWhat is Expected Monetary Value?While it is difficult to precisely quantify all loss events, even after they occur (e.g. the event’s impact on your brand), many risks ca...
jtJun 221 minWhere to Start with Risk Analysis? InputsInputs to aid risk analysis can include the elements listed below. Note: The grouping (input, process, output, feedback) is purely themat...
jtJun 151 minHow Should You Structure Likelihood and Consequence Tables?There is no single correct way to express likelihood or consequence tables. Each organization needs to consider their context and develop...
jtJun 83 minProbability and Modelling Risk ExpectancyProbability of an Event One of the challenges with Security Risk Assessment is the analysis of rare but catastrophic events. Events for w...
jtJun 11 minWhat is the Stroud Matrix?The objective of this tool is to aid discussion and provide an initial categorization of risks into four groups: BUSINESS AS USUAL (BAU):...
Julian TalbotMay 253 minWhat are Risk Matrices, and Should I Use Them?Risk matrices are commonly used in many risk management practices. There are a number of issues with risk matrices and overall, I would d...
jtMay 182 minHow Do You Estimate Risk?Risk is an abstract concept and humans are notoriously bad at predicting it.¹ A 1%chance of an event occurring does not mean that it won’...
jtMay 112 minHow Can We Effectively Use Our Risk Management Findings and Recommendations?When conducting a security risk assessment, it is important to document some of the key findings as evidence to support the risk register...
jtMay 41 minWhat is the Analysis of Competing Hypotheses?Analysis of competing hypotheses¹ (ACH) is a process whereby you identify a set of hypotheses, systematically evaluate data that is consi...
jtApr 272 minAre Existing Security Management Systems Good Enough?Adequacy of Existing Controls The ‘adequacy’ score is intended to provide an insight into the operational effectiveness of existing syste...
jtApr 201 minWhat is the Admiralty Scale?The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, ...
jtApr 132 minWhat Is Enterprise and Security Risk Management?Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities related ...
jtMar 301 minWhat Is the ISO31000 Process?ISO31000 Process The key stages of the security risk management process (as per ISO31000:2018) are: Scope, Context, and Criteria Risk Ass...
jtMar 162 minHow Do Intent and Capability Relate to Assessing Threat?Intent & Capability Threat can be evaluated as a combination of Intent & Capability. Intent and Capability both comprise other elements a...
Julian TalbotMar 91 minWhat are Threat Acts and Threat Tolerance?Threat tolerance can be a very subjective thing but there are some ways to make it more consistent.
Julian TalbotMar 21 minWhat Are Threat Actors?A threat actor is a participant in an action or process. But what is the difference between a hazard and a threat?
jtFeb 241 minHow to Compile a Security Risk Assessment?SRA and ISO31000 There are many ways to conduct a Security Risk Assessment (SRA). The graphics below are adapted from ISO31000:2018 Risk ...
Julian TalbotFeb 171 minHow Should We Treat Risks? The Hierarchy of ControlsThe hierarchy of controls is based on the concept that not all risk treatments are equally effective. For example a handrail at the top o...
Julian TalbotFeb 101 minWhat are Risk Criteria, Scope and Risk Tolerance?How to set risk criteria, scope and tolerances without all the jargon.
