
WELCOME
The Security Risk Management Aide-Memoire (SRMAM) is a short book based on the Security Risk Management Body of Knowledge (SRMBOK) with additional material, new research, and changes to reflect the 2018 ISO31000 Risk Management Standard update. You can read most of the chapters in the blog articles below, plus new material that will form the basis for a second edition in the coming years.


What is the Analysis of Competing Hypotheses?
Analysis of competing hypotheses¹ (ACH) is a process whereby you identify a set of hypotheses, systematically evaluate data that is...
jt
May 4, 2020 · 1 min read
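The ACH article above describes the method only in outline. As an added illustration (not code from the SRMAM site or book), the block below implements the core of Heuer's ACH matrix: each piece of evidence is rated consistent (C), inconsistent (I) or not applicable (N) against every hypothesis, hypotheses are scored by how much evidence is inconsistent with them, and evidence that cannot discriminate between hypotheses is set aside. The login-spike scenario, hypotheses, evidence rows and ratings are constructed for this example.

```python
"""Analysis of Competing Hypotheses (ACH) as a scored matrix.

Added example, not code from the SRMAM site or book. The scenario,
hypotheses, evidence and ratings below are constructed for illustration.
"""
from typing import Dict, List, Sequence, Tuple

CONSISTENT, INCONSISTENT, NOT_APPLICABLE = "C", "I", "N"
VALID_RATINGS = {CONSISTENT, INCONSISTENT, NOT_APPLICABLE}

# Constructed scenario: a spike in failed logins on an internet-facing portal.
HYPOTHESES = [
    "H1 external credential stuffing",
    "H2 internal service retrying a stale password",
    "H3 insider enumerating accounts",
]

# Each row: (evidence, rating against each hypothesis in HYPOTHESES order).
EVIDENCE: List[Tuple[str, List[str]]] = [
    ("Attempts come from thousands of distinct external IPs", ["C", "I", "I"]),
    ("Many usernames tried, one or two passwords each", ["C", "I", "C"]),
    ("Usernames match a published breach dump", ["C", "I", "C"]),
    ("Attempts continue around the clock, including weekends", ["C", "C", "I"]),
    ("All attempts are recorded in the central SIEM", ["C", "C", "C"]),
]


def validate(hypotheses: Sequence[str],
             evidence: Sequence[Tuple[str, Sequence[str]]]) -> None:
    """Reject matrices with ragged rows or unknown rating symbols."""
    for desc, ratings in evidence:
        if len(ratings) != len(hypotheses):
            raise ValueError(
                f"{desc!r}: expected {len(hypotheses)} ratings, got {len(ratings)}")
        bad = set(ratings) - VALID_RATINGS
        if bad:
            raise ValueError(f"{desc!r}: invalid ratings {sorted(bad)}")


def diagnostic_evidence(evidence: Sequence[Tuple[str, Sequence[str]]]) -> List[str]:
    """Evidence that is inconsistent with some hypotheses but not others is
    what lets ACH discriminate; a row consistent with everything (or with
    nothing) carries no weight, however interesting it looks."""
    diagnostic = []
    for desc, ratings in evidence:
        has_i = INCONSISTENT in ratings
        has_other = any(r != INCONSISTENT for r in ratings)
        if has_i and has_other:
            diagnostic.append(desc)
    return diagnostic


def score(hypotheses: Sequence[str],
          evidence: Sequence[Tuple[str, Sequence[str]]]) -> Dict[str, int]:
    """ACH scores each hypothesis by the count of evidence inconsistent with
    it. The analyst keeps the hypothesis with the fewest inconsistencies,
    not the one with the most supporting evidence."""
    validate(hypotheses, evidence)
    counts = {h: 0 for h in hypotheses}
    for _, ratings in evidence:
        for h, r in zip(hypotheses, ratings):
            if r == INCONSISTENT:
                counts[h] += 1
    return counts


def rank(hypotheses: Sequence[str],
         evidence: Sequence[Tuple[str, Sequence[str]]]) -> List[Tuple[str, int]]:
    """Hypotheses ordered from fewest to most inconsistencies."""
    counts = score(hypotheses, evidence)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for h, n in rank(HYPOTHESES, EVIDENCE):
        print(f"{n} inconsistent  {h}")
    print("diagnostic evidence:", diagnostic_evidence(EVIDENCE))
```

With the constructed ratings, H1 has no inconsistent evidence and survives, H3 is contradicted by two rows and H2 by three; the SIEM row is flagged as non-diagnostic because it fits every hypothesis equally. A row that is inconsistent with every hypothesis is the signal that the hypothesis set itself is incomplete.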


Are Existing Security Management Systems Good Enough?
Adequacy of Existing Controls: The ‘adequacy’ score is intended to provide an insight into the operational effectiveness of existing...
jt
Apr 27, 2020 · 2 min read
What is the Admiralty Scale?
The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation,...
jt
Apr 20, 2020 · 2 min read
What Is Enterprise and Security Risk Management?
Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities related...
jt
Apr 13, 2020 · 2 min read


What Is the ISO31000 Process?
ISO31000 Process: The key stages of the security risk management process (as per ISO31000:2018) are: Scope, Context, and Criteria; Risk...
jt
Mar 30, 2020 · 1 min read


How Do Intent and Capability Relate to Assessing Threat?
Intent & Capability: Threat can be evaluated as a combination of Intent & Capability. Intent and Capability both comprise other elements...
jt
Mar 16, 2020 · 2 min read


What are Threat Acts and Threat Tolerance?
Threat tolerance can be a very subjective thing but there are some ways to make it more consistent.

Julian Talbot
Mar 9, 2020 · 1 min read


What Are Threat Actors?
A threat actor is a participant in an action or process. But what is the difference between a hazard and a threat?

Julian Talbot
Mar 2, 2020 · 1 min read


How to Compile a Security Risk Assessment?
SRA and ISO31000: There are many ways to conduct a Security Risk Assessment (SRA). The graphics below are adapted from ISO31000:2018 Risk...
jt
Feb 24, 2020 · 1 min read


How Should We Treat Risks? The Hierarchy of Controls
The hierarchy of controls is based on the concept that not all risk treatments are equally effective. For example, a handrail at the top...

Julian Talbot
Feb 17, 2020 · 1 min read


What are Risk Criteria, Scope and Risk Tolerance?
How to set risk criteria, scope and tolerances without all the jargon.

Julian Talbot
Feb 10, 2020 · 1 min read


How Can We Use Context to Inform Risk Management?
What to include when setting the context for a risk assessment.

Julian Talbot
Feb 3, 2020 · 1 min read


How to Write a Risk Statement
Elements of a Risk Statement: It may be helpful to build lists of assets that could be affected. These are potential Sources, Events,...
jt
Jan 27, 2020 · 2 min read


Swiss Cheese Risk Visualization
The Swiss cheese model holds that, for an event to occur, a number of ‘holes’ have to align in the barriers that are in place.¹ ¹ Reason,...
jt
Jan 20, 2020 · 1 min read


Strategies for Identifying Risks
Techniques for identifying risks include: incident report analysis, documentation reviews, brainstorming, the Delphi technique, red teaming...

Julian Talbot
Jan 13, 2020 · 1 min read


Categorizing Assets for Risk Management
Resources and assets can be categorized and defined to suit the organization’s requirements. Asset groups: Employees & Contractors...

Julian Talbot
Jan 6, 2020 · 1 min read


What Is the Root Cause of the Risk?
Root cause analysis is core to managing risk.

Julian Talbot
Dec 30, 2019 · 1 min read


P2R2 - Prevent, Prepare, Respond and Recover
P2R2 stands for Prevent, Prepare, Respond, and Recover.

Julian Talbot
Dec 23, 2019 · 1 min read


How Do We Analyze and Describe Risk?
Many pages of the book and this website are dedicated to risk analysis but, at an introductory level, for the moment, let's just say that...

Julian Talbot
Dec 16, 2019 · 1 min read


Security Risk Assessment in a Nutshell
A framework to integrate the various models for security risk assessment into a single diagram. From ISO31000 to CARVER they are all here.

Julian Talbot
Nov 22, 2019 · 4 min read

