WELCOME
The Security Risk Management Aide-Memoire (SRMAM) is a short book based on the Security Risk Management Body of Knowledge (SRMBOK) with additional material, new research, and changes to reflect the 2018 ISO31000 Risk Management Standard update. You can read most of the chapters in the blog articles below, plus new material that will form the basis for a second edition in the coming years.
jt | May 4, 2020 | 1 min read
What is the Analysis of Competing Hypotheses?
Analysis of competing hypotheses¹ (ACH) is a process whereby you identify a set of hypotheses, systematically evaluate data that is...
8,411 views | 0 comments
jt | Apr 27, 2020 | 2 min read
Are Existing Security Management Systems Good Enough?
Adequacy of Existing Controls: The ‘adequacy’ score is intended to provide an insight into the operational effectiveness of existing...
1,309 views | 0 comments
jt | Apr 20, 2020 | 2 min read
What is the Admiralty Scale?
The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation,...
10,701 views | 0 comments
jt | Apr 13, 2020 | 2 min read
What Is Enterprise and Security Risk Management?
Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities related...
96 views | 0 comments
jt | Mar 30, 2020 | 1 min read
What Is the ISO31000 Process?
ISO31000 Process: The key stages of the security risk management process (as per ISO31000:2018) are: Scope, Context, and Criteria; Risk...
314 views | 0 comments
jt | Mar 16, 2020 | 2 min read
How Do Intent and Capability Relate to Assessing Threat?
Intent & Capability: Threat can be evaluated as a combination of Intent & Capability. Intent and Capability both comprise other elements...
5,414 views | 0 comments
Julian Talbot | Mar 9, 2020 | 1 min read
What are Threat Acts and Threat Tolerance?
Threat tolerance can be a very subjective thing, but there are some ways to make it more consistent.
92 views | 0 comments
Julian Talbot | Mar 2, 2020 | 1 min read
What Are Threat Actors?
A threat actor is a participant in an action or process. But what is the difference between a hazard and a threat?
94 views | 0 comments
jt | Feb 24, 2020 | 1 min read
How to Compile a Security Risk Assessment?
SRA and ISO31000: There are many ways to conduct a Security Risk Assessment (SRA). The graphics below are adapted from ISO31000:2018 Risk...
171 views | 0 comments
Julian Talbot | Feb 17, 2020 | 1 min read
How Should We Treat Risks? The Hierarchy of Controls
The hierarchy of controls is based on the concept that not all risk treatments are equally effective. For example, a handrail at the top...
230 views | 0 comments
Julian Talbot | Feb 10, 2020 | 1 min read
What are Risk Criteria, Scope and Risk Tolerance?
How to set risk criteria, scope and tolerances without all the jargon.
4,657 views | 0 comments
Julian Talbot | Feb 3, 2020 | 1 min read
How Can We Use Context to Inform Risk Management?
What to include when setting the context for a risk assessment.
62 views | 0 comments
jt | Jan 27, 2020 | 2 min read
How to Write a Risk Statement
Elements of a Risk Statement: It may be helpful to build lists of assets that could be affected. These are potential Sources, Events,...
577 views | 0 comments
jt | Jan 20, 2020 | 1 min read
Swiss Cheese Risk Visualization
Swiss Cheese is a concept that, for an event to occur, a number of ‘holes’ have to align in the barriers that are in place.¹ (¹ Reason,...)
218 views | 0 comments
Julian Talbot | Jan 13, 2020 | 1 min read
Strategies for Identifying Risks
Techniques for identifying risks include: Incident Report Analysis; Documentation Reviews; Brainstorming; Delphi Technique; Red Teaming...
98 views | 0 comments
Julian Talbot | Jan 6, 2020 | 1 min read
Categorizing Assets for Risk Management
Resources and assets can be categorized and defined to suit the organization’s requirements. Asset Groups: Employees & Contractors...
57 views | 0 comments
Julian Talbot | Dec 30, 2019 | 1 min read
What Is the Root Cause of the Risk?
Root cause analysis is core to managing risk.
1,388 views | 0 comments
Julian Talbot | Dec 23, 2019 | 1 min read
P2R2 - Prevent, Prepare, Respond and Recover
P2R2 stands for Prevent, Prepare, Respond, and Recover.
44 views | 1 comment
Julian Talbot | Dec 16, 2019 | 1 min read
How Do We Analyze and Describe Risk?
Many pages of the book and this website are dedicated to risk analysis but, at an introductory level, for the moment, let's just say that...
43 views | 0 comments
Julian Talbot | Nov 22, 2019 | 4 min read
Security Risk Assessment in a Nutshell
A framework to integrate the various models for security risk assessment into a single diagram. From ISO31000 to CARVER, they are all here.
793 views | 0 comments