WELCOME

The Security Risk Management Aide-Memoire (SRMAM) is a short book based on the Security Risk Management Body of Knowledge (SRMBOK) with additional material, new research, and changes to reflect the 2018 ISO31000 Risk Management Standard update. You can read most of the chapters in the blog articles below, plus new material that will form the basis for a second edition in the coming years.

I'd like a copy

Search

jt

Jul 6, 20201 min read

How to Structure a Security Briefing

Security Briefings The five paragraph order technique, also known as SMEAC, is a technique used by many military agencies to deliver a...

5,534 views0 comments

jt

Jun 29, 20201 min read

What is Expected Monetary Value?

While it is difficult to precisely quantify all loss events, even after they occur (e.g. the event’s impact on your brand), many risks...

155 views0 comments

jt

Jun 22, 20201 min read

Where to Start with Risk Analysis? Inputs

Inputs to aid risk analysis can include the elements listed below. Note: The grouping (input, process, output, feedback) is purely...

51 views0 comments

How Should You Structure Likelihood and Consequence Tables?

jt

Jun 15, 20201 min read

How Should You Structure Likelihood and Consequence Tables?

There is no single correct way to express likelihood or consequence tables. Each organization needs to consider their context and develop...

459 views0 comments

Probability and Modelling Risk Expectancy

jt

Jun 8, 20203 min read

Probability and Modelling Risk Expectancy

Probability of an Event One of the challenges with Security Risk Assessment is the analysis of rare but catastrophic events. Events for...

81 views0 comments

jt

Jun 1, 20201 min read

What is the Stroud Matrix?

The objective of this tool is to aid discussion and provide an initial categorization of risks into four groups: BUSINESS AS USUAL (BAU):...

267 views0 comments

What are Risk Matrices, and Should I Use Them?

Julian Talbot

May 25, 20203 min read

What are Risk Matrices, and Should I Use Them?

Risk matrices are commonly used in many risk management practices. There are a number of issues with risk matrices and overall, I would...

2,184 views0 comments

jt

May 18, 20202 min read

How Do You Estimate Risk?

Risk is an abstract concept and humans are notoriously bad at predicting it.¹ A 1%chance of an event occurring does not mean that it...

61 views0 comments

jt

May 11, 20202 min read

How Can We Effectively Use Our Risk Management Findings and Recommendations?

When conducting a security risk assessment, it is important to document some of the key findings as evidence to support the risk register...

36 views0 comments

What is the Analysis of Competing Hypotheses?

jt

May 4, 20201 min read

What is the Analysis of Competing Hypotheses?

Analysis of competing hypotheses¹ (ACH) is a process whereby you identify a set of hypotheses, systematically evaluate data that is...

8,276 views0 comments

Are Existing Security Management Systems Good Enough?

jt

Apr 27, 20202 min read

Are Existing Security Management Systems Good Enough?

Adequacy of Existing Controls The ‘adequacy’ score is intended to provide an insight into the operational effectiveness of existing...

1,309 views0 comments

jt

Apr 20, 20202 min read

What is the Admiralty Scale?

The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation,...

10,387 views0 comments

jt

Apr 13, 20202 min read

What Is Enterprise and Security Risk Management?

Enterprise security risk management (ESRM) includes the methods and processes to manage security risks and realize opportunities related...

87 views0 comments

jt

Mar 30, 20201 min read

What Is the ISO31000 Process?

ISO31000 Process The key stages of the security risk management process (as per ISO31000:2018) are: Scope, Context, and Criteria Risk...

305 views0 comments

How Do Intent and Capability Relate to Assessing Threat?

jt

Mar 16, 20202 min read

How Do Intent and Capability Relate to Assessing Threat?

Intent & Capability Threat can be evaluated as a combination of Intent & Capability. Intent and Capability both comprise other elements...

5,181 views0 comments

What are Threat Acts and Threat Tolerance?

Julian Talbot

Mar 9, 20201 min read

What are Threat Acts and Threat Tolerance?

Threat tolerance can be a very subjective thing but there are some ways to make it more consistent.

89 views0 comments

Julian Talbot

Mar 2, 20201 min read

What Are Threat Actors?

A threat actor is a participant in an action or process. But what is the difference between a hazard and a threat?

90 views0 comments

How to Compile a Security Risk Assessment?

jt

Feb 24, 20201 min read

How to Compile a Security Risk Assessment?

SRA and ISO31000 There are many ways to conduct a Security Risk Assessment (SRA). The graphics below are adapted from ISO31000:2018 Risk...

171 views0 comments

How Should We Treat Risks? The Hierarchy of Controls

Julian Talbot

Feb 17, 20201 min read

How Should We Treat Risks? The Hierarchy of Controls

The hierarchy of controls is based on the concept that not all risk treatments are equally effective. For example a handrail at the top...

230 views0 comments

What are Risk Criteria, Scope and Risk Tolerance?

Julian Talbot

Feb 10, 20201 min read

What are Risk Criteria, Scope and Risk Tolerance?

How to set risk criteria, scope and tolerances without all the jargon.

4,610 views0 comments