
Risk Management

Managing Risk

Calculate & Handle Risk

Practical
Link Description
Phil Venables 12 Step Guide on Escalating Risk and Security Issues
  1. Manage to Escalation Thresholds
  2. Create and Use Ceremonies
  3. Forewarning Escalation
  4. Building and Testing the Escalation Pipes
  5. Practices to Build a Culture of Risk Openness
  6. Reward the Messenger
  7. Escalate Issues Not Perceived Negligence
  8. Educate Yourself
  9. Circumvent Escalation
  10. Look for Escalation Failures in Incident Reviews / Post-Mortems
  11. Look for Escalation Opportunities in Pre-Mortems
  12. Whistle-blower Programs
Phil Venables Risk Appetite and Risk Tolerance - A Practical Approach
  1. Define the Enterprise Risk Management Framework
  2. Develop a Risk Taxonomy
  3. Define Risk Limits and Thresholds
  4. Defined Levels of Approval for Policy Deviation
  5. Establish a Governance Framework
  6. Measure Effectiveness and Adjust
magoo The value of risk organizations

OKRs

Link Description
magoo A key performance indicator for infosec organizations: Using probabilistic risk KPIs to direct complex risk engineering efforts
  • > N regrettable customer exits resulting from a SEV0
  • Any party in {set of regulators} formally discusses a SEV0 with us
  • A SEV0 with >$10M of losses
  • A {set of bloggers and newspapers} publishes commentary on a SEV0
  • A SEV0 has confirmed, unauthorized access to customer data
  • >% of total users impacted by a SEV0 involving an explicitly defined failure
magoo How to measure risk with a better OKR: How to write probabilistic OKRs
Element | Description | Example
OBJECTIVE | Write an objective with a "risk scenario" | Reduce the risk of "An adversary has accessed production from a developer laptop in Q3."
KEY RESULTS | Choose milestones or metrics, and commit to a forecast |
Building effective security OKRs

Communicating Risk

Link Description
magoo Communicating risk across complex teams: Using threat modeling techniques for organizational risk planning
magoo Decomposing security risk into scenarios: Tabletop scenarios are an efficient means of communicating risk
magoo A risk based security project: Driving an awareness project with a risk measurement ethos

Forecasting

Practical
Theory
Examples
Others