Risk Management
Managing Risk
Calculate & Handle Risk
Practical
- Simple Risk Analysis: a quantitative, probabilistic risk measurement method
- ⭐️ Minimalist Risk Management: documentation to describe a simple risk management program
| Link | Description |
|---|---|
| Phil Venables 12 Step Guide on Escalating Risk and Security Issues | |
| Phil Venables Risk Appetite and Risk Tolerance - A Practical Approach | |
| magoo The value of risk organizations | |
OKRs
| Link | Description |
|---|---|
| magoo A key performance indicator for infosec organizations | Using probabilistic risk KPIs to direct complex risk engineering efforts |
| magoo How to measure risk with a better OKR | How to write probabilistic OKRs |
| Building effective security OKRs | |
Communicating Risk
| Link | Description |
|---|---|
| magoo Communicating risk across complex teams | Using threat modeling techniques for organizational risk planning |
| magoo Decomposing security risk into scenarios | Tabletop scenarios are an efficient means of communicating risk |
| magoo A risk based security project | Driving an awareness project with a risk measurement ethos |
Forecasting
Practical
- Simple Risk Measurement: Forecasting playground
Theory
- Risk for Engineers
- A risk decomposition walkthrough
- Prediction of Adversarial Risk
- Scoring a risk forecast
- Quantifying your unknowns: A case for estimation in cyber security
- Forecasting techniques and measurement
- Attribution: Avoiding "We got 'em"
- Describing Vulnerability Risks
- Valuation of Non-Monetary Penalties
- Troubles with quantified risk
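The items above cover making and scoring probabilistic risk forecasts, but the page itself does not show how a forecast is scored. The block below is an added example, not code from any of the linked posts: it scores binary risk forecasts ("will scenario X occur this quarter?") with the Brier score, a skill score against a constant base-rate forecast, and a calibration table. The use of Brier scoring is an assumption made for the example rather than something this list states, and the scenarios, probabilities and outcomes are constructed.

```python
"""Scoring probabilistic risk forecasts (added illustration, not from the linked posts).

Assumptions: each forecast is binary, states P(event) in [0, 1], and has been
resolved to an outcome of 1 (happened) or 0 (did not). The scenarios and numbers
in SAMPLE are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forecast:
    scenario: str
    probability: float  # forecaster's stated P(event), in [0, 1]
    outcome: int        # 1 if the event occurred during the period, else 0


def brier_score(forecasts):
    """Mean squared distance between stated probability and outcome.

    0.0 is perfect; 1.0 is the worst possible (always certain and always wrong).
    A constant 0.5 forecast scores 0.25 regardless of outcomes.
    """
    if not forecasts:
        raise ValueError("no forecasts to score")
    for f in forecasts:
        if not 0.0 <= f.probability <= 1.0 or f.outcome not in (0, 1):
            raise ValueError(f"invalid forecast: {f}")
    return sum((f.probability - f.outcome) ** 2 for f in forecasts) / len(forecasts)


def brier_skill_score(forecasts, reference_probability=None):
    """Improvement over a constant reference forecast.

    By default the reference is the observed base rate, i.e. the score a forecaster
    would get by ignoring every scenario's specifics. > 0 means the forecasts carry
    information beyond the base rate; <= 0 means they do not.
    """
    if reference_probability is None:
        reference_probability = sum(f.outcome for f in forecasts) / len(forecasts)
    reference = [Forecast(f.scenario, reference_probability, f.outcome) for f in forecasts]
    bs_reference = brier_score(reference)
    if bs_reference == 0.0:
        return 0.0  # reference already perfect (all outcomes identical); no skill to add
    return 1.0 - brier_score(forecasts) / bs_reference


def calibration_table(forecasts, bins=5):
    """Bucket forecasts by stated probability and report observed frequency per bucket.

    Returns {(low, high): (count, observed_frequency)}. A calibrated forecaster's
    observed frequency sits inside each bucket's range. Small counts per bucket
    (common in security, where events are rare) make this noisy; treat it as a
    sanity check, not a verdict.
    """
    buckets = {}
    for f in forecasts:
        idx = min(int(f.probability * bins), bins - 1)  # 1.0 lands in the top bucket
        key = (idx / bins, (idx + 1) / bins)
        count_hits = buckets.setdefault(key, [0, 0])
        count_hits[0] += 1
        count_hits[1] += f.outcome
    return {k: (n, hits / n) for k, (n, hits) in sorted(buckets.items())}


# Constructed sample: one quarter of scenario forecasts and their resolutions.
SAMPLE = [
    Forecast("phishing leads to a credential compromise", 0.80, 1),
    Forecast("ransomware detonates on a production host", 0.10, 0),
    Forecast("a storage bucket is found publicly readable", 0.30, 0),
    Forecast("a critical vuln is exploited before we patch", 0.60, 1),
    Forecast("an insider exfiltrates customer data", 0.05, 0),
    Forecast("a third-party breach exposes our data", 0.40, 1),
]

if __name__ == "__main__":
    print(f"Brier score:       {brier_score(SAMPLE):.4f}")
    print(f"Brier skill score: {brier_skill_score(SAMPLE):.4f}")
    for (lo, hi), (n, freq) in calibration_table(SAMPLE).items():
        print(f"  stated {lo:.1f}-{hi:.1f}: n={n}, observed frequency {freq:.2f}")
```

Score every scenario forecast once its period resolves, and track the Brier score over time rather than per quarter: a single quarter with six rare events says little, and the skill score is the number to watch, since a forecaster who only restates the base rate scores 0 there even when the raw Brier score looks respectable.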
Examples
Others
- Evidence of Absence: It’s impossible to prove that you haven’t suffered a security breach
- The next 50 years of cyber security: Making our risks as quantifiable and predictable as the weather
