Introduction: The Evolution of Security Management

1. Motivation

The field of information security has evolved over thirty years from a technical back-office role to a key part of enterprise risk management and governance. It now creates the legal, ethical, and philosophical frameworks for managing security as a business function, beyond just controls. As threats like cyberwarfare, supply chain risks, and regulations grow, security professionals must shift from technologists to strategic risk advisors.

We must navigate a complex ecosystem in which the confidentiality, integrity, and availability (CIA) of data are essential to operational viability. This requires an understanding of how security aligns with business strategy, the legal implications of data management, and the application of due diligence.

2. Security Governance and Strategic Alignment

Security governance encompasses the responsibilities and practices undertaken by the board and executive management to provide strategic direction, ensure the achievement of objectives, manage risks effectively, and verify responsible utilisation of the enterprise's resources. It serves as the link that connects the technical implementation of security controls with the organisation's strategic aims. Without effective governance, security initiatives often become misaligned with business needs, resulting in resource wastage and unmitigated risk.

2.1 The Philosophy of Business-Aligned Security

The primary directive for any security function is to ensure it enables the business. Historically, security departments were often perceived as the "department of no," focused exclusively on risk avoidance. However, in the digital economy, risk is an inherent component of value creation. Therefore, governance must shift toward "business-aligned security," in which security strategies are derived directly from, and support, business goals.

If a business strategy involves rapid expansion into new international markets via cloud services, the security strategy must prioritise cloud security governance, identity federation, and scalable compliance monitoring. It should not block cloud adoption due to inherent risks, but rather implement controls that bring those risks within the organisation's appetite. This alignment requires integrating cybersecurity into strategic planning processes, including mergers and acquisitions (M&A), product development lifecycles, and supply chain selection. This "shift left" approach in governance ensures that security considerations are addressed during the design phase of business initiatives, often referred to as "Security by Design", thereby reducing the cost and complexity of retrofitting controls later.

We should articulate security investments in business terms rather than in technical metrics such as "vulnerabilities patched" or "firewall packets dropped." Governance reports should emphasise business outcomes, protecting revenue, preserving brand reputation, ensuring operations, and avoiding fines. Translating technical risks into business risks is key to strategic alignment.

2.2 Roles and Responsibilities in Governance

Effective governance requires a clearly defined organisational structure where roles, responsibilities, and decision-making authorities are unambiguous. The separation of duties and the establishment of clear reporting lines are critical to prevent conflicts of interest and ensure accountability.

2.2.1 Senior Management and the Board of Directors

Senior Management and the Board of Directors hold ultimate responsibility for an organisation's security, defining risk appetite, practising Due Care, and approving policies. They delegate implementation but retain responsibility for security and ensure proper funding and resources.

2.2.2 Data Roles: Owner, Custodian, and User

The governance of data requires a specific hierarchy of responsibility to ensure accountability.

  • Data Owner: Typically a senior business executive or manager who bears ultimate responsibility for a specific dataset or information asset. The Data Owner is liable for protecting the data and must determine its classification level (e.g., Confidential, Secret, Top Secret) based on the data's value to the organisation and the impact of its loss. They define the business requirements for access and authorise user privileges in line with the principle of Least Privilege.

  • Data Custodian: Typically, an IT professional or system administrator responsible for the technical implementation of the controls defined by the Data Owner. They perform day-to-day data security maintenance, including running backups, applying encryption, configuring access control lists (ACLs), and managing data retention and disposal. They act as the "hands" of the Data Owner.

  • Data User: Any employee, contractor, or third party who accesses data to perform their job duties is a Data User. They have a responsibility to adhere to the organisation's security policies, such as Acceptable Use Policies (AUP), and to handle data according to its classification. They must exercise Due Care in their daily operations, such as locking workstations and not sharing passwords.

2.3 Security Control Frameworks

To manage security consistently and measurably, organisations adopt security control frameworks. These frameworks provide a structured methodology for identifying risks, selecting controls, and auditing compliance. They allow organisations to benchmark their security posture against industry best practices.

The NIST Cybersecurity Framework (CSF) has gained traction in the private sector due to its accessible language and its organisation of security activities into functions that non-technical executives can understand: Identify, Protect, Detect, Respond, Recover, and the recently added Govern function, which emphasises the role of leadership in security.

3. Risk Management Concepts and Frameworks

Risk management is the iterative process of identifying, assessing, and responding to risks to keep them within acceptable levels.

3.1 Risk Assessment Methodologies (NIST SP 800-30)

NIST SP 800-30 Rev 1 (Guide for Conducting Risk Assessments) defines risk assessment as a four-step process:

  • Prepare: Establish the context, scope, purpose, and constraints of the assessment.

  • Conduct: Identify threat sources (adversarial, accidental, structural, environmental) and threat events. Identify vulnerabilities and predisposing conditions. Determine the Likelihood of occurrence and the Impact (magnitude of harm), where Risk = Likelihood × Impact.

  • Communicate: Share results with decision-makers to support risk response.

  • Maintain: Monitor risk factors over time (continuous monitoring) to account for environmental changes.

3.2 Quantitative Risk Analysis

Quantitative analysis attempts to assign objective monetary values to risk components. This enables a cost-benefit analysis of security controls.

Key Metrics:

  • Asset Value (AV): The financial worth of the asset (e.g., $100,000 database).

  • Exposure Factor (EF): The percentage of loss a realised threat would cause (e.g., a fire might destroy 60% of the server facility).

  • Single Loss Expectancy (SLE): The monetary loss from a single occurrence of the threat. SLE = AV × EF.

  • Annualised Rate of Occurrence (ARO): The estimated frequency of the threat per year (e.g., once every 10 years = 0.1; twice a year = 2.0).

  • Annualised Loss Expectancy (ALE): The expected yearly financial loss from this risk. ALE = SLE × ARO.

Cost-Benefit Analysis: To determine whether a safeguard (countermeasure) is financially viable, the safeguard's annual cost must be less than the risk it mitigates, i.e. less than the reduction in ALE it achieves.
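The following is an added example, not part of the original text, that applies the SLE and ALE formulas above and the cost-benefit test to the fire scenario from the Exposure Factor bullet. The asset value, the reduced exposure factor after the safeguard, and the safeguard's annual cost are constructed sample figures.

```python
# Added example: quantitative risk analysis per section 3.2.
# SLE = AV x EF, ALE = SLE x ARO, and a safeguard is financially
# justified when (ALE before - ALE after) exceeds its annual cost.
# All figures below are constructed sample values, not from the page.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Net annual benefit of a safeguard: (ALE before - ALE after) - annual cost.

    A positive result means the safeguard mitigates more annual loss
    than it costs and is therefore financially viable."""
    return before.ale() - after.ale() - annual_cost


# Constructed scenario: a $100,000 server facility, a fire destroying 60%
# of it, expected once every 10 years (ARO = 0.1).
facility_fire = Risk("server facility fire", 100_000.0, 0.60, 0.1)

# Assumed safeguard: a suppression system that limits fire damage to 10%
# of the facility (EF = 0.10) and costs $2,000 per year to run.
with_suppression = Risk("server facility fire (with suppression)",
                        100_000.0, 0.10, 0.1)
SUPPRESSION_ANNUAL_COST = 2_000.0

if __name__ == "__main__":
    print(f"SLE before: {facility_fire.sle():,.0f}")   # 60,000
    print(f"ALE before: {facility_fire.ale():,.0f}")   # 6,000
    print(f"ALE after:  {with_suppression.ale():,.0f}")  # 1,000
    value = safeguard_value(facility_fire, with_suppression, SUPPRESSION_ANNUAL_COST)
    print(f"Safeguard value: {value:,.0f}")            # 3,000 (justified)
```

Raising the assumed annual cost above the $5,000 ALE reduction turns the result negative, which is the case where Risk Acceptance (section 3.3) would typically be considered instead.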

3.3 Risk Response Strategies

Once risk is analysed, senior management must decide how to handle it. There are four primary strategies:

  1. Risk Avoidance: Discontinuing the activity that causes the risk (e.g., shutting down a vulnerable legacy server).

  2. Risk Mitigation (Reduction): Implementing controls to lower the likelihood or impact (e.g., installing a firewall).

  3. Risk Transfer (Sharing): Passing the financial impact to a third party (e.g., purchasing cyber insurance).

  4. Risk Acceptance: Acknowledging the risk and choosing to operate with it, usually because the cost of mitigation exceeds the potential loss. This must be formally signed off by senior management.

3.4 The Risk Management Framework (RMF) - NIST SP 800-37

The NIST RMF (SP 800-37 Rev 2) provides a lifecycle approach to security authorisation. It integrates security, privacy, and supply chain risk management. It consists of seven steps:

  • Prepare: Essential organisational and system-level preparation.

  • Categorise: Categorise the system and information based on impact (FIPS 199).

  • Select: Select the baseline security controls (NIST SP 800-53).

  • Implement: Deploy the controls and document their implementation.

  • Assess: Determine whether controls are correct, operate as intended, and produce the desired outcomes (NIST SP 800-53A).

  • Authorise: The Authorising Official (AO) grants the Authority to Operate (ATO) based on the risk.

  • Monitor: Continuously monitor the system and controls for effectiveness.