The proposed approach is self-directed, meaning that people from an organisation assume responsibility for assessing the risks, selecting controls and thus setting the organisation’s security strategy. This technique leverages people’s knowledge of their organisation’s security-related practices and processes to:
- capture the current state of security practice within the organisation,
- identify risks to the most critical assets,
- prioritise areas for improvement and set the security strategy for the organisation.
The objectives behind the introduction of this risk assessment and risk management approach are to:
- Improve existing information security thresholds. The approach can be used as a catalyst to accelerate SME efforts towards information security risk management by addressing high risks. Furthermore, by targeting typical threat scenarios it will ultimately improve existing information security thresholds.
- Fulfil the business requirements, context and constraints typically found in SME environments by avoiding specialised terminology and eliminating the highly demanding tasks incorporated in almost every existing, widespread professional methodology and industry standard (i.e. asset evaluation, business impact analysis, identification of security requirements etc.).
- Use a self-directed approach tailored to the means, resources and expertise typically found in an SME environment.
- Focus on critical assets and the highest risks. The method was developed as a simple and easy guide for identifying and protecting the assets judged to be most critical to the organisation.
- Develop a measure-independent risk assessment and management method. For the purpose of producing a first practical and realistic output
Our next installment: IT Risk & Security: Working Assumptions