
Coming soon: *new* guidance on Risk Management for Cyber Security

Created:  30 Oct 2017
Updated:  30 Oct 2017
Author:  John Y

We mentioned in a previous blog that the NCSC is working on producing some guidance on risk management for cyber security. The first stage of this guidance is nearly ready and will be delivered to you as an early Christmas present. Before that, we wanted to give you an overview of what this guidance is, and what our customers will get from it.


Why is the NCSC producing guidance on risk management?

CESG (one of the NCSC’s precursor organisations) produced standards and guidance on cyber risk management for years. Many other organisations produce similar products. What does the NCSC hope to add to this picture?

Most cyber risk management guidance presents an individual risk management technique, or a managerial 'wrapper' within which any risk analysis technique could fit. Our forthcoming guidance will present a range of different risk management techniques. So, where we have previously talked about one technique, now we are talking about a toolbox of techniques.

This toolbox will draw on insights, concepts and methods from other established domains of risk management (such as industrial safety engineering) and apply them to cyber security. Our research around these other domains of risk management tells us that there are broad categories of risk management technique, which are fundamentally different from each other. Different tools within these different categories add value in totally different ways. Our guidance aims to identify these techniques, and explain what they’re good (or not so good) at.


Why a toolbox?

The short answer is that there is no single method for doing risk management for cyber security which can be applied universally, to good effect.

CESG spent many years promoting a single method for conducting cyber risk management within the UK government. This experience has shown us that mandating the use of specific techniques across a field as broad as the UK public sector can have unintended consequences. Risk management for cyber security is simply too complex to be managed using a single method. One consequence of recognising this is that cyber risk managers will need to know which kind of technique is best applied to which kind of problem. As such, this guidance will be neither prescriptive nor a standard. It will never be correct to say that someone has ‘complied’ with our guidance - only that they have considered it in light of the problem at hand.


What’s in the toolbox?

We're delivering this guidance in stages. The first stage, to be released shortly, will include some discussions of the fundamentals of risk management (why we do it, how it can improve cyber security). It will summarise how to 'get the basics right' if you're a small organisation with few resources to spend on cyber risk management. It will also present two very different (but complementary) ways of looking at risk.

  • The first approach focuses on technical components, and the threats and vulnerabilities they face. We call this 'component-driven risk management'.
  • The second takes the opposite view, and analyses systems as a whole. We call this 'system-driven risk management'.

The techniques we cover are all based on an ongoing programme of research by the NCSC's Sociotechnical Security Group. As we progress our research, we will add further types of cyber risk technique to this guidance. We intend to cover causal analysis of cyber risk (such as attack trees), techniques for quantitatively analysing cyber risk, and discussions of the perception & communication of cyber risk. We will also supplement this guidance with a series of blogs and worked examples, which will add some real-world context.


No jargon, no buzzwords

The last thing we want to do is produce a huge document that nobody will read. So, we’ll be ruthless with size. No jargon, no buzzwords, just succinct and useful guidance. Where we must introduce new terms, we will make sure they are clear.

We also recognise that the NCSC’s customer base is hugely varied, particularly according to how much resource it is appropriate to spend on cyber risk management. To meet these varied needs, we will clearly indicate how smaller organisations should approach cyber risk management. We will then separate this message from guidance on more expensive methodologies. The aim here is to make it clear what ‘good enough’ looks like, for those working with very limited resources.

The NCSC's current risk management collection will be retired. Don't worry, all the useful stuff from there has been taken out and repurposed. The collection includes two pieces on security governance. We will be keeping these for the time being, but we will be adding to them in the near future.


Get involved!

We are developing this guidance in collaboration with a range of external partners, and we’re more than happy to take comments and suggestions from anyone. We're particularly keen to get feedback once we've published the guidance. If you’re interested in what we’re talking about here, and would like to be involved, do get in touch.


John Y

Risk Research Lead


We are hugely grateful for the input, advice and comments from partners outside the NCSC, who have helped us in the development of this guidance. We have discussed it with colleagues from a large number of industry and government organisations, and we are very grateful for their input at every stage of this development. Specifically, we'd like to thank Prof. Adam Burgess from Kent University, Prof. Mike Power from the London School of Economics, Dr. Jerry Busby from Lancaster University and Dr. Daniel Dresner from Manchester University, for their detailed and valuable comments on the first draft of this guidance.


Thomas Smith - 31 Oct 2017

This is good news - IS1/2 standards are getting long in the tooth and are sorely in need of replacement in this modern “agile” age of “digital” government. One question: a lot of existing government processes and contracts mandate adherence to IS1/2 and production of a Risk Management Accreditation Document Set - how have you handled this aspect?

John Y - 01 Nov 2017

Hi Thomas,

Thanks very much for your comment. One thing to make clear - this guidance will not be a standard. We're introducing some risk management techniques which we have confidence in. We'll be talking about the principles behind different types of technique, and then pointing to external resources which provide a range of different ways of implementing those principles.

The issue around contracts has come up a lot. To be clear, this guidance doesn't aim to solve that problem; it's just about introducing a broader range of risk management techniques. As we say above: "this guidance will be neither prescriptive nor a standard. It will never be correct to say that someone has ‘complied’ with our guidance - only that they have considered it in light of the problem at hand."

Thanks again for getting in touch - hope that helps answer your questions.

Chris Myers - 05 Nov 2017

We are constantly being reminded that security risk feeds business risk and that we should ensure IS risk is incorporated into the wider corporate risk model. I see here the IS components of risk management (based on title alone) - 'component-driven risk management' and 'system-driven risk management' - is there not a third strand indicated of business-driven risk management?

Geoff E - 06 Nov 2017

Hi Chris,

The first release of the risk management guidance will be presenting some fundamental concepts and techniques, including component- and system-driven approaches. Our intention is to distinguish between these two different but complementary approaches, and explain how they are applicable to all types of risk. Context (be it IS or business, or anything else) will then direct the different ways in which you would apply these approaches.

Nicola Whiting - 09 Nov 2017

Happy to help with messaging to SMEs. It's an area I'm particularly passionate about, and as Titania (our company) was UK SME of the year, and one of this year's Queen's Award winners (for Innovation in Cyber), we might be useful as a Babelfish. ;)

Geoff E - 10 Nov 2017

Thank you for your interest, Nicola, and your offer of support. We will bear this in mind!

Jim Leigh - 14 Aug 2018

Great article and thank you so much for sharing. The article was broken down and very clear, so it was easy to understand and read. I liked the perspective that you have taken when writing the article. A consultant from JLB in Adelaide, South Australia has put into effect an Information Security Management System for our company based in Perth, Western Australia. We have noticed a huge change throughout the company and have also noticed a change when it has come to external and internal audits. All of the staff throughout the whole company have been on the same page and have been more aware of things that can happen through our IT system. The audits have been easier as everything is now all in the same place and no one has to go trekking all over the office to find certain documents.
