It comprises some introductory material which supports two very different (but complementary) techniques of looking at risk.
- Component-driven risk management focuses on technical components, and the threats and vulnerabilities they face.
- System-driven risk management takes the opposite view, and analyses systems as a whole.
Note that we'll be introducing different techniques in future editions of this guidance. When we do, we'll describe the types of problem each technique is suitable (or not) to apply to.
To be clear, we do not provide blueprints and step-by-step instructions on how to apply techniques that are already out there. But we will describe some of the core concepts behind each type of technique, and signpost to more detailed guidance on how techniques can be practically applied.
A common thread runs through all of this guidance; cyber risk is too complex to be managed using a single method. To manage cyber risks effectively, we need to be able to apply a variety of different techniques. This requires us to understand the strengths and weaknesses of the techniques we're familiar with, so that we can select and apply alternatives.
This guidance is a part of the NCSC's own learning process. That process begins with our own research, but then is guided by feedback from people who use it and apply it. For this reason, we'd like you to give us your feedback. What do you like about it? What don't you like? What would you like to see in the next phase of this guidance? Have you applied any of it? If so, please let us know.
We do hope you find the guidance useful.
Risk Research Lead