This page introduces the intent behind the NCSC's risk management guidance, and how best to use it.
Why is the NCSC talking about risk management?
Our economy, society and individual lives have been transformed by digital technologies. They have enabled improvements in science, logistics, finance, communications and a whole range of other essential activities. As a consequence of this, we have come to depend on digital technologies, and this leads to very high expectations of how reliable these technologies will be.
People have had to deal with dangers throughout history, but it is only relatively recently that they have been able to do so in a way that systematically anticipates, and aspires to control, risk. Every organisation has to make difficult decisions about how much time and money to spend protecting its technology and services; one of the main goals of risk management is to inform and improve those decisions.
The purpose of this guidance is to give you a range of risk management techniques that will help you improve the decisions you make about cyber security.
Guidance for everyone
This guidance is aimed at a range of different audiences: non-technical staff, those who produce and communicate cyber risk assessments, and the people who make decisions informed by those assessments. This is because, to be useful, cyber risk management needs to be understandable by people with no formal knowledge of risk.
Risk management techniques
The guidance as it stands presents two very different (but complementary) ways of looking at risk.
- Component-driven risk management focuses on technical components, and the threats and vulnerabilities they face.
- System-driven risk management takes the opposite view, and analyses systems as a whole.
Note that we'll be introducing further techniques in future editions of this guidance. When we do, we'll describe the types of problem each technique is, and is not, suited to. To be clear, we do not provide blueprints or step-by-step instructions for applying techniques that already exist elsewhere. Instead, we describe the core concepts behind each type of technique and signpost more detailed guidance on how it can be applied in practice.
An end to 'tick-box' risk management
As we will discuss in the fundamentals of risk section, carrying out cyber risk management solely for 'compliance' purposes can lead to risk being managed in a 'tick-box' fashion, with unintended negative consequences. In particular, it can stop organisations questioning whether they have ticked the right boxes, leading to overconfidence in how well their risks have been managed.
For these reasons this guidance is not prescriptive: tick-box risk management can be worse than no risk management at all, which is why we introduce distinctly different types of cyber risk management technique rather than a single method. No technique in this guidance will be useful in every situation. When selecting a technique to apply to a particular cyber security problem, it is not sufficient to justify the choice by pointing to its presence in this guidance; you will need to explain why the technique you have selected is relevant to your problem.
Where to start?
If you're not sure where to start, or if you'd like to suggest topics to be covered in the next version of this guidance, please get in touch.