In this video I discuss the components that are used to make a risk assessment.
In this video I break down the NIST SP 800-30 definition of risk and the purpose of risk management.
The A3 technique was originally created by Toyota as a problem-solving method. The name A3 comes from the fact that, when the process is complete, all of the relevant information fits on a standard A3-size sheet of paper.
While the A3 technique was originally designed for problem solving in manufacturing, it can also be a valuable tool for risk management. It can guide the risk management process and ensure that all critical information is captured concisely. Below is an example of analyzing a category 5 hurricane risk event using the A3 technique:
So, you have identified a risk in your organization or project ... now what? When a risk is identified, there are four strategies you can use to address it. The strategies can be remembered using the acronym ACAT:
Cyber security is a two-sided coin: on one side are all of the technical controls needed to maintain security, and on the other are the operational processes required to manage them. Just like a coin, both sides need to be intact for it to be whole.
Unfortunately, many organizations dedicate a disproportionate share of resources to technical controls at the expense of properly managing their operational processes. It is not uncommon for such organizations to spend large sums of money on the latest technical security gadget, only to find themselves getting hacked anyway.