There is a great diversity of opinion on where and how best to protect information systems. It is common for so-called “experts” to disagree, sometimes quite fervently. To obtain a clear and consistent view of a sound security control environment, the best-practice approach is to apply risk management decision-making processes. Good risk management ensures that no weak links in the (security) chain are overlooked and that the most important issues are made a priority. It also demonstrates to your business executives why your security program makes business sense.
Risk management is not rocket science, but it is a significant departure from the traditional control-based and vulnerability-based approaches to cyber security design and information security management. This tutorial provides practical information and tools to help you conduct an effective information security risk assessment and implement a risk-based security plan to manage security for your organisation.
At this tutorial you will be provided with the skills and techniques to assess and evaluate the priority of cyber security risks. This involves translating the risks to your information into a business context for your senior management. This tutorial will assist technologists and IT managers to determine their work priorities and to enhance their credibility with senior management. The tutorial includes a workshop that develops a risk assessment for a hypothetical situation.