1

To says things simple ; when someone wants to learn offensive web application (or system) hacking, one could just download OWASP DVWA or register to Hackthebox and watch Ippsec videos to see "how to walk the walk". This is very tangible and practical (no theory circle)

But what about risk analysis (ex : ISO 27005, NIST SP 800-30, EBIOS, etc...) ? The only thing I see on the internet is tons of theoretical paper about why those methods are so great etc... There is no practical use case showing how it was applied in more specific situations.

I understand it may be not a good idea to publish your organization risk analysis results on internet but how are we (beginners) suppose to do it ?

Any idea where I should start or look into to get a more realistic practical overview of IT security risk analysis ?

Improve this question
2
  • 1
    Typically for EBIOS RM, ANSSI provided an example of a full security risk assessment (about a vaccine company btw) ssi.gouv.fr/uploads/2019/11/… Commented May 17, 2021 at 8:17
  • @AntoninM. Indeed. It's very well done. I read it. I wish there was more like it so I can compare. Thank you Antonin Commented May 18, 2021 at 10:47

2 Answers 2

Reset to default
1

Indeed, your point about publishing public risks on critical assets of an enterprise is probably the main reason why the practical side of risk management is not as visible compared to offensive security for example.

However, if you are interested in that particular subject, there are multiple resources that you can refer to in order to gain experience. For example, the book Security Risk Management is a great reference to actually start a risk management program for a company from scratch, it has a lot of real-life examples and concepts that can be directly applied.

You can also get certifications or courses from experienced instructors (for example CRISC) this kind of training will put you in very similar risk assessments situations so that you can gain tangible experience in information security risk management.

Improve this answer
1

The reason why there is a difference is that there is no "right" answer when it comes to the output of a risk process. There is only a process and a best-guess based on context, goals, and tolerance.

Quantitative risk assessments are a thing, but there is no need for "practice" for this since it is formula-based. You just plug the numbers into the chosen formula or algorithm.

If you are reading and finding only about processes, then that's why.

Improve this answer
5
  • Hello. Ha ha ha. I read that sentence "no right answer" on multiple articles. That's why I asked the question. Bear with me : for instance, for exploiting a vulnerability, one could use metasploit or a payload found on github. There is no right or wrong here unless the vulnerability is actually exploited. The analogy here is I don't find good reliable practical usages of risk analysis method (whatever the output since as long as it identifies risk according to the methodology it's good). You see what I mean ? Commented May 17, 2021 at 21:42
  • No, I do not see what you mean. You are echoing what my answer says. And you are mixing up your terms. identifying risks is a different process from assessing risks. The output of an assessment is an assessment in line with the process. What practical outcome can there be? Let's say we go with a Likelihood x Impact model of assessment. You can determine likelihood in multiple different ways, as well as impact. Whichever you choose, you will have assessed based on that model. Commented May 18, 2021 at 11:46
  • If you use a qualitative method, then "Likelihood" can be "high/med/low". "Impact" can also be qualitative "high/med/low". So, pick a threat (let's say ransomware). What's the likelihood for your risk context? Let's say High for this example. What's the impact for your risk context? Let's say High. So, your risk in this context is "High/High". That result could be represented in many different ways (heat maps, matrices, etc.) There's your practical example. But that likely isn't satisfying as an answer. What you probably want is all the nuanced/subtle bits around all that. Commented May 18, 2021 at 11:54
  • But all those nuanced/subtle bits cannot be encapsulated in "practical, written tutorials". It would be like trying to teach "persuasive writing" via tutorials. You can teach the method, but you need to apply the concepts to your particular context. Commented May 18, 2021 at 11:59
  • I see what you mean. I did not mean no harm with my previous comment, just it's a bit confusing for me Commented May 18, 2021 at 17:09

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.