Security Watercooler: Cyber Risk Universe, with CISO Mentor's Phil Huggins

Monday, 30 March, 2020

This week we are trialling an idea around a virtual ‘Security Watercooler’: 25 to 30 minute video calls to break up the day and showcase different viewpoints. Check out more about the concept here.

Today Robin Oldham was joined by CISO Mentor's Phil Huggins to discuss the cyber risk universe. Here are the summary notes from the call:

Phil and Robin have been working on a project ‘Open Information Security Risk Universe’ that is available, in part and as a PDF, on GitHub here:

The project stems from having spent time working alongside actuaries and operational risk specialists in a big, regulated financial services business, and observing how they approach risk management using modern techniques that we haven’t adopted in security risk.

A risk universe provides a framework by which to:

  • Categorise things that have happened in the past, and
  • Think about what may happen in the future (and look for gaps).

It sits at the ‘risk identification’ stage (rather than ‘risk analysis’ or ‘risk evaluation’) of a risk assessment. See the Intro chapter for more info and a diagram.

You can use a risk universe to build a rich risk scenario in business language, then extract components the taxonomy describes and use that to drive typical cyber risk assessment, appropriate controls, etc.

A good risk scenario explains what happens to the business, rather than describing a control failure (e.g. “there is a risk that the firewall lets hackers onto our network”).

How do you separate out ‘short term’ and ‘long term’? How do you accommodate dynamic week-by-week vs month-by-month vs year-by-year?

There is a tendency towards false precision, e.g. reporting ‘we have 3,485 vulnerabilities’ rather than ‘two mediums’, because ‘two mediums’ lacks a definition and changes infrequently.

Adopting a quantitative approach, rather than a qualitative one, allows you to reflect changes more quickly.

It also allows you to use proven mathematical methods to aggregate risk in a way that isn’t possible when trying to combine ‘two mediums and one red’.
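As an added illustration of the aggregation point (this is example code written for these notes, not part of the Open Information Security Risk Universe project), the block below models each risk scenario quantitatively as an annual event frequency plus a lognormal single-event loss, then aggregates the scenarios by Monte Carlo simulation into one annual loss distribution. The three scenarios, their rates and their loss figures are constructed for the example and are not from the call.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk-universe scenario expressed quantitatively (values are constructed)."""
    name: str
    events_per_year: float  # Poisson rate of loss events
    loss_median: float      # median loss per event, in currency units
    loss_sigma: float       # lognormal spread of the per-event loss


# Constructed sample scenarios; a qualitative scheme might label all three "Medium".
SCENARIOS = [
    Scenario("phishing-led account takeover", events_per_year=2.0, loss_median=20_000, loss_sigma=0.8),
    Scenario("third-party data exposure", events_per_year=0.5, loss_median=150_000, loss_sigma=0.8),
    Scenario("ransomware outage", events_per_year=0.1, loss_median=1_000_000, loss_sigma=0.8),
]


def expected_annual_loss(s: Scenario) -> float:
    """Analytic expected annual loss: rate x mean of the lognormal (median * exp(sigma^2 / 2))."""
    return s.events_per_year * s.loss_median * math.exp(s.loss_sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) with Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenarios, years: int = 20_000, seed: int = 1) -> list:
    """Simulate `years` of total loss across all scenarios; returns the sorted annual totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_total = 0.0
        for s in scenarios:
            for _ in range(_poisson(rng, s.events_per_year)):
                year_total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        totals.append(year_total)
    totals.sort()
    return totals


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile (p between 0 and 100) of an already-sorted list."""
    rank = max(1, math.ceil(p / 100 * len(sorted_values)))
    return sorted_values[rank - 1]


def summarise(scenarios, years: int = 20_000, seed: int = 1) -> dict:
    """Aggregate the scenarios into figures a risk committee can compare year on year."""
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "analytic_expected_loss": sum(expected_annual_loss(s) for s in scenarios),
        "simulated_mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
    }


if __name__ == "__main__":
    for key, value in summarise(SCENARIOS).items():
        print(f"{key:>24}: {value:,.0f}")
```

Because each scenario carries a frequency and a loss distribution, the expected losses add directly and the tail (p90, p99) can be read off the simulated distribution; none of that is possible with labels such as ‘Medium’, which have no units to add. Re-running the simulation after a control change (say, a lower rate for the phishing scenario) shows the movement immediately, which is the week-by-week responsiveness the notes describe.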

In infosec we get caught up with worrying about protecting CIA, and communicating that, rather than the consequences of a breach: financial penalties, customer churn, etc. The risk universe can help here by prompting you to think about those consequences.

In broader enterprise risk management, cyber is interesting as it is both a trigger for, and a consequence of, other enterprise risk scenarios.

You can follow Robin on LinkedIn and @RTO and Phil on LinkedIn and @oracuk.

