¶ Learn about organisation's risk, threats, and concerns
Goals
- Adversary capacity and history
- Learn what the threats are
Requirements/Inputs
Elements
- Context research
- open sources research on organization and its network
- Risk modeling
- Identifying impacts of threats
This is a useful tool to use in advance of or at the beginning of a digisec training. There is a useful template here on MindTools.
Steps you can probably take:
1. Draw the matrix on flip chart and stick on the wall.
2. Distribute stick-it notes among the trainees - give each one perhaps 2-3
3. Have a plenary discussion about what sort of risks they perceive to confront them in their line of work or general
4. At the end of the discussion, ask them to each write on the sticky notes, the specific risks most immediate to them
5. Explain the Risk Impact vs Probability assessment matrix diagram you have put up.
6. Ask them to place their sticky notes according to how they perceive the possible impact that would have on them.
Advice:
- I find it useful at the end of the exercise, to take a moment with the other trainer (if there) or by yourself, to create a priority list of the tools you are going to train, based on what the participants have plotted as their highest risks with highest impact.
- Have also seen this to be a good thing because they get to understand that you will impart knowledge that is most relevant to their outstanding needs first, although in logical order.
- Also helps establish understood terminology of the audience. For example: for some people, email is the same as websites to them. So when you ask about website hacking/defacement, they may really mean email issues.
- Can be used throughout the training. Each topic of the training essentially aims to move the Post-It notes down and left (the green/good zone). It ties in the topics to solutions of their identified threats.