I would like to ask for the following enhancement: in many modern regulations (e.g. EU NIS2), the regulators require an all-hazards approach to cyber risk management. In order to do that, one would take a hazards catalog (or a threat catalog or whatever helps) and then iterate over all hazards and identify risks for them.
The advantage is clear: one can be "sure" to have looked at "all" angles from which risks could stem and not have fallen into the trap of certain experiences (e.g. building managers only identifying risks for physical building access/fire/flood etc., while cyber people only identify risks for cyber attacks).