Enterprise risk management

How do companies currently face and manage risks? Do their diverse risk management functions still work in silos? Where does information security fit in this risk management puzzle? These questions, among others, triggered the academic information security study presented on this site.

The study investigates how linking information security with operational risk management benefits any organisation. It has the following sections:

Executive summary
The risk house model
Outcome of the survey: Demographics
Outcome of the survey: Interpretation
Literature review: Thinking path
Literature references
Literature review: Summary
In a nutshell
Present and future
Annex: Link to the survey
Annex: Survey questions
Annex: Survey questions (Spanish)

Information Systems Security sites

- Secure home pc: This site regularly posts articles on day-to-day topics related to endpoint computer security. It targets computer users who are not IT experts but would still like to have a secure computer for their daily activities (email, banking, blogging, sharing, etc.).

Security papers

Practical paper about the 8 critical success actions for Information Security in the SANS Leadership Laboratory.

If you are interested in the presentation on the 8 critical success actions for an information security function, please leave a comment on this blog.

Paper on two forensic cases, hidden company files and a USB memory stick (submitted for the SANS GIAC Gold Forensic Analyst Certification).

Paper about the DMZ of a start-up (submitted for the SANS GIAC Gold Firewall Analyst Certification).

Paper on secure application development (submitted for the SANS GIAC Gold Security Essentials Certification).

Article on Blackberry deployment in SANS Advisor.

Paper on critical success factors in information security (co-author).

The 8 Critical Success Actions for Infosec: Presentation

This presentation provides some tips on how to create an information security function. It is based on the paper titled 'Eight Critical Success Actions for Information Security'.

The core content of this forum comes from academic work done in 2006. The author of this work has recently received the 2007 Student of the Year Business Continuity Industry Award, hosted by CIR (Continuity Insurance & Risk, the UK's leading bi-monthly risk management and insurance journal).

This award would not have been received without the valuable answers provided in the questionnaire by 82 information security and business professionals worldwide. Analysing these answers was part of the academic work.

Thanks to all of you!

See some coverage in the news:
- Business Continuity Central Site
- Business Continuity Forum

See also:
- the Business Continuity Awards Site
- the Student of the Year Award Call for Nominations