EBIOS Risk Manager – The Method
The National Cybersecurity Agency of France (ANSSI) and Club EBIOS have collaborated on a developing and publishing the EBIOS Risk Manager (EBIOS RM) method for identifying, assessing, and managing digital risks. This toolbox identifies solutions in order to mitigate risks and can be used by both public and private organisations – regardless of size or sector they operate in.
Concretely, what can EBIOS RM be used for?
- Strengthening the digital risk management process within a company
- Evaluating and treating risks related to a digital project (especially when it comes to security accreditation)
- Determining the security level required for a product or service based on its use and potential risk factors
The approach
The EBIOS RM method uses an iterative approach (symbolised by the ‘digital risk management pyramid' - see below) which is structured into 5 workshops:
- Workshop 1: Scope and security baseline
- Workshop 2: Risk Origins
- Workshop 3: Strategic scenarios
- Workshop 4: Operational scenarios
- Workshop 5: Risk treatment
The guide breaks down the objectives, intended participants, outputs, steps and procedure for each workshop. It also provides several concrete examples to allow for easy appropriation of the method. The EBIOS RM toolbox can be adapted to various situations at hand or target use. These workshops do not need to be taken in chronological order – meaning that one may follow workshop 3 without needing to go through workshop 1 and 2.
In addition to the guide, ANSSI have developed pedagogical support tools such as ‘method sheets’ to help users conduct each workshop.