Handbook
SA HB 167:2025
[Current] Managing security related risks
SA HB 167:2025 provides guidance to executives, managers, practitioners and other decision-makers on approaches to managing security-related risk.
Published: 26/09/2025
Pages: 161
Table of contents
About this publication
Preface
Introduction
1 Scope and general
1.1 Scope
1.2 Referenced documents
1.3 Terms and definitions
2 Exploring the broad concepts of security-related risk
2.1 What is security?
2.2 Security-related risk
2.2.1 Overview
2.2.2 Security-related risk as a classification term
3 Security-related risk management
3.1 Scope
3.2 Security-related risk management within a broader security system
3.3 Security architecture
3.4 The importance of culture
3.4.1 Organizational culture
3.4.2 Culture and change
3.5 Security-related risk management
3.5.1 Purpose
3.5.2 In the broader risk context
3.5.3 Within the organizational framework
4 A framework for managing security-related risk
4.1 Organizational framework for managing risk
4.2 Principles
4.2.1 Overview
4.2.2 Principle 1 — Value creation and protection
4.2.3 Principle 2 — Structured and comprehensive
4.2.4 Principle 3 — Customized and aligned
4.2.5 Principle 4 — Dynamic and adaptive
4.2.6 Principle 5 — Inclusive and participative
4.2.7 Principle 6 — Integrated and embodied
4.2.8 Principle 7 — Data and information seeking
4.2.9 Principle 8 — Human and cultural factors
4.2.10 Principle 9 — Continuous improvement
4.3 Framework mechanisms
4.3.1 General
4.3.2 Policies and procedures
4.3.3 Functional capability
4.3.4 Relationships
4.3.5 Analytical capability
4.3.5.1 Purpose
4.3.5.2 Data and information management
4.3.5.3 Processes, methods and tools
4.3.5.4 Lessons learned
4.4 Framework management process
4.4.1 Overview
4.4.2 Leadership and commitment
4.4.3 Integration
4.4.4 Design
4.4.4.1 General
4.4.4.2 Roles, responsibilities and accountabilities
4.4.4.3 Allocation of other resources
4.4.5 Communication and consultation
4.4.6 Implementation
4.4.6.1 Overview
4.4.6.2 Implementing the security-related risk management process
4.4.6.3 Operationalization
4.4.6.4 Evaluation
4.4.6.5 Realignment and improvement
5 Risk management process
5.1 General
5.2 Security-related risk management process
5.2.1 Overview
5.2.2 Communication and consultation
5.2.3 Risk assessment
5.2.3.1 Exploring the context
5.2.3.2 Identification
5.2.3.3 Analysis
5.2.3.4 Evaluation
5.2.3.5 Treatment
5.2.3.6 Monitoring and review
6 Communication and consultation
6.1 General
6.2 Building effective communication and consultation
6.2.1 General
6.2.2 Communication and consultation strategy
7 Exploring and establishing the context
7.1 Purpose and scope
7.2 Defining the problem
7.3 Defining the purpose
7.4 Exploring the context
7.5 Risk criteria
7.5.1 Defining risk criteria
7.5.2 Development of risk criteria
7.5.3 Developing the risk appetite and risk tolerance criteria
7.5.3.1 The concepts
7.5.3.2 Context
7.5.3.3 Nature of the risk
7.5.3.4 The nature of uncertainty
7.5.3.5 Capabilities of the organization or individual
7.5.3.6 Decisions made about the nature of the risk
7.5.3.7 Risk treatment
8 Risk assessment
8.1 Overview
8.2 The origins of uncertainty
8.2.1 General
8.2.2 Uncertainty
8.2.3 Volatility and turbulence
8.2.4 Complexity
8.2.5 Ambiguity
8.2.6 Novelty
8.3 Gathering, collating and analyzing data and information
8.3.1 Sources of data and information
8.3.2 Credibility of information
8.4 Integrating with the security intelligence cycle
8.5 Improving the use of security intelligence
8.5.1 Overview of sources
8.5.2 Human source intelligence (HUMINT)
8.5.3 Open-source intelligence (OSINT)
8.5.4 Tools and techniques
8.5.5 Other types of intelligence
9 Risk assessment techniques
9.1 General
9.2 Using and combining identification and analytical techniques
9.3 Applying general assessment techniques
9.3.1 Brainstorming
9.3.2 Interviews
9.3.3 Delphi technique
9.3.4 Scenario analysis
9.3.5 Crowdsourcing
9.3.6 Questionnaire
9.3.7 Red teaming
9.3.8 Design thinking
9.3.9 Argument mapping
9.3.10 Event tree analysis
9.3.11 SWIFT analysis
9.3.12 Failure mode effects analysis
9.3.13 Root cause analysis
9.3.14 Common causal analysis techniques
9.3.14.1 Affinity
9.3.14.2 Fishbone (Ishikawa)
9.3.14.3 Cause and effect
9.3.14.4 Bow tie
9.3.14.5 Monte Carlo
9.3.14.6 Target susceptibility
9.3.14.7 CARVER
9.3.14.8 Critical path
9.4 Criticality analysis
9.4.1 General
9.4.2 Determining the scope of the assessment
9.4.2.1 Confirm top obligations and objectives
9.4.2.2 Identify key delivery mechanisms
9.4.2.3 Determining the dependency on underpinning elements
9.4.2.4 Determining the utility of other arrangements
9.4.2.5 Determining the criticality of the underpinning elements
9.4.3 Dealing with combinations of criticality criteria
9.5 The threat assessment
9.5.1 General
9.5.2 Threat sources
9.5.2.1 The origins of threats
9.5.2.2 Geographic origins
9.5.2.3 Causal, influencing and contributing factors
9.5.3 Threat type
9.5.3.1 Intent and capability
9.5.3.2 Threat actor intent
9.5.3.3 Threat actor capability
9.5.4 Threat vectors
9.5.5 Threat targeting
9.5.6 Threat domain
9.5.6.1 Considerations
9.5.6.2 Threat immediacy, recency and frequency
9.5.7 Defining the threat
9.5.8 Threat of intent — Capability
9.5.9 Threat assessment tools and techniques
9.5.9.1 Overview
9.5.9.2 Threat tree mapping
9.5.9.3 Threat impact
9.5.10 Defining level of threat
9.5.11 Example approach to traditional threat assessment
9.6 Vulnerability analysis
9.6.1 The nature of vulnerability
9.6.2 Control considerations
9.6.3 Layered security — defence in depth
9.6.4 The vulnerability analysis process
9.6.5 A generic approach
9.6.6 Neutralization analysis
9.6.7 Vulnerability criteria
10 Risk identification
10.1 Purpose
10.2 Asking questions about risk
10.3 Selecting the approach for identifying risk
10.4 Describing and categorizing risk
11 Risk analysis
11.1 Overview
11.2 The risk analysis process
11.2.1 Risk characteristics
11.2.2 A cautionary note
11.2.3 Accounting for controls
11.2.4 Risk analysis outputs
11.2.5 Determining consequences
11.2.5.1 Techniques and tools
11.2.5.2 Consequence criteria
11.2.6 Determining likelihood
11.2.7 Other criteria
11.2.8 Making judgements about risk
11.2.8.1 Determining the level of knowledge
11.2.8.2 Addressing complexity
11.2.9 Determining a level of risk
11.2.9.1 Cautionary note
11.2.9.2 Constructing a risk rating schema
11.2.9.3 Using range values
11.2.10 Special considerations in societal risk
11.2.11 Combining different risk criteria
11.2.12 Estimating a level of risk
12 Risk evaluation and treatment
12.1 An integrated cycle
12.2 Risk evaluation
12.2.1 Risk assessment options
12.2.2 Development and selection of options
12.2.3 Testing assumptions
12.3 Additional evaluation techniques
12.3.1 Tools of analysis
12.3.2 Multi-criteria decision analysis
12.3.3 Conducting a cost-benefit analysis
12.4 Risk treatment
12.4.1 Developing a treatment plan
12.4.2 Implementing and monitoring treatments
13 Monitoring and review
13.1 General
13.2 Monitoring and surveillance
13.3 Reviews
13.4 Lessons learned
13.4.1 General
13.4.2 Lessons management — A continuing traditional approach?
13.4.3 Understanding how adults learn
13.4.4 Lessons learned leadership
13.4.5 Framework for lessons learned
13.4.6 Creating and operationalizing lessons learned
13.4.6.1 General
13.4.6.2 Set-up
13.4.6.3 Facilitation
13.4.6.4 Lessons learned
13.5 Reporting
Appendix A
Appendix B
B.1 Communication barriers and constraints
B.2 Participation
Appendix C
Bibliography