ABSTRACT

An essential part of any security plan should be to develop a register of cyber risks. Cyber risks are no different from other risks. Identifying the relative importance of each risk and then agreeing appropriate mitigating measures is a fundamental part of cyber security. However, identifying how potential problems can occur is vital if an organisation is to create plans for managing cyber risks. Because of the rapidly moving nature of digital technology, unknown risks and extreme unexpected events are an ever-present, and increasing, danger. Managing risks that an organisation does not know about is difficult, but strategies for doing this are emerging. Crisis assumption means assuming that critical incidents will happen regularly and therefore acting to protect critical infrastructure and build in buffers. For example, an organisation can assume that someone will break into the network with intent to steal, and therefore plan to reduce the impact by encrypting data, creating internal firewalls and providing fake data 'baits'.