Socio-technical risk assessment

The socio-technical risk assessment builds on the initial risk assessment. Socio-technical risk assessments go beyond simply identifying weaknesses in systems.

They consider risks in more detail, including the human element: the potential for human error, susceptibility to social engineering, and the effect of organisational culture on security.

As with the initial assessment, choose a framework that works for your capability. Refer to guidance on the initial cyber risk assessment for more details.

Benefits

Benefits of a socio-technical risk assessment include:
  • early identification of risks
  • informing the development of a capability based on the risks identified
  • helping to prioritise security activities and guide further work
  • providing context for a threat modelling exercise
  • informed decision-making around risk mitigation

Outcomes

The socio-technical risk assessment helps to inform decision-making, including prioritising controls and directing investment.

Responsibility

Responsibility for socio-technical risk assessments sits with:
  • delivery team lead
  • project management office (PMO)

When to complete a socio-technical risk assessment

Capabilities should carry out a socio-technical risk assessment:
  • at pre-concept or concept stage
  • in response to capability design and threat changes