Cybersecurity risks analysis

Risk analysis

Knowing your own information system is an important prerequisite for securing it. If it includes equipment omitted from inventories, it may quickly become obsolete, making it a target of choice for an attacker.

This is why it is essential to have a precise knowledge of your entity's IT installation. For this, it is necessary to build a detailed cartography of the information system.

Risk analysis is a preliminary step in securing your information system, and makes it possible to evaluate the eventualities and plausible consequences of multiple risks, before deciding on the actions to be taken and their scheduling. This allows to reduce these risks to an acceptable level. Each risk is identified, quantified, qualified and prioritized according to the criteria of its evaluation and its impact on the company.

A short-term, medium-term, and long-term strategy will facilitate the prioritization of the subsequent works.


Tools used

Different methods exist for the analysis of risks related to information security; we refer to the EBIOS method from ANSSI, as well as ISO 27005.

ISO 27005

ISO 27005 defines a framework and risk management requirements for the implementation of an information security management system. It is part of a logic of continuous improvement PDCA cycle (Plan, Do, Check, Act). Risk is defined as the effect of uncertainty on the achievement of objectives.

The approach proposed by the standard is as follows:

  1. Context setting and defining risk acceptance criteria.
  2. Risk assessment: identification of assets, threats, existing security measures, vulnerabilities and their consequences.
  3. Treatment of risk by accepting, mitigating, avoiding and transferring it.

This process results in residual risks that may or may not be accepted. It is part of an ongoing communication with stakeholders and periodic monitoring and review of risks.


The EBIOS method is maintained by the French National Agency for the Security of Information Systems (ANSSI). It was reviewed in 2018 and is now titled EBIOS Risk Manager.

The EBIOS Risk Manager method adopts a risk management approach that starts from the highest level (major missions of the object under study) to progressively focus on the business and technical elements, studying the possible paths of attack. It aims to achieve a synthesis between compliance and scenarios by repositioning these two complementary approaches where they add the most value.

According to EBIOS Risk Manager, scenario-based risk assessment therefore focuses on intentional and targeted threats. It fully positions digital security at the level of the strategic and operational stakes of organisations. It thus provides a real framework for digital risk management. The method is modular and adapts to the context of organizations.

A risk arises from a strategic scenario exploited by a source of risk aiming at an objective and generating an event, composed of one or more paths of attack involving several elementary actions forming an operational scenario, whether or not using stakeholders as a vector of attack.

The method is based on five workshops, each with a purpose.

  1. Framing and safety base, based on basic safety principles and the regulatory and normative framework.
  2. Identification of sources of risk, i.e. an element, a person, a group of persons or an organisation likely to generate a risk, and characterised by its motivation, resources, skills and operating methods.
  3. Definition of strategic scenarios, which are paths of attack from a source of risk, through the ecosystem and the business values of the object under study, to a target objective.
  4. Definition of operational scenarios, defined as sequences of elementary actions carried out on the support goods of the object under study or its ecosystem.
  5. Identification of appropriate security measures in a continuous security improvement plan.

For more information, you can see the description of the EBIOS Risk Manager method on the ANSSI's website.

Other pages that might interest you :

Organizational IT security audit

We perform organizational audits to ensure that security measures are in place.

Security training

We teach IT security to your standard users and your technical staff.

You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.