antifragile/antifragile-consulting/assessment-templates/antifragile-risk-register.md
Tomas Kracmar 763da003d3 Initial commit: antifragile cybersecurity consulting blueprint
Complete repository of frameworks, playbooks, and assessment resources
for cybersecurity consultations focused on antifragile enterprise design.

Includes:
- Core philosophy and manifest (5 pillars)
- 12 modular engagement packages
- AI sovereignty and operations frameworks
- Zero-budget vulnerability discovery and hardening playbooks
- M365 E3 hardening and antifragile project plans
- Osquery sovereign discovery platform blueprint
- Perimeter scanning capability guide
- AI-assisted TVM blueprint for AI-powered adversaries
- Vertical specializations: banking, telco, power/utilities
- CIS Controls v8 and NIST CSF 2.0 mappings
- Risk registers and assessment templates
- C-suite conversation guide and business case templates
2026-05-09 16:53:22 +02:00

# Antifragile Risk Register Template
> *"Traditional risk registers count vulnerabilities. Antifragile risk registers map the kill chain, preserve optionality, and engineer convexity."*

This template replaces conventional risk management with an antifragile approach. It is designed to identify not just what can go wrong, but **how the organization benefits from addressing it**—and what structural improvement emerges from each risk realization.
---
## The Antifragile Risk Dimensions
Traditional risk registers track Probability and Impact. We add five antifragile dimensions:
| Dimension | Traditional Equivalent | Antifragile Question |
|-----------|----------------------|---------------------|
| **Kill Chain Position** | Asset location | "If this risk materializes, what is the shortest path to organizational failure?" |
| **Optionality Impact** | N/A | "Does this risk, if unaddressed, remove our ability to change direction?" |
| **Convexity** | Risk score | "Is the payoff asymmetric—small investment to prevent, catastrophic cost if realized?" |
| **Stress-to-Signal** | Lessons learned | "If this risk materializes, what structural improvement must result?" |
| **T0 Classification** | Criticality | "Is this existential (T0), major (T1), significant (T2), or standard (T3)?" |
---
## Risk Register Template
### Metadata
```
Organization: ________________________________
Assessment Date: ________________________________
Assessor: ________________________________
Review Cadence: Monthly / Quarterly
Next Review Date: ________________________________
```
### Risk Entries
| Field | Description | Example |
|-------|-------------|---------|
| **Risk ID** | Unique identifier (e.g., AF-2024-001) | AF-2024-001 |
| **Risk Name** | Short, specific description | Domain Admin Account Compromise |
| **Description** | Detailed scenario | A standing Domain Admin account is compromised via phishing, allowing an adversary to establish persistent access and exfiltrate data |
| **T0 / T1 / T2 / T3** | Tier classification | T0 |
| **Kill Chain Position** | Shortest path to failure | Direct: compromised admin → full domain takeover → all systems compromised |
| **Probability** | Likelihood (1-5) | 4 (High: admin accounts are high-value phishing targets) |
| **Impact** | Consequence (1-5) | 5 (Existential: total organizational compromise) |
| **Traditional Risk Score** | P × I | 20 (Critical) |
| **Optionality Impact** | Does this remove strategic options? | High: if AD is compromised, migration to cloud-native identity becomes impossible until recovery |
| **Convexity** | Asymmetric payoff? | Extreme: MFA deployment costs €0 (E3); domain compromise costs €500K+ |
| **Current Control** | What exists today? | Password policy; no MFA on admin accounts; no PIM |
| **Antifragile Move** | What structural change is required? | (1) Remove standing Domain Admin assignments; (2) deploy PIM (or a manual JIT process); (3) enforce MFA with hardware tokens; (4) deploy PAWs for all admin activity |
| **Owner** | Who is accountable? | CISO |
| **Target Date** | When must this be addressed? | 14 days |
| **Status** | Open / In Progress / Closed / Accepted / Transferred | Open |
| **Stress-to-Signal Mandate** | If this risk materializes, what must change? | Post-incident: all admin activity permanently moved to PAWs; quarterly access reviews institutionalized; admin accounts reduced to minimum viable count |
| **Verification Method** | How do we prove the fix works? | Monthly PIM audit; quarterly red team targeting admin credentials; Secure Score admin control metric |
---
## Risk Categories (Antifragile Taxonomy)
### Category 1: Sovereignty Risks
Risks related to loss of control over data, intelligence, or infrastructure.
| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Proprietary data trains competitor AI models | Data → cloud AI → model improvement → competitive erosion | T0 | Deploy local or Azure OpenAI with data protection guarantees; classify AI data flows |
| Cloud vendor changes terms or pricing | Terms change → operational disruption → forced migration under duress | T0 | Document exit architecture; maintain data portability; dual-vendor readiness |
| Vendor discontinues critical service | Service ends → workflow collapse → emergency procurement | T1 | Maintain abstraction layers; escrow agreements; 90-day exit plans |
### Category 2: Identity Risks
Risks related to authentication, authorization, and account lifecycle.
| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Standing privileged account compromise | Phish → admin account → lateral movement → domain takeover | T0 | Eliminate standing privileges; deploy PIM or manual JIT; PAWs |
| Orphaned account resurrection | Former employee account not disabled → credential sale → unauthorized access | T1 | Automated orphan detection; quarterly access reviews; offboarding workflow tied to HR |
| MFA bypass via legacy authentication | Legacy protocol → password spray → account access without MFA | T1 | Block legacy auth tenant-wide; monitor for legacy auth attempts |
### Category 3: Resilience Risks
Risks related to the organization's ability to survive and recover from failure.
| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Backups unrecoverable | Ransomware → backup failure → data loss → business termination | T0 | Quarterly recovery drills; immutable backups; tested runbooks |
| Single point of failure in critical system | Component failure → cascade → service outage | T1 | Chaos engineering; redundancy; graceful degradation design |
| Untested disaster recovery plan | Incident → DR plan fails → extended outage → regulatory fine | T1 | Quarterly DR drills; documented and practiced runbooks; automated failover where possible |
### Category 4: Organizational Risks
Risks related to structure, culture, and process.
| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Security team as gatekeeper, not enabler | Security blocks releases → development bypasses controls → shadow IT proliferation | T1 | Embed security in teams; shared metrics; automated security gates in CI/CD |
| Knowledge concentrated in single individual | Key person departure → operational paralysis → recovery delay | T1 | Cross-training; runbook documentation; bus factor > 1 for all critical functions |
| Incident findings not converted to structure | Incident occurs → post-mortem written → no changes made → repeat incident | T1 | Blameless post-mortems with structural mandates; mean-time-to-structural-fix metric |
### Category 5: AI-Specific Risks
Risks introduced by artificial intelligence adoption.
| Risk | Kill Chain | Tier | Antifragile Move |
|------|-----------|------|-----------------|
| Prompt injection on business-critical AI workflow | Malicious input → AI generates harmful output → business decision based on bad data | T1 | Input validation; output filtering; human-in-the-loop for critical decisions |
| AI model poisoning via training data | Adversarial training data → model behaviour change → security control failure | T0 | Data provenance tracking; training data validation; model integrity monitoring |
| Shadow AI usage leaks crown jewels | Employee uses public AI → proprietary data exfiltrated → competitive disadvantage | T0 | Sanctioned AI alternative (Azure OpenAI bridge); DLP monitoring; user education |
---
## The Kill Chain Risk Register
For the highest-priority risks, map the full kill chain:
```
RISK ID: ________________
RISK NAME: ________________
KILL CHAIN ANALYSIS:
Step 1 (Initial Access): ________________________________________________
Step 2 (Persistence): ________________________________________________
Step 3 (Privilege Escalation): ________________________________________________
Step 4 (Lateral Movement): ________________________________________________
Step 5 (Impact): ________________________________________________
SHORTEST PATH TO FAILURE: _____ steps
CRITICAL NODE (break the chain here): ___________________________________
ANTIFRAGILE MOVE AT CRITICAL NODE: _____________________________________
VERIFICATION: __________________________________________________________
```
---
## Scoring and Prioritization
### Traditional Score
```
Risk Score = Probability (1-5) × Impact (1-5)
```
| Score | Priority |
|-------|----------|
| 20-25 | P0 — Address within 14 days |
| 15-19 | P1 — Address within 30 days |
| 10-14 | P2 — Address within 90 days |
| 5-9 | P3 — Address within 180 days |
| 1-4 | P4 — Monitor and schedule |
### Antifragile Score (Supplemental)
```
Antifragile Priority = Traditional Score + Optionality Impact (0-5) + Convexity (0-5)
```
Risks that remove optionality or have extreme convexity receive elevated priority even if traditional probability is moderate.
| Antifragile Score | Interpretation |
|-------------------|----------------|
| 30+ | Existential + optionality-destroying. Address immediately. |
| 25-29 | High risk with structural implications. Address within 30 days. |
| 20-24 | Significant risk. Address within standard timeline. |
| < 20 | Manage through existing controls. |
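The two scoring formulas and their priority bands above are simple enough to be encoded directly, which is also the easiest way to keep a register consistent when many people fill it in. The following Python is an added example, not part of the original template or the repository: it validates a register row, computes the Traditional Score (P × I) with its P0–P4 band, computes the supplemental Antifragile Score (Traditional + Optionality Impact + Convexity) with its interpretation band, and ranks entries by the antifragile score. The sample register is constructed; its first row mirrors the page's AF-2024-001 example (P=4, I=5), and the numeric values chosen for the template's qualitative "High" optionality and "Extreme" convexity are assumptions, since the page gives only the 0–5 ranges.

```python
from dataclasses import dataclass

# Bands copied from the page's Traditional Score table: (low, high, priority label).
TRADITIONAL_BANDS = [
    (20, 25, "P0 - Address within 14 days"),
    (15, 19, "P1 - Address within 30 days"),
    (10, 14, "P2 - Address within 90 days"),
    (5, 9, "P3 - Address within 180 days"),
    (1, 4, "P4 - Monitor and schedule"),
]

# Bands from the page's Antifragile Score table: (minimum score, interpretation).
ANTIFRAGILE_BANDS = [
    (30, "Existential + optionality-destroying. Address immediately."),
    (25, "High risk with structural implications. Address within 30 days."),
    (20, "Significant risk. Address within standard timeline."),
    (0, "Manage through existing controls."),
]

VALID_TIERS = ("T0", "T1", "T2", "T3")


@dataclass(frozen=True)
class RiskEntry:
    """One register row, holding only the fields the scoring needs."""
    risk_id: str
    name: str
    tier: str                # T0 (existential) .. T3 (standard)
    probability: int         # 1-5
    impact: int              # 1-5
    optionality_impact: int  # 0-5; mapping the template's "High"/"Low" onto
    convexity: int           # 0-5; this range is an assumption of this example

    def __post_init__(self) -> None:
        # Reject malformed rows early: a score computed from out-of-range
        # values would silently mis-prioritise the risk.
        if self.tier not in VALID_TIERS:
            raise ValueError(f"{self.risk_id}: tier must be one of {VALID_TIERS}")
        for field, value, low in (("probability", self.probability, 1),
                                  ("impact", self.impact, 1),
                                  ("optionality_impact", self.optionality_impact, 0),
                                  ("convexity", self.convexity, 0)):
            if not isinstance(value, int) or not low <= value <= 5:
                raise ValueError(f"{self.risk_id}: {field} must be an integer in {low}-5")


def traditional_score(entry: RiskEntry) -> int:
    """Probability x Impact, the page's Traditional Score."""
    return entry.probability * entry.impact


def traditional_priority(score: int) -> str:
    """Map a 1-25 traditional score onto the page's P0-P4 bands."""
    for low, high, label in TRADITIONAL_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"traditional score {score} is outside 1-25")


def antifragile_score(entry: RiskEntry) -> int:
    """Traditional Score + Optionality Impact + Convexity, the page's supplemental score."""
    return traditional_score(entry) + entry.optionality_impact + entry.convexity


def antifragile_interpretation(score: int) -> str:
    """Map an antifragile score onto the page's interpretation bands (highest band first)."""
    for minimum, label in ANTIFRAGILE_BANDS:
        if score >= minimum:
            return label
    raise ValueError(f"antifragile score {score} is below 0")


def rank_register(entries: list[RiskEntry]) -> list[dict]:
    """Score every entry and rank by antifragile score, ties broken by traditional score."""
    rows = []
    for e in entries:
        t = traditional_score(e)
        a = antifragile_score(e)
        rows.append({
            "risk_id": e.risk_id, "name": e.name, "tier": e.tier,
            "traditional_score": t, "priority": traditional_priority(t),
            "antifragile_score": a, "interpretation": antifragile_interpretation(a),
        })
    return sorted(rows, key=lambda r: (r["antifragile_score"], r["traditional_score"]),
                  reverse=True)


# Constructed sample register. Row 1 mirrors the page's AF-2024-001 example (P=4, I=5);
# optionality 4 and convexity 5 are assumed encodings of "High" and "Extreme".
# Rows 2 and 3 are invented to show a moderate-probability, optionality-destroying risk
# outranking a higher traditional score once the supplemental score is applied.
SAMPLE_REGISTER = [
    RiskEntry("AF-2024-001", "Domain Admin Account Compromise", "T0", 4, 5, 4, 5),
    RiskEntry("AF-2024-002", "Phishing of standard users (no privileged path)", "T2", 5, 3, 0, 1),
    RiskEntry("AF-2024-003", "Cloud vendor changes terms or pricing", "T0", 3, 4, 5, 5),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['risk_id']} {row['name']:<48} trad={row['traditional_score']:>2} "
              f"({row['priority']}) anti={row['antifragile_score']:>2} -> {row['interpretation']}")
```

Run as a script, the ranking places AF-2024-003 (traditional 12, P2) above AF-2024-002 (traditional 15, P1) because its optionality and convexity values lift it into the "Significant risk" band, which is exactly the elevation the supplemental score is meant to produce. The validation in `__post_init__` is the part worth keeping in any real register tooling: a row with an impact of 7 or a tier of "T9" should fail at entry time rather than quietly sorting to the wrong place.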
---
## Review and Governance
### Monthly Tactical Review
- Open risks: status, blockers, escalation needs
- Closed risks: verification that controls are working
- New risks: emerging from incidents, changes, or threat intelligence
### Quarterly Strategic Review
- Risk trend: Are we reducing existential risks faster than new ones emerge?
- Kill chain coverage: Are there unprotected paths we have not mapped?
- Optionality audit: Have any changes reduced our strategic flexibility?
- Stress-to-signal conversion: How many incidents produced structural improvements?
### Annual Board Review
- Risk register summary: T0 risks, open vs. closed, trend
- Kill chain assurance: Independent validation of critical node protection
- Antifragile maturity: Mean time to structural fix, chaos experiment results, recovery drill outcomes
---
## Integration With Other Documents
| Document | Integration |
|----------|-------------|
| [T0 Asset Framework](../core/t0-asset-framework.md) | T0 classification determines which risks are existential |
| [Rapid Modernisation Plan](../playbooks/rapid-modernisation-plan.md) | Phase priorities map directly to P0/P1/P2 risk closure |
| [C-Suite Conversation Guide](../core/c-suite-conversation-guide.md) | Risk register produces the "cost of inaction" narrative |
| [Business Case Template](../playbooks/business-case-template.md) | Risk scores convert to expected financial loss |
---
*For the M365-specific risk register, see [M365 Project Risk Register](m365-project-risk-register.md).*