{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T18:38:17Z","timestamp":1761763097000,"version":"build-2065373602"},"reference-count":63,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2021,8,27]],"date-time":"2021-08-27T00:00:00Z","timestamp":1630022400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Horizon 2020","award":["833673"],"award-info":[{"award-number":["833673"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Cyberattacks make the news daily. Systems must be appropriately secured. Cybersecurity risk analyses are more than ever necessary, but\u2026 traveling and gathering in a room to discuss the topic has become difficult due to the COVID, whilst having a cybersecurity expert working isolated with an electronic support tool is clearly not the solution. In this article, we describe and illustrate Ob\u00e9risk, an agile, cross-disciplinary and Obeya-like approach to risk management that equally supports face-to-face or remote risk management brainstorming sessions. The approach has matured for the last three years by using it for training and a wide range of real industrial projects. The overall approach is detailed and illustrated on a naval use case, with extensive feedback from the end-users. We show that Ob\u00e9risk is really time-efficient and effective at managing risks at the early stages of a project, whilst remaining extremely low-cost. As the project grows or when the system is deployed, it may eventually be necessary to shift to a more comprehensive commercial electronic support tool.<\/jats:p>","DOI":"10.3390\/info12090349","type":"journal-article","created":{"date-parts":[[2021,8,27]],"date-time":"2021-08-27T09:53:23Z","timestamp":1630058003000},"page":"349","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Ob\u00e9risk: Cybersecurity Requirements Elicitation through Agile Remote or Face-to-Face Risk Management Brainstorming Sessions"],"prefix":"10.3390","volume":"12","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2123-5370","authenticated-orcid":false,"given":"St\u00e9phane","family":"Paul","sequence":"first","affiliation":[{"name":"Thales Research & Technology, 91767 Palaiseau, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Douraid","family":"Naouar","sequence":"additional","affiliation":[{"name":"Chair of Naval Cyber Defense, Ecole Navale, 29160 Lanv\u00e9oc, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Emmanuel","family":"Gureghian","sequence":"additional","affiliation":[{"name":"Thales Research & Technology, 91767 Palaiseau, France"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2021,8,27]]},"reference":[{"key":"ref_1","unstructured":"Shimel, A., and Miller, M. (2019, January 30). A Brief History of DevSecOps and Where We Go from Here. Proceedings of the RSA Conference, Webcasts."},{"key":"ref_2","unstructured":"Allspaw, J., and Hammond, P. (2009, January 22\u201324). 10+ deploys per day: Dev & ops cooperation at Flickr. Proceedings of the Velocity, Web Performance and Operations Conference, San Jose, CA, USA."},{"key":"ref_3","unstructured":"Delio, M. (2021, February 03). Gates Finally Discovers Security, WIRED. Available online: https:\/\/www.wired.com\/2002\/01\/gates-finally-discovers-security\/."},{"key":"ref_4","unstructured":"Red Hat (2021, February 02). What is DevSecOps? Red Hat, Inc.. Available online: https:\/\/www.redhat.com\/en\/topics\/devops\/what-is-devsecops."},{"key":"ref_5","unstructured":"Cohen, S. (2021, February 02). Automation: One of the Keys to DevSecOps. Synopsys. Available online: https:\/\/www.synopsys.com\/blogs\/software-security\/automation-in-devsecops\/."},{"key":"ref_6","unstructured":"IBM (2021, February 02). DevSecOps. IBM. Available online: https:\/\/www.ibm.com\/cloud\/learn\/devsecops."},{"key":"ref_7","unstructured":"Lietz, S. (2021, February 02). What is DevSecOps? DevSecOps. Available online: https:\/\/www.devsecops.org\/blog\/2015\/2\/15\/what-is-devsecops."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Paul, S., and Varela, P. (2019, January 24). Poster Support for an Obeya-like Risk Management Approach. Proceedings of the 6th International Workshop on Graphical Models for Security (GraMSec), Hoboken, NJ, USA.","DOI":"10.1007\/978-3-030-36537-0_8"},{"key":"ref_9","unstructured":"Agence Nationale de la S\u00e9curit\u00e9 des Syst\u00e8mes d\u2019Information (ANSSI) (2019). EBIOS Risk Manager."},{"key":"ref_10","unstructured":"KPMG (2021, April 01). KPMG 2021 CEO Outlook Pulse Survey\u2014Preparing for a New Reality. KPMG International Limited. Available online: https:\/\/home.kpmg\/xx\/en\/home\/insights\/2021\/03\/ceo-outlook-pulse.html."},{"key":"ref_11","unstructured":"Chapman, C., and Ward, S. (1996). Project Risk Management: Processes, Techniques and Insights, John Wiley."},{"key":"ref_12","unstructured":"Chevalier, A., and Hirsch, G. (1982). Risk Management: For Better Control of Business Risks, FeniXX."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/0263-7863(94)00018-8","article-title":"Leadership and the project-management body of knowledge","volume":"13","author":"Cleland","year":"1995","journal-title":"Int. J. Proj. Manag."},{"key":"ref_14","unstructured":"Beihoff, B., Oster, C., Friedenthal, S., Paredis, C., Kemp, D., Stoewer, H., Nichols, D., and Wade, J. (2021, August 02). A World in Motion\u2013Systems Engineering Vision 2025\u2014INCOSE-SE Leading Indicators Guide. Available online: https:\/\/www.incose.org\/docs\/default-source\/aboutse\/se-vision-2025.pdf."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1109\/MS.2005.129","article-title":"Management challenges to implementing agile processes in traditional development organizations","volume":"22","author":"Boehm","year":"2005","journal-title":"IEEE Softw."},{"key":"ref_16","first-page":"2357","article-title":"The Challenges of Implementing Agile Scrum in Information System\u2019s Project","volume":"10","author":"Arif","year":"2018","journal-title":"J. Adv. Res. Dyn. Control Syst. JARDCS"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Hayata, T., and Han, J. (2011, January 10\u201312). A hybrid model for IT project with Scrum. Proceedings of the IEEE International Conference on Service Operations, Logistics and Informatics, Beijing, China.","DOI":"10.1109\/SOLI.2011.5986572"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Paasivaara, M., Durasiewicz, S., and Lassenius, C. (2008, January 17\u201320). Distributed Agile Development: Using Scrum in a Large Project. Proceedings of the IEEE International Conference on Global Software Engineering, Bangalore, India.","DOI":"10.1109\/ICGSE.2008.38"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3145905","article-title":"Exiting the risk assessment maze: A meta-survey","volume":"51","author":"Gritzalis","year":"2018","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.cose.2015.11.001","article-title":"Taxonomy of information security risk assessment (ISRA)","volume":"57","author":"Cheriet","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"681","DOI":"10.1007\/s10207-017-0382-0","article-title":"A framework for estimating information security risk assessment method completeness","volume":"17","author":"Wangen","year":"2018","journal-title":"Int. J. Inf. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"410","DOI":"10.1108\/IMCS-07-2013-0053","article-title":"Current challenges in information security risk management","volume":"22","author":"Fenz","year":"2014","journal-title":"Inf. Manag. Comput. Secur."},{"key":"ref_23","unstructured":"ISO\/IEC 27005 (2018). Information Technology\u2014Security Techniques\u2014Information Security Risk Management, International Organization for Standardization\/International Electrotechnical Commission."},{"key":"ref_24","unstructured":"IEC 62443-32 (2020). Security for Industrial Automation and Control Systems\u2014Part 3-2: Security Risk Assessment for System Design, International Electrotechnical Commission."},{"key":"ref_25","unstructured":"NIST SP800-30 (2012). Guide for Conducting Risk Assessments, National Institute of Standards and Technology."},{"key":"ref_26","unstructured":"BSI-Standard 200-3 (2017). Risk Analysis Based on IT-Grundschutz, Federal Office for Information Security (BSI)."},{"key":"ref_27","unstructured":"Amutio, M.A., Candau, J., and Ma\u00f1as, J.A. (2014). MAGERIT\u2014Methodology for Information Systems Risk Analysis and Management, Ministry of Finance and Public Administration."},{"key":"ref_28","unstructured":"Tucker, B.A. (2020). Advancing Risk Management Capability Using the OCTAVE FORTE Process, Carnegie Mellon University (CMU)."},{"key":"ref_29","unstructured":"Mozilla (2021, April 17). Rapid Risk Assessment. Mozilla. Available online: https:\/\/infosec.mozilla.org\/guidelines\/risk\/rapid_risk_assessment."},{"key":"ref_30","unstructured":"CLUSIF (2021, February 03). Fondamentals of the MEHARI Method (in French Only). French Information Security Club (CLUSIF). Available online: https:\/\/clusif.fr\/services\/management-des-risques\/les-fondamentaux-de-mehari\/."},{"key":"ref_31","unstructured":"ISO 31000 (2018). Risk Management\u2014Guidelines, International Organization for Standardization."},{"key":"ref_32","unstructured":"ALL4TEC (2020, December 08). Agile Risk Manager Tools Up Your EBIOS RM Analysis. ALL4TEC. Available online: https:\/\/www.all4tec.com\/en\/agile-risk-manager-your-ebios-risk-manager-certified-solution\/."},{"key":"ref_33","unstructured":"Eg\u00e9rie (2021, June 26). Eg\u00e9rie Risk Manager. Available online: https:\/\/egerie-software.com\/en\/egerie-risk-manager\/."},{"key":"ref_34","unstructured":"Risk\u2019n Tic (2021, June 26). Risk\u2019n Tic\u2014Simple Risk Management Solutions. Available online: https:\/\/riskntic.com\/en\/."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"1361","DOI":"10.1109\/COMST.2017.2781126","article-title":"Optimal countermeasures selection against cyber attacks: A comprehensive survey on reaction frameworks","volume":"20","author":"Nespoli","year":"2017","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1002\/pmj.21325","article-title":"Managing Risks in Complex Projects","volume":"44","author":"Thamhain","year":"2013","journal-title":"Proj. Manag. J."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"444","DOI":"10.1016\/j.ijproman.2011.09.003","article-title":"Risk managements\u2019 communicative effects influencing IT project success","volume":"30","author":"Bakker","year":"2012","journal-title":"Int. J. Proj. Manag."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1111\/rmir.12169","article-title":"Cyber risk management: History and future research directions","volume":"24","author":"McShane","year":"2021","journal-title":"Risk Manag. Insur. Rev."},{"key":"ref_39","first-page":"161","article-title":"A fundamental approach to cyber risk analysis","volume":"12","author":"Laube","year":"2019","journal-title":"Variance"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"722","DOI":"10.1016\/j.ijproman.2006.09.010","article-title":"Practitioner development: From trained technicians to reflective practitioners","volume":"24","author":"Crawford","year":"2006","journal-title":"Int. J. Proj. Manag."},{"key":"ref_41","first-page":"321","article-title":"Impact of risk management on project performance: The importance of soft skills","volume":"53","author":"Junior","year":"2014","journal-title":"Int. J. Prod. Res."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"686","DOI":"10.1016\/j.ijproman.2012.03.007","article-title":"Project management scholarship: Relevance, impact and five integrative challenges for business and management schools","volume":"30","author":"Maylor","year":"2012","journal-title":"Int. J. Proj. Manag."},{"key":"ref_43","first-page":"101","article-title":"Risk management, project success, and technological uncertainty","volume":"32","author":"Raz","year":"2002","journal-title":"R D Manag."},{"key":"ref_44","unstructured":"Agence Nationale de la S\u00e9curit\u00e9 des Syst\u00e8mes d\u2019Information (ANSSI) (2018). Digital Agility & Security: Method and Tools for Use by Project Teams (in French: Agilit\u00e9 & S\u00e9curit\u00e9 Num\u00e9riques: M\u00e9thode et Outils \u00e0 l\u2019usage des Equipes Projet)."},{"key":"ref_45","unstructured":"iObeya (2021, March 29). Unleash the Power of Visual Management. Available online: https:\/\/www.iobeya.com\/."},{"key":"ref_46","unstructured":"MURAL (2021, March 29). Put Imagination to Work. Tactivos, Inc. dba MURAL. Available online: https:\/\/www.mural.co\/."},{"key":"ref_47","unstructured":"ESME Sudria (2021, April 01). International Graduate Program in Cybersecurity. Available online: https:\/\/www.esme.fr\/en\/studies-engineering-school\/international-program-cybersecurity."},{"key":"ref_48","unstructured":"FORESIGHT Project (2021, June 09). Advanced Cyber Security Simulation Platform for Preparedness Training in Aviation, Power Grid and Naval Environments. H2020 FORESIGHT Project. Available online: https:\/\/foresight-h2020.eu\/."},{"key":"ref_49","unstructured":"Club EBIOS (2021, March 16). The Risk Management Forum. Club EBIOS. Available online: https:\/\/club-ebios.org\/site\/en\/welcome\/."},{"key":"ref_50","unstructured":"Paul, S. (2021, March 12). Ob\u00e9risk: A Tooled-Up Obeya-Like Approach to Risk Management. Club EBIOS, 01. Available online: https:\/\/club-ebios.org\/site\/en\/obeya-like-risk-management-approach\/."},{"key":"ref_51","unstructured":"Paul, S. (2021, March 16). Ob\u00e9risk: A Poster Support for an Obeya-Like Risk Management Approach. Research Gate. Available online: https:\/\/www.researchgate.net\/publication\/336686823_Oberisk_a_poster_support_for_an_Obeya-like_risk_management_approach."},{"key":"ref_52","unstructured":"Chair of the Naval Cyber-Defence (2021, June 09). Cybersecurity at the Service of the Maritime World (in French: La cybers\u00e9curit\u00e9 au Service du Monde Maritime). Available online: https:\/\/www.chaire-cyber-navale.fr\/."},{"key":"ref_53","unstructured":"Annex 3 of FORESIGHT D5.3 (2021, June 09). Models for Risk Analysis and Assessment (Naval Use-Case). Available online: https:\/\/club-ebios.org\/site\/wp-content\/uploads\/productions\/ClubEBIOS-Oberisk-Exemple-2021-01-07.pdf."},{"key":"ref_54","unstructured":"European Parliament and European Council (2021, March 31). Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation). EUR-Lex. Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32016R0679."},{"key":"ref_55","unstructured":"Bruns, K. (2021, March 31). \u201cNegation Symbol,\u201d Wumbo. Available online: https:\/\/wumbo.net\/symbol\/negation\/."},{"key":"ref_56","unstructured":"CESG IA BIL (2021, August 25). Extract from HMG IA Standard No.1\u2014Business Impact Level Tables. Available online: https:\/\/www.shreddingmachines.co.uk\/business-impact-tables.pdf."},{"key":"ref_57","unstructured":"Agence Nationale de la S\u00e9curit\u00e9 des Syst\u00e8mes d\u2019Information (ANSSI) (2021). EBIOS Risk Manager\u2014Going Further."},{"key":"ref_58","unstructured":"Lockheed Martin (2019, March 06). The Cyber Kill Chain. Available online: https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html."},{"key":"ref_59","unstructured":"Object Management Group (OMG) (2021, April 07). About the Software & Systems Process Engineering Metamodel Specification\u2014Version 2.0. Available online: https:\/\/www.omg.org\/spec\/SPEM\/About-SPEM\/#docs-normative-supporting."},{"key":"ref_60","unstructured":"CESG (2012). HMG IA Standard Numbers 1 & 2, Information Risk Management."},{"key":"ref_61","unstructured":"PRAETORIAN (2021, July 28). Protection of Critical Infrastructures from Advanced Combined Cyber and Physical Threats. European Commission. Available online: https:\/\/praetorian-h2020.eu\/."},{"key":"ref_62","unstructured":"Agence Nationale de la S\u00e9curit\u00e9 des Syst\u00e8mes d\u2019Information (ANSSI) (2010). Expression of Needs and Identification of Security Objectives (EBIOS)\u2014Risk Management Method."},{"key":"ref_63","unstructured":"FAIR Institute (2021, July 28). What is FAIR?. 2021., Available online: https:\/\/www.fairinstitute.org\/what-is-fair."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/12\/9\/349\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T06:53:52Z","timestamp":1760165632000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/12\/9\/349"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,27]]},"references-count":63,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2021,9]]}},"alternative-id":["info12090349"],"URL":"https:\/\/doi.org\/10.3390\/info12090349","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2021,8,27]]}}}