Tigger team -- a novel methodology to manage business risk

Ian McKinnon

Abstract:

Security is hard. Security is expensive. Security negatively impacts business function. All of these are bad, but far worse is the difficulty of measuring the effectiveness of security.

IT security over the last decade has become increasingly visible and important to a broad range of businesses. At the beginning of this period the response to IT risk was predominantly focused on technical prevention. Gradually this has evolved into a more business-oriented approach to risk management. This change has come about largely because of the perception that the technical approach to security provided too narrow a view of risk, failed to engage effectively with the business and was failing to deliver benefit.

This paper explores a number of the fundamental difficulties that hamper the delivery of effective IT security. It also examines some of the difficulties created by the conflict between the goals of security and those of the business. This paper describes a methodology that attempts to minimise the impact of a number of these difficulties. The primary goal of this methodology is to provide the business with clear justification to support IT security activities and to demonstrate an adequate return on investment.

The methodology proposes the development of offensive and defensive capabilities within an organisation, in order to identify and manage both contextualised business risk and generic technical risk. The defensive capabilities act as both a control and a deterrent, but most importantly they provide concrete evidence of loss, which can be used to justify future activities. The offensive capabilities allow the business to refine its understanding of its specific risk, rather than generic risk. In addition, they allow realistic testing of the defensive capabilities through simulated attacks.

The methodology is cyclic, and as it progresses the understanding and management of risks specific to the business should evolve. This will allow security to address increasingly remote and esoteric risks, until it is no longer possible to economically justify deploying mitigation. When this stage is reached, the remaining risks will be sufficiently small to fall within the business's risk appetite. The monitoring process should still identify exploitation of these risks, but no controls would be deployed because they would be uneconomic.