The 2021 version of the Collective Risk Model (CRM) is a community-driven project. It is the result of numerous conversations between cybersecurity professionals over video conferences and dinners, in the hallways of security conferences, and across countless email exchanges. This is the first official and formal release of a simple, practical model that the community can use for managing cybersecurity risks.

Scott Adams, of Dilbert™ fame, warns: never be the creator, always be the criticizer. Creators open themselves up to attack and criticism. It is better, he says, to show your moral and intellectual superiority through criticizing someone else’s work than to create something yourself. With this project, we are violating that principle by organizing those conversations, cocktail-napkin diagrams, and email exchanges into a repository for the community.

This effort is a work in progress. We believe that the 2021 version will soon be replaced with a more valuable version, followed by a cycle of further updates and improvements. The community needs a risk model with straightforward language and a readily accessible roadmap to begin managing cybersecurity risks. We hope this is a starting point in that direction.

  Collective Risk Model - v2021
  Collective Control Catalog - v2023
  Collective Assessment Tool - v2023
  Collective Control Catalog Measures - v2023
  Cybersecurity Standards Scorecard (2022 Edition)