Poster Support for an Obeya-Like Risk Management Approach

  • Stéphane PaulEmail author
  • Paul VarelaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11720)


Lean management is trendy. This trend is also reaching risk management. It has become very concrete in France following the EBIOS-Risk Manager method publication by the French National Agency for cybersecurity (ANSSI) in October 2018. However, if the new method fosters an agile approach of risk management, it does not provide the tools to support the mandated brainstorming workshops. In this paper we propose a set of A0 posters (and A5 cheat-sheets) to support the efficient and user-friendly organisation of the EBIOS-Risk Manager brain-storming sessions. The workshop participants are given sticky notes and felt pens to actively contribute to the data collection work. A facilitator helps organise the emergence of contributions. This approach is inspired from the Japanese Obeya form of project management, with the goal of making risk management simple, dynamic and attractive, or in one word, fun!


Risk management Agile Collaborative Workshops Brainstorming Posters Sticky notes (Post-Its®) EBIOS 



This research was partially funded by the French DGA CoSS-2 RAPID project. We wish to thank Sébastien Lhuillier and Thomas Baudillon from Thales SIX GTS FRANCE for their lead in the SCADA IoT case-study and Christophe Alix and Hélène Bachatène for their lead in the VLLAM/UTM case-study. Many thanks also to Fabien Caparros of ANSSI for his review of the poster templates, and to all the Thales engineers who made constructive comments on this work.

Poster Support for an Obeya-like Risk Management Approach by Stéphane Paul of Thales Research & Technology (Critical Embedded Systems Laboratory) will be made available in the form of PowerPoint slides under the CC BY-NC-SA (i.e. Creative Commons Attribution + Non Commercial + Share Alike) licence.


  1. 1.
    ANSSI. EBIOS Risk Manager, version 1.0 (in French). Agence Nationale de la Sécurité des Systèmes d’Information, Paris (2018)Google Scholar
  2. 2.
    ISO/IEC 27005. Information technology—Security techniques—Information security risk management. International Organization for Standardization/International Electrotechnical Commission, Geneva (2018)Google Scholar
  3. 3.
    NIST SP800-64r2. Security Considerations in the System Development Life Cycle. National Institute of Standards and Technology, Gaithersburg (2008)Google Scholar
  4. 4.
    47-DDQ-GRP-EN. Cybersecurity Engineering Guide (commercial-in-confidence). Thales Chorus 2.0. Accessed 31 Jan 2018Google Scholar
  5. 5.
    CESG. HMG IA Standard Numbers 1 & 2, Information Risk Management. National Technical Authority for Information Assurance, Cheltenham, Gloucestershire, UK (2012)Google Scholar
  6. 6.
    CESG. HMG IA Standard Numbers 1 & 2 – Supplement, Technical Risk Assessment and Risk Treatment. National Technical Authority for Information Assurance, Cheltenham, Gloucestershire, UK (2012)Google Scholar
  7. 7.
    Lockheed Martin. The Cyber Kill Chain. Accessed 6 March 2019
  8. 8.
    OMG. Software & Systems Process Engineering Metamodel (SPEM). Object Management Group (2008)Google Scholar
  9. 9.
    ANSSI. EBIOS Risk Manager Accreditation: Tools to support Cybersecurity Risk Management (in French only) (2019). Accessed 16 May 2019
  10. 10.
    RiskOversee. Tool-up your EBIOS analysis. ALL4TEC (2019). Accessed 16 May 2019
  11. 11.
    KapIt. Digital Visual Management for Lean & Agile companies. Accessed 22 May 2019
  12. 12.
    Framasoft. Framemo. Accessed 22 May 2019
  13. 13.
    IEC 62443-3-3. Industrial communication networks - Network and system security - Part 3–3: System security requirements and security levels. International Electrotechnical Commission (2013)Google Scholar
  14. 14.
    IEC 62443. Industrial communication networks - Network and system security. Industrial Automation and Control System Security Committee of the International Society for Automation (ISA)Google Scholar
  15. 15.
    NIST SP 800-53. Security and Privacy Controls for Federal Information Systems Federal Information Systems, Special Publication 800-53, Revision 4. National Institute of Standards and Technology, Gaithersburg (2013)Google Scholar
  16. 16.
    DMD-TC. WAEA Specification 0395, Content Delivery for In-Flight Entertainment. Digital Media Distribution Technical Committee of the World Airline Entertainment Association Technology Committee (WAEA-TC), Virginia, USA (2001)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Thales Research and TechnologyPalaiseauFrance
  2. 2.Thales Secure Communications and Information SystemsGennevilliersFrance

Personalised recommendations