  • Julian Talbot

Mental Models For Security Risk Management

In security risk management, the ability to adapt and respond to evolving threats is paramount. This article describes several cognitive tools, or mental models, that offer useful perspectives and strategies for security risk managers.

These models, drawn from diverse disciplines, provide frameworks for understanding complex situations, making better decisions, and devising more effective security strategies.

Mental Models for Security Risk Management

Blitzkrieg Approach in Rapid Response

  • Definition: Originally a military strategy, Blitzkrieg emphasizes speed, surprise, and overwhelming force to quickly overpower an opponent.

  • Application in Security Risk Management: In security, a Blitzkrieg approach translates to a rapid and decisive response to a threat: swiftly mobilizing resources and personnel to contain a breach, invoking emergency protocols, or enacting countermeasures against an active cyber attack before it spreads.

  • Strategic Considerations: To implement this model effectively, security teams need to be well-trained and ready to act at a moment's notice. Quick decision-making, backed by sound intelligence and reliable communication channels, is key. Speed should come from pre-agreed playbooks and delegated authority rather than improvisation: the approach demands a high level of resource commitment, coordination, and preparedness, because a hasty response can introduce its own errors, such as destroying forensic evidence or disrupting systems that were not actually compromised.

Luck Surface Area in Opportunity Recognition

  • Definition: The Luck Surface Area concept suggests that you can increase your luck by doing more things and telling more people about what you do. In essence, it is about increasing the number of opportunities for good things to happen.

  • Application in Security Risk Management: For security risk managers, expanding the Luck Surface Area means increasing exposure to new ideas, technologies, and methodologies. This could involve networking with professionals from diverse sectors, staying abreast of the latest security trends, and actively seeking out innovative solutions to security challenges.

  • Strategic Considerations: To maximize the Luck Surface Area, encourage a culture of continuous learning and curiosity within your team. Attend conferences, participate in cross-industry forums, and collaborate with technology experts. The more you engage with the broader security community and share your challenges and achievements, the more likely you are to come across serendipitous opportunities that could enhance your security strategies.

Commitment Bias in Security Decisions

  • Definition: Commitment bias is the tendency to remain consistent with what we have already done or decided, even when new evidence suggests the original decision is no longer the best course of action. It leads us to stick with outdated strategies or investments because of past commitments (the sunk cost) rather than adapting to new information or changed circumstances.

  • Application in Security Risk Management: In security risk management, this can show up as reluctance to update systems or revise security protocols even in the face of emerging threats or new technologies. A typical example is continuing to fund a legacy control when a more effective alternative exists, simply because so much has already been invested in the older system.

  • Strategic Considerations: To counteract commitment bias, foster a culture of flexibility, lateral thinking, and open-mindedness in security teams. Encourage regular reviews of security strategies and tools. Be willing to pivot when necessary and maintain a mindset that values adaptive strategies and continuous improvement. Regular exercises that include scenario planning can help teams become more comfortable with change and better prepared to adjust strategies as the security landscape evolves.

Peak-End Effect in Crisis Management

  • Definition: This psychological principle suggests that people judge experiences primarily based on how they felt at their peak and at the end rather than the total sum or average of every moment of the experience.

  • Application in Security Risk Management: In the context of a security incident, the most intense moment (the peak) and the resolution phase (the end) disproportionately influence stakeholders' perceptions of the entire event. Effective management of these key moments can shape the narrative and learning outcomes from the incident.

  • Strategic Considerations: Train security teams to perform well at the most intense point of a crisis, and ensure clear, concise communication during the resolution phase, since those two moments will dominate how stakeholders remember the incident. Post-incident reviews should examine both moments explicitly, while also capturing the less memorable parts of the timeline that the peak-end effect tends to obscure.

Blue Ocean Strategy in Security Solutions

  • Definition: This strategy involves creating new market space (or 'Blue Ocean') where competition is irrelevant, as opposed to competing in an existing market.

  • Application in Security Risk Management: Security risk managers can apply this model by developing security solutions that address previously unmet needs, or by redefining existing security services. For example, adopting behavior-based or AI-driven threat detection can open up preemptive measures that traditional signature-based controls did not support. One way to start is to imagine that all the existing security controls disappeared overnight. If you had to start from scratch, with no history or sunk investment to guide you, which security measures would you introduce? Which measures from the previous system would you choose to reintroduce, and which would you leave behind?

  • Strategic Considerations: Identify underexplored areas in security management where innovative approaches can significantly reduce risk or cost. Encourage a culture of creative problem-solving and continuous improvement within the team.

Law Of Diminishing Returns in Security Investments

  • Definition: This economic principle states that, beyond a certain point, each additional unit of investment in a particular area yields a smaller return than the one before it.

  • Application in Security Risk Management: Identifying the point at which further spending on a specific control buys progressively less risk reduction is crucial for resource optimization. The question is not whether a control still works, but whether the next dollar spent on it reduces more risk than the same dollar spent elsewhere.

  • Strategic Considerations: Conduct regular reviews of security strategies and investments to identify areas where additional resources are less effective. Shift focus towards emerging risks or under-invested areas to maintain a balanced and effective security posture.


Applying mental models such as these to security risk management offers a fresh perspective and a toolkit for problem-solving. By drawing on these cognitive frameworks, security professionals can sharpen their analysis, improve their decision-making, and better prepare for the challenges of a constantly changing security landscape.


If you like these mental models, you might like the SRMBOK Guide to Security Risk Management Mental Models, which has another ten key mental models for SRM.
