Citicus ONE is the product of a 35-year programme of research conducted by the founders of Citicus Limited in conjunction with leading organizations around the world.

This collaborative research has involved hundreds of the world’s leading public- and private-sector enterprises. The results of many projects have been published by the organizations that commissioned them either in the public domain, for sale or for the exclusive use of their members.

To give an idea of the depth of this research, its key features are outlined below under the following headings:

  • Sample project
  • Published research
  • Key insights

Sample project

The 1998-9 ISF survey is an example of the scale of research which illuminates the design and development of Citicus ONE:

  • about 1,000 people from 147 private- and public-sector enterprises were involved in compiling questionnaires, completing them and analyzing / reviewing results
  • questionnaires probed the status of 5,600 issues affecting the risk posed by 969 IT environments
  • 61,000 pages of completed questionnaires gathered over 950,000 facts about surveyed environments, including their criticality, controls applied, incidents suffered and profile characteristics (e.g. sector, location, technology employed, staffing, size, age)
  • analysis shed new light on the effectiveness of controls in reducing incidents and other factors that determine or indicate information risk
  • results were subject to intensive review by practitioners and outside experts
  • results illuminated the subsequent development of the ISF’s Fundamental Information Risk Management (FIRM) methodology, which the founders of Citicus Limited developed for and in conjunction with the ISF. Citicus Limited has an exclusive license to automate the resultant methodology for general sale, by virtue of the role played by Citicus directors in its development.

Published research

Published research that has been largely or entirely authored by Citicus founders is illustrated below. These examples represent just a sample of the 80+ publications Citicus staff have been involved in producing over the last 35 years.





Citicus Limited’s founders also contributed to other influential publications, including:





Key insights from our research foundation

Rigorous analysis, using techniques pioneered by Citicus staff, reveals that the dominant success factor in driving down information risk is achieving a ‘good, all-round level of protection’. This contrasts with the pattern of protection that is generally applied, which tends to be erratic (i.e. strong in some control areas, average in most and weak in others).

This is one of the secrets of success in managing not only information risk but other critical fields such as air transport and motor vehicle safety. Thus, the same principle can be expected to apply to other key areas of operational risk such as supplier risk and so on.

Research results showing the impact of achieving a good, all-round level of protection are illustrated in the two charts that follow.

Financial impact of incidents and the chances of suffering incidents in two different groups of environments

While achieving a good, all-round level of protection is highly beneficial and readily achievable with existing techniques and technologies, surprisingly only 1-in-12 of systems we’ve analyzed meet this desirable goal - hence the almost universal need for better risk management practices.

The following charts show that incidents are a key indicator of risk and that protection is required not just against malevolent acts but against the entire spectrum of incidents.

Citicus ONE is unique among suppliers of risk management solutions in recognizing the importance of these research results - and using them to influence behaviour.

TIP: Risk management processes that neglect these insights are likely to yield unreliable results and are best avoided.