EBIOS Risk Manager (EBIOS RM) is the French reference method for cyber risk assessment and treatment. Published by ANSSI in 2018 and aligned with ISO/IEC 27005, EBIOS RM is used by French public entities, OIVs (Operators of Vital Importance), OSEs (Operators of Essential Services), and increasingly by large corporations seeking a method better suited to modern cyber threats than historical approaches.
This guide details the 5 workshops of the method, expected deliverables, and common mistakes.
Why EBIOS RM rather than another method?
EBIOS RM stands out for three characteristics:
- Scenario-centered approach — rather than a list of generic threats, EBIOS RM builds realistic risk scenarios involving concrete risk sources (attackers)
- Explicit ecosystem consideration — suppliers, partners, supply chains are treated as potential risk sources
- Decision-making orientation — the method produces strategic options for leadership, not just a technical list
Compared to ISO 27005 or FAIR, EBIOS RM is particularly suited when:
- The organization is in a French regulatory scope (LPM, REN Act, transposed NIS2)
- Risk sources are identifiable (APT groups, cybercriminals, insiders)
- The need is for scenario modeling rather than financial quantification
For a deep methodological comparison, see our FAIR vs ISO 27005 article.
Overview of the 5 workshops
| Workshop | Name | Objective | Indicative duration |
|---|---|---|---|
| 1 | Framing & security baseline | Define scope + identify business values | 2-5 days |
| 2 | Risk sources | Characterize potential attackers | 3-5 days |
| 3 | Strategic scenarios | Build macro threat × value scenarios | 3-5 days |
| 4 | Operational scenarios | Detail technical attack paths | 5-10 days |
| 5 | Risk treatment | Decide treatment options and monitor | 2-5 days |
A complete EBIOS RM cycle on a moderately complex scope takes 6-12 weeks excluding leadership decision-making.
Workshop 1 — Framing and security baseline
Objective
Define the study scope and identify business values to protect. This is the foundation: wrong framing makes everything downstream useless.
Activities
1.1 Scope definition
- Organizational scope (a subsidiary, a functional domain…)
- Technical scope (an information system, an application…)
- Time horizon (3, 5, 10 years)
1.2 Missions and business values identification
A business value is an element of importance to the organization. Types:
- Business processes (e.g., order processing)
- Information (e.g., customer databases, R&D data)
- Essential technical assets (systems supporting processes and information)
For each business value, document:
- Description
- Business owner
- Missions it serves
- Sensitivity (CIAP scale: Confidentiality, Integrity, Availability, Proof)
1.3 Feared event identification
A feared event (FE) is an undesirable event impacting a business value on one of its sensitivity dimensions.
Example:
- Business value: "Customer database"
- FE1: Unavailability > 4 hours
- FE2: Disclosure to unauthorized third parties
- FE3: Unauthorized modification
1.4 Security baseline definition
Frameworks, policies, standards the organization is already subject to (ISO 27001, GDPR, sectoral obligations). The baseline sets the minimum expected level.
Workshop 1 deliverables
- Framing note
- Business value map
- List of feared events with CIAP rating
- Security baseline reference
Workshop 2 — Risk sources and targeted objectives
Objective
Identify who can attack the organization and why. EBIOS RM stands out here with its adversary approach, not just threat.
Activities
2.1 Risk source identification (RS)
Types of sources:
- States and state entities (APTs, intelligence services)
- Criminal organizations (cybercriminals, ransomware groups)
- Hacktivists (ideological groups)
- Malicious insiders (employees, contractors)
- Competitors (industrial espionage)
- Amateurs (script kiddies, opportunists)
2.2 Targeted objectives determination (TO)
For each risk source, what are its objectives?
- Financial (ransom, theft, fraud)
- Operational (disruption, sabotage)
- Strategic (espionage, influence)
- Political (destabilization, pressure)
2.3 RS/TO pair assessment
For each pair, rate:
- Motivation (low / significant / strong)
- Resources (low / significant / strong)
- Activity (low / significant / strong)
A relevant RS/TO pair is retained for subsequent workshops if its aggregate exceeds a threshold (typically "significant" or higher).
Workshop 2 deliverables
- List of relevant risk sources
- List of targeted objectives
- RS/TO pair ratings
- Selection of relevant pairs for the next step
Workshop 3 — Strategic scenarios
Objective
Build macro scenarios crossing:
- A retained risk source
- A retained targeted objective
- A business value impacted (via its ecosystem)
Activities
3.1 Ecosystem mapping
Identify third parties (suppliers, partners, contractors) interacting with business values. Each third party is a potential vector of attack.
Example: an outsourcing provider can be an attack target to reach its client's data.
3.2 Strategic scenario construction
A strategic scenario describes the macro chain: RS → compromises stakeholder → compromises business value.
Example:
- RS: Ransomware cybercriminal
- TO: Financial extortion
- Chain: RS → compromises accounting firm → compromises financial database → accounting blockage → ransom
3.3 Severity assessment
Each strategic scenario is rated in severity (S1 to S4) based on impact on business value.
Workshop 3 deliverables
- Ecosystem map
- List of retained strategic scenarios
- Severity rating
- Selection of scenarios to detail in workshop 4
Workshop 4 — Operational scenarios
Objective
Detail technical attack paths of retained strategic scenarios. This is the most technical workshop.
Activities
4.1 Operational scenario construction
Each strategic scenario is broken down into chronological elementary technical actions:
Example (ransomware via accounting firm):
- Targeted phishing on accounting firm → user workstation compromise
- Privilege escalation → firm admin account compromise
- Lateral movement → client network access via shared VPN
- Reconnaissance → client server identification
- Ransomware deployment → client server encryption
4.2 Likelihood assessment
For each operational scenario, rate likelihood (L1 to L4) based on:
- Required technical capabilities
- Required resources
- Opportunities (attack surface)
- Coverage of existing measures
4.3 Usable frameworks
EBIOS RM allows cross-referencing with:
- MITRE ATT&CK for tactics/techniques
- CVSS for technical vulnerabilities
- Specific threat frameworks (ANSSI, Microsoft, CrowdStrike…)
Workshop 4 deliverables
- Detailed operational scenarios (attack paths)
- Likelihood rating
- Mapping with frameworks (MITRE ATT&CK)
- Risk matrix (severity × likelihood)
Workshop 5 — Risk treatment
Objective
For each risk deemed significant, decide on a treatment and steer its implementation.
Activities
5.1 Treatment options
- Avoid — remove the activity at the risk origin
- Reduce — implement measures (technical, organizational)
- Transfer — insurance, outsourcing
- Accept — acceptable residual risk
5.2 Action plan
For each reduction measure:
- Description
- Owner
- Deadline
- Estimated cost
- Effectiveness indicator (KPI/KRI)
5.3 Monitoring and revision
- Risk review frequency (typically annual or event-driven)
- Criteria to reopen an EBIOS RM study
- Links to leadership reporting
Workshop 5 deliverables
- Risk treatment plan
- Measures roadmap
- Monitoring KPIs/KRIs
- Leadership validation
EBIOS RM and other frameworks
| Framework | Articulation with EBIOS RM |
|---|---|
| ISO 27005 | EBIOS RM is compliant with ISO 27005. You can use EBIOS RM to satisfy the ISO 27001 risk analysis requirement |
| NIS2 | EBIOS RM is explicitly recognized by ANSSI as NIS2-compliant method |
| DORA | EBIOS RM can feed DORA assessment, particularly on the ICT risk management pillar |
| NIST CSF 2.0 | EBIOS RM feeds the "Identify" function (ID.RA — Risk Assessment) |
| ISO 22301 | EBIOS RM operational scenarios feed the BIA |
Common EBIOS RM mistakes
1. Scope too broad
Wanting to cover the entire organization in one cycle. Prefer thematic cycles: "production IS", "e-commerce application", "supplier ecosystem"…
2. Generic business values
"Data" or "the information system" are not usable business values. Concrete labels needed: "B2B customer base", "Molecule X R&D recipes", "Booking platform".
3. Fanciful risk sources
Mapping 20 risk sources for 2 internal applications is over-engineering. Target sources truly relevant to your sector and notoriety.
4. Scenarios disconnected from ecosystem
Ignoring contractors, SaaS chains, API integrations is a major methodological mistake. EBIOS RM was designed to capture these dependencies.
5. Not prioritizing
Ending workshop 4 with 150 non-prioritized operational scenarios. Force a severity × likelihood prioritization and focus on the top 20.
6. Not linking to action plan
A workshop 5 ending with "we must improve security" commits no one. Each measure must have an owner, a deadline, and a budget.
How ResiPlan operationalizes EBIOS RM
- EBIOS RM module structured by workshop (1 to 5)
- Pre-filled libraries: common risk sources, targeted objectives, MITRE ATT&CK tactics
- Severity × likelihood matrix with dynamic visualization
- Integrated action plan with owner/deadline workflow
- Links to BIA — operational scenarios automatically feed the BIA
- ANSSI-compatible exports for OIV/OSE/NIS2 audits
ResiPlan supports 36 risk management methodologies (EBIOS RM, FAIR, ISO 27005, Bow-Tie, Monte Carlo…) in a single tool. Start a free trial.
Conclusion
EBIOS RM is a rigorous, scenario-centered method recognized by ANSSI. Its 5 workshops produce a strategic and operational view of cyber risks, directly usable to arbitrate security investments and meet NIS2, DORA, LPM requirements.
The success key: don't aim for first-cycle perfection. An iterative EBIOS RM cycle — a limited scope per year, enriched annually — produces more value than an 18-month monolithic project that never ships.
For deeper reading: