The Bar Fight Risk Taxonomy

caseyjohnellis
3 min read · Jun 27, 2021

After hearing “vulnerability” and “threat” used interchangeably for a >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.

I use metaphors to explain cybersecurity and risk concepts A LOT, mostly because risk is such an ambiguous and abstract concept to begin with. Using a situation or experience that most people have experienced, considered, heard about, or seen on TV provides a solid baseline to build understanding on. The other trick I often use is visceral hyperbole, in order to bring the reader into the scenario and keep the focus on the point. In this case, even if the reader hasn’t thought about avoiding a fight before, it’s still a relatively easy (if unpleasant and violent) threat model to think through.

So anyway… It blew up fairly quickly, to the point where my friend Ricki Burke has started doing t-shirts with it — Of all the tweets I’ve made that could have ended up on a t-shirt, I’m pretty happy this is the one that did:

Ricki Burke on LinkedIn: Inspired by Casey Ellis [https://www.linkedin.com/feed/update/urn:li:activity:6813658391395889152/]

I'm clearly not the only one who runs into the need to explain these terms often, and gets mildly triggered when they get switched around (especially by those in the space who really ought to know better). The initial tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now call “The Pub Brawl Risk Taxonomy”, which ranged from the concisely accurate to the deeply snarky and hilarious.

Here’s the original tweet:

threat actor = someone who wants to punch you in the face
threat = the punch being thrown
vulnerability = your inability to defend against the punch
risk = the likelihood of getting punched in the face

— cje 💉💉 (@caseyjohnellis) April 19, 2021 [https://twitter.com/caseyjohnellis/status/1384277480979124232?ref_src=twsrc%5Etfw]

My apologies to the tenured risk and GRC folks who’ve already spotted what looks like a mistake here… The technical definition is Risk = Likelihood x Impact. Twitter is limited to 280 characters, so I descoped Impact as a modifier by treating a successful punch as a breach (i.e. a pass/fail DO NOT WANT). Daniel Miessler did a great job expanding [https://danielmiessler.com/blog/explaining-threats-threat-actors-vulnerabilities-and-risk-using-a-real-world-scenario/] the alternative treatment of risk in this analogy in his blog… but yeh, Twitter is written in pen not pencil, and I left my Impact = 1 definition as is. Here are some of the subsequent expansions to the thread provided by yours truly…
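To make the difference between the two treatments concrete, here is a small risk register worked through the taxonomy. This is an added example and not code from the original post or from Daniel Miessler’s write-up; the scenarios, likelihoods, impacts and the 0.25 “acceptable risk” threshold are all constructed for illustration. It scores each punch scenario both ways, with Impact pinned to 1 as in the tweet and with Risk = Likelihood x Impact, and shows that the two can rank the same threats in opposite orders.

```python
"""Risk register worked through the Bar Fight Risk Taxonomy.

Added example, not from the original post. Every scenario, likelihood,
impact and threshold below is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One line of a risk register, named in the post's own terms."""
    threat_actor: str    # someone who wants to punch you in the face
    threat: str          # the punch being thrown
    vulnerability: str   # your inability to defend against the punch
    likelihood: float    # probability the punch lands, 0..1
    impact: float        # how much it hurts if it lands, 0..1


def risk_pass_fail(s: Scenario) -> float:
    """The tweet's treatment: a landed punch is a breach, so Impact = 1
    and risk collapses to likelihood alone."""
    return s.likelihood * 1.0


def risk_weighted(s: Scenario) -> float:
    """The GRC treatment: Risk = Likelihood x Impact."""
    return s.likelihood * s.impact


def rank(scenarios, scorer):
    """Threat names ordered from riskiest to least risky under `scorer`."""
    return [s.threat for s in sorted(scenarios, key=scorer, reverse=True)]


def above_acceptable(scenarios, scorer, acceptable_risk):
    """'acceptable risk = your willingness to be punched in the face':
    return the threats whose score exceeds that willingness, i.e. the
    ones that need treating rather than accepting."""
    return [s.threat for s in scenarios if scorer(s) > acceptable_risk]


# Constructed register: three ways to get punched at the pub.
REGISTER = [
    Scenario("drunk regular", "wild haymaker", "slow reflexes",
             likelihood=0.6, impact=0.3),
    Scenario("bouncer", "trained jab", "no guard up",
             likelihood=0.3, impact=0.9),
    Scenario("mate mucking about", "playful tap", "you never see it coming",
             likelihood=0.9, impact=0.05),
]


if __name__ == "__main__":
    # Dropping Impact puts the harmless-but-frequent tap at the top;
    # weighting by Impact puts the rare-but-painful jab there instead.
    print("pass/fail ranking:", rank(REGISTER, risk_pass_fail))
    print("weighted ranking: ", rank(REGISTER, risk_weighted))
    print("needs treatment (weighted, threshold 0.25):",
          above_acceptable(REGISTER, risk_weighted, 0.25))
    print("needs treatment (pass/fail, threshold 0.25):",
          above_acceptable(REGISTER, risk_pass_fail, 0.25))
```

The point of the comparison is the one the post concedes: with Impact pinned to 1 the register is just a list of likelihoods, so a near-certain tap outranks a rare jab from the bouncer and every scenario clears the same acceptable-risk bar. Multiplying by Impact is what lets you decide which punches are worth ducking.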

acceptable risk = your willingness to be punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384353347726057473?ref_src=twsrc%5Etfw]

exploit = the fist

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384353458719891456?ref_src=twsrc%5Etfw]

And on, and on it went…

asymmetric threat = studying this entire thread then getting kicked in the crotch

— cje 💉💉 (@caseyjohnellis) April 21, 2021 [https://twitter.com/caseyjohnellis/status/1384784202260905986?ref_src=twsrc%5Etfw]

cyberrisk insurance = your mates at the pub betting on if you can “talk that kinda shit” and not get punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384353612990607366?ref_src=twsrc%5Etfw]

attack surface = the size and shape of your face

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384353423722573824?ref_src=twsrc%5Etfw]

compliance = how you think this all works until you’ve been punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384503532636672009?ref_src=twsrc%5Etfw]

bad threat intelligence = people are generally mad at you about stuff, and might try to punch you at some point in the future

— cje 💉💉 (@caseyjohnellis) April 20, 2021 [https://twitter.com/caseyjohnellis/status/1384384078959366146?ref_src=twsrc%5Etfw]

caseyjohnellis

founder/chairman/cto @bugcrowd and co-founder of @disclose_io. troubleshooter and troublemaker. 0xEFC513EA