Casey Ellis (of Bugcrowd fame) had a great post on Twitter today about security terminology.
threat actor = someone who wants to punch you in the face
threat = the punch being thrown
vulnerability = your inability to defend against the punch
risk = the likelihood of getting punched in the face
— cje (@caseyjohnellis) April 19, 2021
Casey also added that Acceptable Risk would be being willing to get punched in the face.
These types of comparisons are golden because they turn theory into something tangible for people who aren’t security nerds like us.
I have a full post on this as well.
I did have a quibble about the definition of risk, though, as did some others on Twitter. But I don’t think Casey actually got this wrong, or that he’s confused about this. He probably wrote that tweet in like 14 seconds, not thinking it’d get massively circulated.
But I thought it was such a good tweet that it was worth capturing how I would tweak it and expand it into a longer form. So here’s a hybrid of the full writeup I did a long time ago and Casey’s scenario.
The Security Scenario: Getting sucker-punched in the face
- The Threat is being punched in the face
- The Threat Actor is the person who wants to punch you
- The Vulnerability is that you can’t currently move because you are being blindsided
- The Risk is his chance of landing the punch combined with how much damage he’ll do if it hits you
That seems like a decent translation of the theory into the scenario. Now let’s look in more detail at each of the components.
The threat is pretty straightforward. It’s a negative scenario. A negative situation. It’s something bad you can describe quickly to someone. An earthquake. A hacker trying to steal data from your website. Or someone trying to punch you in the face.
The threat actor
The threat actor is probably the easiest to understand and translate between theory and reality. It’s the entity trying to do the bad thing. For most things it’s a specific human or organization, but in the case of things like earthquakes or hurricanes, it can be nature.
Vulnerabilities are the most common place to look for remediation opportunities.
The vulnerability is pretty interesting in this scenario. The vulnerability is the thing that allows the attack to happen, or makes it worse if it does. In this case I’ve defined the vulnerability as being the fact that you can’t see the punch coming.
Casey’s version said that you can’t defend against the punch, but for this exercise we might want to give a more specific reason for that. Maybe you’re drunk and can’t dodge. Maybe your vision is bad because you forgot your glasses. I just used the idea of you looking the other way as an example.
One of security’s biggest problems is businesses operating within risk they haven’t even seen, let alone accepted.
The Risk is always the hardest part, and where I think most people get most confused. Again, not Casey, but other people.
The trick is that if you’re not careful you can easily define a Risk in a way that collides with Threat. A Risk isn’t just the scenario, and it’s not just the chance of a scenario happening. It’s also how bad it would be if it did happen. So that’s three things combined: 1) scenario, 2) likelihood, and 3) impact.
acceptable risk = your willingness to be punched in the face
— cje (@caseyjohnellis) April 20, 2021
As for Casey’s addition of Acceptable Risk to the mix, I’d expand on that as well. I’d say that Acceptable Risk would be something more like, “being willing to get punched in the face—but only in certain situations”.
So let’s say you’re teaching MMA to a room full of 10-year-olds, and you decide to let them all try to hit you in the face.
One should have defined reasons for taking the risks they’re taking.
You’re a 350lb boxer and you think you can take any number of punches from a group of pre-adolescents, so you’ve defined that operating with those rules—in that room—you’re taking on an acceptable level of risk.
But here’s the question: acceptable in return for what? You have to be—or at least should be—taking risk for a reason. And in this case, yes, you’re taking the risk in exchange for getting to teach them a lesson that will hopefully stay with them for life: size really does matter in fights.
Turning the knobs around remediation
Now we get to the super fun stuff, and why I find security so fascinating. There are a million ways to adjust this equation given all the components in the scenario! To reduce this risk you could:
- Expose yourself to fewer threats (don’t go watch UFC fights at bars)
- Never have your back to a crowd of people
- Hire a bodyguard whenever you go in public
- Wear a helmet
If you look closely you can see that these affect different parts of the equation.
risk = likelihood x impact
Dodging would reduce likelihood; blocking would reduce impact.
Not going to bars to watch fights reduces the number of threat actors who might punch you (probability). Not turning your back to a crowd raises the chances that you can dodge or block. Hiring a bodyguard will reduce the probability of being sucker-punched, but it could get weird if you start attracting attention from dangerous people. And wearing a helmet clearly reduces the impact of being punched (assuming the punch hits the helmet).
Thinking like a risk professional
If you’re a risk nerd like me, pondering UFC watching and punches to the face, you’d start asking yourself things like:
- How much do I really care about watching the fight in a crowd of people? Why not at home?
- What am I willing to do to reduce my risk of being punched in the face while doing so?
- Am I willing to wear a helmet on the off chance that someone tries to sucker-punch me?
- How much will the laughs and stares at my helmet detract from my fight-watching experience?
- How much money would I assign to my enjoyment of public fight-watching?
- How much would it cost to buy a helmet and hire the bodyguard? Is it worth it?
…and so on.
Basically, to do this type of thing well you have to really understand what you’re trying to achieve, what risks you’re willing to take to get that thing, and what knobs and levers you can adjust to make the tradeoffs worth it to you.
Threat Modeling and Risk Management are the disciplines that allow one to do these things well.
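To make the "risk = likelihood x impact" equation and the knob-turning questions above concrete, here is a small Python model, added as an example; it is not code from the original post or from Casey. Each remediation option is a control that scales likelihood and/or impact and carries a cost, so you can see which knob each one turns and whether the reduction in expected loss pays for the control. All the numbers (5% chance of a sucker punch, a $20,000 impact, control costs) are constructed for illustration, not real estimates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A threat scenario in the post's terms: how likely, and how bad if it happens."""
    name: str
    likelihood: float  # probability the threat materialises over the period (0..1)
    impact: float      # loss if it does, in dollars


@dataclass(frozen=True)
class Control:
    """A remediation 'knob'. A factor of 1.0 leaves that term alone; 0.5 halves it."""
    name: str
    likelihood_factor: float = 1.0  # dodging-type controls turn this knob
    impact_factor: float = 1.0      # blocking-type controls turn this knob
    cost: float = 0.0               # dollars per period to run the control


def risk(scenario):
    """risk = likelihood x impact, i.e. the expected loss for the period."""
    return scenario.likelihood * scenario.impact


def apply(scenario, controls):
    """Residual scenario after the controls are applied (factors multiply)."""
    likelihood, impact = scenario.likelihood, scenario.impact
    for control in controls:
        likelihood *= control.likelihood_factor
        impact *= control.impact_factor
    # A control with a factor above 1.0 (e.g. one that attracts attention)
    # could push likelihood over 1.0, so clamp it to a valid probability.
    return Scenario(scenario.name, min(1.0, likelihood), impact)


def evaluate(scenario, controls):
    """Return (inherent risk, residual risk, total control cost, net benefit)."""
    inherent = risk(scenario)
    residual = risk(apply(scenario, controls))
    cost = sum(control.cost for control in controls)
    return inherent, residual, cost, inherent - residual - cost


def worth_it(scenario, controls):
    """A control set is worth it when the risk it removes exceeds what it costs."""
    return evaluate(scenario, controls)[3] > 0


def best_option(scenario, options):
    """Pick the control set with the highest net benefit. The empty set means
    'accept the risk as-is', which is a legitimate, if explicit, choice."""
    return max(options, key=lambda option: evaluate(scenario, option)[3])


# Constructed scenario: watching a fight in a crowded bar.
SUCKER_PUNCH = Scenario("sucker punch at the bar", likelihood=0.05, impact=20_000.0)

# Constructed controls, one per knob from the post.
STAY_HOME = Control("watch at home", likelihood_factor=0.0, cost=500.0)   # cost = enjoyment forgone
BACK_TO_WALL = Control("never turn your back to the crowd", likelihood_factor=0.5)
BODYGUARD = Control("hire a bodyguard", likelihood_factor=0.2, cost=3_000.0)
HELMET = Control("wear a helmet", impact_factor=0.2, cost=150.0)        # cost = helmet + ridicule

OPTIONS = [[], [BACK_TO_WALL], [HELMET], [HELMET, BACK_TO_WALL], [BODYGUARD], [STAY_HOME]]


if __name__ == "__main__":
    for option in OPTIONS:
        inherent, residual, cost, net = evaluate(SUCKER_PUNCH, option)
        names = ", ".join(c.name for c in option) or "accept the risk"
        print(f"{names:45s} residual=${residual:8.2f} cost=${cost:8.2f} net=${net:8.2f}")
    best = best_option(SUCKER_PUNCH, OPTIONS)
    print("best option:", [c.name for c in best])
```

Run stand-alone, the model shows the point of the "different knobs" paragraph: the helmet only changes impact and the wall only changes likelihood, but combined they take the expected loss from $1,000 to $100 for $150 of cost, while the bodyguard removes more likelihood than anything short of staying home and still loses money because the control costs more than the risk it removes.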
- Casey is awesome. You should follow him on Twitter.
- Theory is nice when explaining security concepts, but using a tangible, everyday scenario is often best
- People often confuse Threat and Risk, but Threat is just the scenario without the probability or impact
- It’s super fun—and useful—to be able to break down real-world scenarios into these components
- Real businesses are making these kinds of tradeoffs every moment of every day: the only question is whether or not they’re doing so knowingly or properly.
- Apr 21, 2021 — Changed the Threat to be “being punched in the face”, instead of “someone wanting to punch you in the face”. Thanks to Augusto Barros for the improvement.