Beyond Controls: The Power of Risk Scenarios
Other Writing on Scenarios
I write a painfully large amount about risk scenarios if you want to keep going down this road.
• Malicious Insider Scenarios
• A risk decomposition walkthrough
• A risk based security project 📢
• Decomposing security risk into scenarios
• Troubles with quantified risk
• Let's measure some risks!
• Describing Vulnerability Risks
Ryan McGeehan • Beyond Controls: The Power of Risk Scenarios
Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk you’re concerned about. I’ve found that scenarios are flexible, creative, powerful, and rich with neat features. A good risk scenario focuses groups on their work… so writing them well is a craft that makes tea
...
Scenarios are powerful. Clear, well-written scenarios should be a first-class skill for security professionals and a core part of how security teams work together. Taking the time with others to be clear about the scenario you’re concerned about is a matter of keeping everyone moving toward the same goal.
A single control can mitigate many scenarios. This is why control-based approaches are often so portable and valuable from company to company. Controls can appear in contracts, are easily auditable, and make explainable security products. That’s why control-based approaches are so popular. When a fundamental control is missing, it is probably a red
...
A distinguishing example of this is the Verizon Data Breach Report. It is full of risk scenarios. They’re produced from observed incidents in-the-wild rather than a threat modeling session, so my view is that these concepts are different.
Scenarios are indeed a natural output of threat modeling. Threat models include many other important things like
...
It may! However, you’ll find that the North Star at many organizations is not based on any mention of risks. Rather, how work is planned, prioritized, and communicated is often based on controls, compliance, or “maturity”. Collaboration on risks is either nonexistent or buried as a governance practice and done out of sight of the organization.