Beyond Controls: The Power of Risk Scenarios
Scenarios are an underappreciated way to model infosec risk. A scenario is simply a future, consequential event you write to express a risk you’re concerned about. I’ve found that scenarios are flexible, creative, powerful, and rich with neat features. A good risk scenario focuses groups on their work… so writing them well is a craft that makes tea
Ryan McGeehan • Beyond Controls: The Power of Risk Scenarios
Other Writing on Scenarios
I write a painfully large amount about risk scenarios if you want to keep going down this road.
• Malicious Insider Scenarios
• A risk decomposition walkthrough
• A risk based security project 📢
• Decomposing security risk into scenarios
• Troubles with quantified risk
• Let's measure some risks!
• Describing Vulnerability Risks
A distinguishing example of this is the Verizon Data Breach Report. It is full of risk scenarios. They’re produced from observed incidents in-the-wild rather than a threat modeling session, so my view is that these concepts are different.
Scenarios are indeed a natural output of threat modeling. Threat models include many other important things like
Generally speaking, tech companies have some crucial areas where playbooks don’t yet exist. These are often in the class of First Flight problems.
A single control can mitigate many scenarios. This is why control-based approaches are often so portable and valuable from company to company. Controls can appear in contracts, are easily auditable, and make explainable security products. That’s why control-based approaches are so popular. When a fundamental control is missing, it is probably a red
Scenarios are powerful. Clear, well-written scenarios should be a first-class skill for security professionals and a core part of how security teams work together. Taking the time with others to be clear about the scenario you’re concerned about is a matter of keeping everyone moving toward the same goal.