The Bar Fight Risk Taxonomy
Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!
After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.
Risk is an ambiguous and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. Using a situation or experience that the majority of people have experienced, thought about, heard about, or seen on TV provides a solid foundation for understanding. Another technique I frequently employ is visceral hyperbole to immerse the reader in the scenario while keeping the focus on the point. In this case, even if the reader hasn't considered avoiding a fight before, it's still a relatively simple (if unpleasant and violent) threat model to consider.
Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...
In any case, it went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. Of all the tweets I've sent that could have ended up on a t-shirt, I'm glad this one did:
I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around (especially by those in the space who really ought to know better). The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Pub Brawl Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.
Here's the original tweet:
My apologies to the tenured risk and GRC professionals who have already identified what appears to be a mistake here... Risk is mathematically defined as Likelihood x Impact. Because Twitter has a character limit of 240, I descoped Impact as a modifier by considering a successful punch as a breach (i.e. a pass/fail DO NOT WANT). Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy in his blog... but Twitter is written in pen, not pencil, so my Impact = 1 definition remains unchanged.
Here are some subsequent additions to the thread...
And on, and on it went...