4 min read

The Bar Fight Risk Taxonomy

After hearing "vulnerability" and "threat" used interchangeably for a >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.
The Bar Fight Risk Taxonomy
Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!

After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.

Risk is an ambiguous and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. Using a situation or experience that the majority of people have experienced, thought about, heard about, or seen on TV provides a solid foundation for understanding. Another technique I frequently employ is visceral hyperbole to immerse the reader in the scenario while keeping the focus on the point. In this case, even if the reader hasn't considered avoiding a fight before, it's still a relatively simple (if unpleasant and violent) threat model to consider.

Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...

In any case... It went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. - Of all the tweets I've sent that could have ended up on a t-shirt, I'm glad this one did:

Ricki Burke on LinkedIn: Inspired by Casey Ellis | 146 comments
Inspired by Casey Ellis... 146 comments on LinkedIn


I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around (especially by those in the space who really ought to know better). The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Pub Brawl Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.

Here's the original tweet::

My apologies to the tenured risk and GRC professionals who have already identified what appears to be a mistake here... Risk is mathematically defined as: Likelihood x Impact. Because Twitter has a character limit of 240, I descoped Impact as a modifier by considering a successful punch as a breach (i.e. A pass/fail DO NOT WANT). Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy in his blog... but Twitter is written in pen, not pencil, so my Impact = 1 definition remains unchanged.

Here are some subsequent additions to the thread...

Acceptable risk definition
Exploit definition
Attack surface definition

And on, and on it went...

Bounty hunter definition
Asymmetric threat definition
Cyber risk insurance definition
Threat intelligence defintion
Attack surface definition
Pentest definition
Compliance definition
Parameterization definition
Risk acceptance definition
Threat intelligence definition
Miscellaneous definitions
CVE definition