
The Bar Fight Risk Taxonomy

After hearing "vulnerability" and "threat" used interchangeably for the >9,000th time I decided to do something about it, and the Bar Fight Risk Taxonomy was born.
Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!

After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.

Nothing occurs without communication, and risk, particularly in the cyber domain, is already a fairly vague and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. I've observed that situations or experiences that the majority of an audience has experienced, thought about, or seen on television serve as a firm foundation for shared comprehension. I also often employ visceral hyperbole to draw attention to the subject, immerse the reader in the scenario, and maintain the focus on the object of the illustration. This tweet utilized both techniques. Even if the reader has never been in or contemplated avoiding a fight in a pub, this scenario - despite being quite unpleasant - is relatively simple to imagine and very effective for getting the point across.

Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...

In any case... It went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. Of all the tweets I've sent that made their way onto a t-shirt, I'm quite glad this is the one that did:

Ricki Burke on LinkedIn: Inspired by Casey Ellis | 146 comments

I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around, especially by those in the space who really ought to know better. The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Bar Fight Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.

Here's the original tweet:

My apologies to the tenured risk and GRC professionals who have already identified what appears to be a mistake here... Risk is conventionally defined as Likelihood x Impact. Partly because Twitter has a character limit of 280, and partly because I was thinking about a breach through a "right of boom" lens (i.e. something bad has already happened, let's understand why), I descoped Impact as a modifier by treating a successful punch as a notifiable breach... i.e. a pass or fail outcome that no-one wants, which fixes Impact at 1 and leaves Likelihood as the only variable. Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy in his blog, but since Twitter is written in pen, not pencil, my somewhat crude Impact = 1 math used in the definition remains unchanged.

Here are some subsequent additions to the thread...

Acceptable risk definition
Exploit definition
Attack surface definition

...and on, and on it went...

Bounty hunter definition
Asymmetric threat definition
Cyber risk insurance definition
Threat intelligence definition
Pentest definition
Compliance definition
Parameterization definition
Risk acceptance definition
Threat intelligence definition
Miscellaneous definitions
CVE definition