The Bar Fight Risk Taxonomy

Update: Ricki has put t-shirts based on this tweet - literally - up in an Etsy store. They are 25 AUD and all proceeds go towards helping students and others get into cybersecurity as a career field. Yeet!

After hearing the words "vulnerability" and "threat" used interchangeably for the >9,000th time, I decided to take action, and the Bar Fight Risk Taxonomy was born.

Nothing occurs without communication, and risk, particularly in the cyber domain, is already a fairly vague and abstract concept, so I rely heavily on metaphors to explain cybersecurity and risk concepts. I've observed that situations or experiences that the majority of an audience has experienced, thought about, or seen on television serve as a firm foundation for shared comprehension. I also often employ visceral hyperbole to draw attention to the subject, immerse the reader in the scenario, and maintain the focus on the object of the illustration. This tweet utilized both techniques. Even if the reader has never been in or contemplated avoiding a fight in a pub, this scenario - despite being quite unpleasant - is relatively simple to imagine and very effective for getting the point across.

Hat tip to the legendary Jack Daniel who has been using a similar fighting analogy to communicate risk concepts for years...

In any case... It went viral quickly, to the point where my friend Ricki Burke started making t-shirts out of it. Of all the tweets I've sent that made their way onto a t-shirt, I'm quite glad this is the one that did:

I'm clearly not the only one who frequently needs to explain these terms and gets mildly irritated when they're switched around, especially by those in the space who really ought to know better. The original tweet was viewed, liked, and reposted 250,000 times, and it spawned a thread with extensions of what I now refer to as "The Bar Fight Risk Taxonomy," which ranged from the concisely accurate to the deeply snarky and hilarious.

Here's the original tweet:

threat actor = someone who wants to punch you in the face

threat = the punch being thrown

vulnerability = your inability to defend against the punch

risk = the likelihood of getting punched in the face

— cje 💉💉 (@caseyjohnellis) April 19, 2021

My apologies to the tenured risk and GRC professionals who have already spotted what looks like a mistake here... Risk is mathematically defined as Likelihood x Impact. Partly because Twitter has a character limit of 240, and partly because I was thinking about a breach through a "right of boom" lens (i.e. something bad has happened, let's understand why), I descoped Impact as a modifier by treating a successful punch as a notifiable breach... i.e. a pass-or-fail outcome that no one wants. Daniel Miessler did an excellent job expanding on the alternative treatment of risk in this analogy on his blog, but since Twitter is written in pen, not pencil, the somewhat crude Impact = 1 math used in the definition remains unchanged.

Here are some subsequent additions to the thread...

acceptable risk = your willingness to be punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021

exploit = the fist

— cje 💉💉 (@caseyjohnellis) April 20, 2021

attack surface = the size and shape of your face

— cje 💉💉 (@caseyjohnellis) April 20, 2021

...and on, and on it went...

Patch Tuesday = your weekly gym visit

Security stack = your mates at the pub with you

APT = a mate who also wants to punch you in the face

Air gap = avoiding the pub by staying at home

Side channel = your wallet being nicked whilst you are being punched in the face

— ARJ (@AndrewRJamieson) April 20, 2021

bounty hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you

bugcrowd = cage fight organiser

— ec0 || james 🏴‍☠️ (@devec0) April 20, 2021

asymmetric threat = studying this entire thread then getting kicked in the crotch

— cje 💉💉 (@caseyjohnellis) April 21, 2021

cyberrisk insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021

Threat intelligence = “Bob’s going to come at you with a right cross”

— Bill Kyrouz (@Kyrouz) April 20, 2021

canary = a loud obnoxious friend who is daring everyone to punch them, wearing identical clothes

pentest = sparring partner, former welterweight boxer, will hit you until you say stop, no below the belt

— Picaro Byte (@__picaro8) April 20, 2021

compliance = how you think this all works until you've been punched in the face

— cje 💉💉 (@caseyjohnellis) April 20, 2021

Parameterized query = understanding the proper defensive ninja moves while someone is talking to you all friendly like and then suddenly tries to punch you in the face

— Jim Manico (@manicode) May 3, 2021

Risk acceptance = ok getting punched

Risk mitigation = practice taking a punch

Risk mitigation = consider guards

Risk proactive controls = snipers

— SecFightClub (@SecFightClub) May 3, 2021

bad threat intelligence = people are generally mad at you about stuff, and might try to punch you at some point in the future

— cje 💉💉 (@caseyjohnellis) April 20, 2021

CVE = list of known standard punches

Port scan = looking around the bar to see what everyone is drinking

Bouncer = Firewall

Band-aids = Initial post-event remediation

Blood = data-loss

No memory of the event = Ransomware, must rebuild from backups stored in the memory of pals

— David Heath (@david_heath) April 21, 2021

CVE = A Chuck Norris movie

— Mathias (@matthegap) April 21, 2021