Alex Hutton

Introducing: The RiskFish

In this first article, I'd like to give you a simple tool to help you better understand and categorize risk and security scenarios. We call it "The RiskFish" -- and it's free to use.

"I'm having a hard time figuring out where our risk really is here..."

If you've ever had an interesting audit finding, threat scenario, or risk analysis, or have generally found yourself needing to help the business sort through its thoughts about exactly what's going on, then this blog post is for you.

Before we dive in, I should introduce myself. I am a risk manager. My name is Alex, and I work for a largish financial institution where I am a director of technology and operations risk. My information security/risk management background comes from my previous work in risk intelligence at Verizon, where I was part of the Data Breach Investigations Report (DBIR) team, working with Jack Jones setting up IRM/ERM shops and teaching FAIR, and working with Brent Huston doing OCTAVE/NIST stuff "way back" in the 2001-2005 time frame. Prior to that, I was a product manager for a firewall/VPN solution for five years.

In the 10 years I've been working in and around information risk management, I've learned that security and risk are pretty complex. In fact, I don't think it would be a stretch to say that we're working with complex adaptive systems in our profession. This complexity makes it challenging to understand risk, and it can mean that we have difficulty communicating risk.

The good news is that, in my experience, once you have some formalization around definition and modeling, risk management becomes 80 percent communication methods. So in this inaugural series of posts, I'd like to share with you a little tool to help risk and security folks communicate the situation at hand. I call it "The RiskFish."

What Is The RiskFish?
The concept is simple: Take an Ishikawa or Fish Diagram that was originally created for root cause analysis in manufacturing, and then hack it up a bit so that it works for security and risk. The means to provide clarity and definition? We'll use VERIS, the community licensed/released framework used by Verizon to create the DBIR. So where a manufacturing root cause analysis is going to include categories such as Personnel, Materials, Measurements, Environment, Methods, and Machines, we will use the following:

(business unit or victim) Demographics
(threat) Agents
(threat) Actions
(business) Assets
(security) Controls
(security) Attributes
(financial) Impacts

How To Use The RiskFish
Basically, the RiskFish is a brainstorm tool. It's designed to help you sort out your thoughts. You simply take whatever scenario you're looking at, identify categorically which part of the fish diagram you're talking about, and use VERIS to clarify all of the risk elements you think you might want to consider. I've found that VERIS provides pretty good definition and clarity; it has been used to describe thousands of incidents in Verizon's DBIR. Because Verizon has used VERIS for years, you should be able to identify and describe anything you think of using the framework. If you come up with something unique and not covered in VERIS, then the community nature of VERIS means that you can contribute to the XML schema and definitions at the VERIS community website.

So using VERIS, what the diagram does is help you identify a high-level category to discuss what you're thinking about. If I'm worried about malicious insiders, for example, I would go to the Agent branch and write down "insider." Then, if I wanted to get more specific, the VERIS community website has metadata associated with "insider." So I might write down "insider - privileged - auditor" if I wanted to describe a specific case where I'm worried an auditor might go rogue. Maybe then I'd match up an action of "Misuse" and circle some of the impact categories that I think might apply. I can do more threat modeling in the bottom part of the diagram, picking actions against assets, attributes that would be compromised, and so forth. And it's totally OK to have more than one thing appear in any one branch; again, this is brainstorming. The important part is to get it all down on paper and then start identifying relationships and connections between the branches.
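As an added example (not part of the original post or of SIRA's RiskFish materials), here is a small Python sketch of the fish as a data structure: the seven branches listed above, the "category - sub - sub" notation for VERIS paths, a check for branches still left blank, and the agent/action/asset/attribute pairings the post suggests drawing between branches. The scenario values are constructed for illustration.

```python
from itertools import product

# The seven RiskFish branches, in the order the post lists them.
BRANCHES = ("demographics", "agents", "actions", "assets",
            "attributes", "controls", "impacts")

def parse_entry(text):
    """Turn a note such as 'insider - privileged - auditor' into a path
    tuple ('insider', 'privileged', 'auditor'). The separator is ' - '
    with spaces, so hyphenated words like 'on-boarding' survive intact."""
    return tuple(p.strip().lower() for p in text.split(" - ") if p.strip())

def new_fish():
    return {branch: [] for branch in BRANCHES}

def note(fish, branch, text):
    """Write one brainstormed item on a branch; unknown branches are rejected."""
    if branch not in fish:
        raise KeyError(f"{branch!r} is not a RiskFish branch: {BRANCHES}")
    path = parse_entry(text)
    if path not in fish[branch]:          # the same thought written twice is one item
        fish[branch].append(path)
    return path

def empty_branches(fish):
    """Branches nobody has written on yet: the gaps to revisit before moving on."""
    return [b for b in BRANCHES if not fish[b]]

def threat_chains(fish):
    """Every agent -> action -> asset -> attribute combination on the paper,
    i.e. the cross-branch connections the post asks you to draw."""
    return list(product(fish["agents"], fish["actions"],
                        fish["assets"], fish["attributes"]))

def render(fish):
    """Plain-text view of the fish, one branch per line."""
    rows = []
    for branch in BRANCHES:
        items = ", ".join(" - ".join(p) for p in fish[branch]) or "(blank)"
        rows.append(f"{branch:>12} | {items}")
    return "\n".join(rows)

def sample_fish():
    """Constructed sample: the rogue-auditor scenario from the post."""
    fish = new_fish()
    note(fish, "agents", "insider - privileged - auditor")
    note(fish, "actions", "Misuse")
    note(fish, "assets", "database - customer records")
    note(fish, "attributes", "confidentiality")
    note(fish, "impacts", "regulatory fines")
    note(fish, "impacts", "reputation")
    return fish
```

Running `render(sample_fish())` shows the Demographics and Controls branches still blank, which is exactly the kind of gap the brainstorm is meant to surface.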

All of the classification metadata you can associate with these top-level categories can be found at the VERIS Community website, except for controls. For now, that branch is "young," and I would welcome industry contributions to help mature that (or any other) category.

Speaking of contributing, I've tried to make the RiskFish as "free" as possible by releasing it under a creative-commons license. You can use it for free; you just can't charge for it, and if you improve it, we ask that you share back to the world. I say "we" because the RiskFish is now formally under the stewardship of the Society of Information Risk Analysts (SIRA). There's no fee to join SIRA, and you can just sign up for the mailing list and get your hands dirty if you want to learn a little bit more about it, talk to people who are using the RiskFish, or even contribute to its evolution.

So feel free to download a .pdf file of the RiskFish from the SIRA website.

Where To Use The RiskFish
I've found using the RiskFish to be really useful in discussions with the business, particularly as a tool to help it sort out its concerns. I've found it useful in Vendor Management discussions, on-boarding new systems, and defining red team scenarios; it's kind of a neat Swiss Army Knife for the risk/security analyst.

Like a Swiss Army Knife, the RiskFish does a little bit of everything. It helps you do a wee bit of threat modeling, control analysis, and impact analysis. The knife isn't going to cut down a tree, but you can whittle something nice with it. The RiskFish isn't a formal threat modeling or risk analysis tool, but it can give you a good idea as to what is important and indicate when it's time to bring out a real tool. The RiskFish is not a tool that's going to calculate your risk, make your world candy canes and unicorns, or protect your network. So far, however, it seems pretty useful for helping you sort your thoughts and helping you identify what's important.

Later, we'll talk about using the RiskFish to create the basis for a risk analysis. Then I thought we'd finish out this series of blog posts by discussing how to use the RiskFish to scope a penetration test, argue an audit finding, and finally, architect a new control framework.

Alex Hutton is Director of Technology and Operations Risk at a largish financial institution. He likes risk and security so much that he contributes spare time to industry groups like The Society of Information Risk Analysts.
