03:18 PM
Alex Hutton

Introducing: The RiskFish

In this first article, I'd like to give you a simple tool to help you better understand and categorize risk and security scenarios. We call it "The RiskFish" -- and it's free to use.

"I'm having a hard time figuring out where our risk really is here..."

If you've ever had an interesting audit finding, threat scenario, or risk analysis, or generally found yourself needing to help the business sort through its thoughts about exactly what's going on, then this blog post is for you.

Before we dive in, I should introduce myself. I am a risk manager. My name is Alex, and I work for a largish financial institution where I am a director of technology and operations risk. My information security/risk management background comes from my previous work in risk intelligence at Verizon, where I was part of the Data Breach Investigations Report (DBIR) team, working with Jack Jones setting up IRM/ERM shops and teaching FAIR, and working with Brent Huston doing OCTAVE/NIST stuff "way back" in the 2001-2005 time frame. Prior to that, I was a product manager for a firewall/VPN solution for five years.

In the 10 years I've been working around information risk management, I've learned that security and risk are pretty complex. In fact, I don't think it would be a stretch to say that we're working with complex adaptive systems in our profession. This complexity makes it challenging to understand risk, and it can mean that we have difficulty communicating risk.

The good news is that, in my experience, once you have some formalization around definition and modeling, risk management becomes 80 percent communication methods. So in this inaugural series of posts, I'd like to share with you a little tool to help risk and security folks communicate the situation at hand. I call it "The RiskFish."

What Is The RiskFish?
The concept is simple: Take an Ishikawa (fishbone) diagram, originally created for root cause analysis in manufacturing, and hack it up a bit so that it works for security and risk. The means to provide clarity and definition? We'll use VERIS, the community licensed/released framework used by Verizon to create the DBIR. So where a manufacturing root cause analysis uses categories such as Personnel, Materials, Measurements, Environment, Methods, and Machines, we will use the following:

(business unit or victim) Demographics
(threat) Agents
(threat) Actions
(business) Assets
(security) Controls
(security) Attributes
(financial) Impacts

How To Use The RiskFish
Basically, the RiskFish is a brainstorming tool. It's designed to help you sort out your thoughts. You simply take whatever scenario you're looking at, identify which branch of the fish diagram you're talking about, and use VERIS to clarify all of the risk elements you think you might want to consider. I've found that VERIS provides pretty good definition and clarity; it has been used to describe thousands of incidents in Verizon's DBIR. Because Verizon has used VERIS for years, anything you think of should be identifiable and describable with it. If you come up with something unique that VERIS doesn't cover, then the community nature of VERIS means you can contribute to the XML schema and definitions at the VERIS community website.

So using VERIS, the diagram helps you identify a high-level category to discuss what you're thinking about. If I'm worried about malicious insiders, for example, I would go to the Agent branch and write down "insider." Then, if I wanted to get more specific, the VERIS community website has metadata associated with "insider." So I might write down "insider - privileged - auditor" if I wanted to describe a specific case where I'm worried an auditor might go rogue. Maybe then I'd match up an action of "Misuse" and circle some of the impact categories that I think might apply. I can do more threat modeling in the bottom part of the diagram, picking actions against assets, attributes that would be compromised, and so forth. And it's totally OK to have more than one thing appear in any one branch; again, this is brainstorming. The important part is to get it all down on paper and then start identifying relationships and connections between the branches.

All of the classification metadata you can associate with these top-level categories can be found at the VERIS Community website, except for controls. For now, that branch is "young," and I would welcome industry contributions to help mature that (or any other) category.
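As an added example (not from the article or from SIRA's RiskFish PDF), here is the walkthrough above as a small Python script: entries go on the seven branches, blank branches are flagged as the next question for the business, and the "relationships between the branches" step is the Agent x Action x Asset x Attribute chains. The branch names are the article's; VOCAB, the entry paths and the function names are constructed for illustration and are not the VERIS schema.

```python
"""Added example, not part of the article or of SIRA's RiskFish: a text-only
RiskFish that records brainstorm entries per branch, flags branches nobody
has written on, and enumerates the Agent/Action/Asset/Attribute chains."""
from itertools import product

BRANCHES = ["Demographics", "Agents", "Actions", "Assets",
            "Controls", "Attributes", "Impacts"]

# Constructed vocabulary (hypothetical subset, not VERIS): first path element only.
VOCAB = {
    "Agents": {"insider", "partner", "external"},
    "Actions": {"misuse", "hacking", "malware", "error"},
    "Attributes": {"confidentiality", "integrity", "availability"},
}

def new_fish():
    return {b: [] for b in BRANCHES}

def add(fish, branch, *path):
    """Write one entry on a branch, e.g. "insider - privileged - auditor"."""
    if branch not in fish:
        raise KeyError(f"unknown branch {branch!r}")
    if branch in VOCAB and path[0].lower() not in VOCAB[branch]:
        raise ValueError(f"{path[0]!r} is not a known {branch} term")
    fish[branch].append(" - ".join(path))
    return fish

def empty_branches(fish):
    """Branches still blank: the next question to put to the business."""
    return [b for b in BRANCHES if not fish[b]]

def threat_paths(fish):
    """Every Agent x Action x Asset x Attribute chain worth a conversation;
    this is the 'relationships between the branches' step."""
    return list(product(fish["Agents"], fish["Actions"],
                        fish["Assets"], fish["Attributes"]))

def render(fish, head):
    """Plain-text fishbone: one rib per branch, the scenario at the head."""
    rows = [f"{b:>12} |-- " + ("; ".join(fish[b]) or "(blank)") for b in BRANCHES]
    rows.append(" " * 13 + "+==> " + head)
    return "\n".join(rows)

if __name__ == "__main__":
    f = new_fish()
    for entry in [("Agents", "insider", "privileged", "auditor"), ("Actions", "Misuse"),
                  ("Assets", "audit workpapers"), ("Attributes", "confidentiality")]:
        add(f, *entry)
    print(render(f, "Auditor goes rogue"), "\nStill blank:", empty_branches(f))
```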

Speaking of contributing, I've tried to make the RiskFish as "free" as possible by releasing it under a Creative Commons license. You can use it for free; you just can't charge for it, and if you improve it, we ask that you share back to the world. I say "we" because the RiskFish is now formally under the stewardship of the Society of Information Risk Analysts (SIRA). There's no fee to join SIRA, and you can just sign up for the mailing list and get your hands dirty if you want to learn a little bit more about it, talk to people who are using the RiskFish, or even contribute to its evolution.

So feel free to download a .pdf file of the RiskFish from the SIRA website.

Where To Use The RiskFish
I've found the RiskFish to be really useful in discussions with the business, particularly as a tool to help it sort out its concerns. I've found it useful in vendor management discussions, on-boarding new systems, defining red team scenarios, risk scenarios... it's kind of a neat Swiss Army Knife for the risk/security analyst.

Like a Swiss Army Knife, the RiskFish does a little bit of everything. It helps you do a wee bit of threat modeling, control analysis, and impact analysis. The knife isn't going to cut down a tree, but you can whittle something nice with it. The RiskFish isn't a formal threat modeling or risk analysis tool, but it can give you a good idea as to what is important and indicate when it's time to bring out a real tool. The RiskFish is not a tool that's going to calculate your risk, make your world candy canes and unicorns, or protect your network. So far, however, it seems pretty useful for helping you sort your thoughts and helping you identify what's important.

Later, we'll talk about using the RiskFish to create the basis for a risk analysis. Then I thought we'd finish out this series of blog posts by discussing how to use the RiskFish to scope a penetration test, argue an audit finding, and finally, architect a new control framework.

Alex Hutton is Director of Technology and Operations Risk at a largish financial institution. He likes risk and security so much that he contributes spare time to industry groups like The Society of Information Risk Analysts.
