03:18 PM
Alex Hutton

Introducing: The RiskFish

In this first article, I'd like to give you a simple tool to help you better understand and categorize risk and security scenarios. We call it "The RiskFish" -- and it's free to use.

"I'm having a hard time figuring out where our risk really is here..."

If you've ever had an interesting audit finding, threat scenario, or risk analysis, or generally found yourself needing to help the business sort through its thoughts about exactly what's going on, then this blog post is for you.

Before we dive in, I should introduce myself. I am a risk manager. My name is Alex, and I work for a largish financial institution where I am a director of technology and operations risk. My information security/risk management background comes from my previous work in risk intelligence at Verizon, where I was part of the Data Breach Investigations Report (DBIR) team, working with Jack Jones setting up IRM/ERM shops and teaching FAIR, and working with Brent Huston doing OCTAVE/NIST stuff "way back" in the 2001-2005 time frame. Prior to that, I was a product manager for a firewall/VPN solution for five years.

So in the past 10 years I've been working around information risk management, I've learned that security and risk are pretty complex. In fact, I don't think it would be a stretch to say that we're working with complex adaptive systems in our profession. This complexity makes it challenging to understand risk, and it can mean that we have difficulty communicating risk.

The good news is that, in my experience, once you have some formalization around definition and modeling, risk management becomes 80 percent communication methods. So in this inaugural series of posts, I'd like to share with you a little tool to help risk and security folks communicate the situation at hand. I call it "The RiskFish."

What Is The RiskFish?
The concept is simple: Take an Ishikawa or Fish Diagram that was originally created for root cause analysis in manufacturing, and then hack it up a bit so that it works for security and risk. The means to provide clarity and definition? We'll use VERIS, the community licensed/released framework used by Verizon to create the DBIR. So where a manufacturing root cause analysis is going to include categories such as Personnel, Materials, Measurements, Environment, Methods, and Machines, we will use the following:

(business unit or victim) Demographics
(threat) Agents
(threat) Actions
(business) Assets
(security) Controls
(security) Attributes
(financial) Impacts

How To Use The RiskFish
Basically, the RiskFish is a brainstorm tool. It's designed to help you sort out your thoughts. You simply take whatever scenario you're looking at -- identify categorically which part of the fish diagram you're talking about -- and use VERIS to clarify all of the risk elements you think you might want to consider. I've found that VERIS provides pretty good definition and clarity; it has been used to describe thousands of incidents in Verizon's DBIR. Because Verizon has used VERIS for years, anything you think of should be identifiable and describable using the tool. If you come up with something unique and not covered in VERIS, then the community nature of VERIS means that you can contribute to the XML schema and definitions at the VERIS community website.

So using VERIS, what the diagram does is help you identify a high-level category to discuss what you're thinking about. If I'm worried about malicious insiders, for example, I would go to the Agent branch and write down "insider." Then, if I wanted to get more specific, the VERIS community website has metadata associated with "insider." So I might write down "insider - privileged - auditor" if I wanted to describe a specific case where I'm worried an auditor might go rogue. Maybe then I'd match up an action of "Misuse" and circle some of the impact categories that I think might apply. I can do more threat modeling in the bottom part of the diagram, picking actions against assets, attributes that would be compromised, and so forth. And it's totally OK to have more than one thing appear in any one branch; again, this is brainstorming. The important part is to get it all down on paper and then start identifying relationships and connections between the branches.

All of the classification metadata you can associate with these top-level categories can be found at the VERIS Community website, except for controls. For now, that branch is "young," and I would welcome industry contributions to help mature that (or any other) category.
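As an added illustration (not from the original post, nor SIRA's or VERIS's own code), here is a small Python model of a RiskFish: the seven branches above, VERIS-style hierarchical entries such as "insider - privileged - auditor," and the cross-branch combinations you would then review for real relationships. The rogue-auditor scenario follows the text; the asset, control, demographic and impact values are constructed.

```python
"""RiskFish scenario capture: the seven VERIS-derived branches of the fishbone,
filled in by brainstorming, then cross-linked. Entry values are constructed."""
from itertools import product

BRANCHES = ("Demographics", "Agents", "Actions", "Assets",
            "Controls", "Attributes", "Impacts")
# The four branches the post uses for threat modeling in the bottom half
THREAT_BRANCHES = ("Agents", "Actions", "Assets", "Attributes")

class RiskFish:
    def __init__(self, title):
        self.title = title
        self.branches = {b: [] for b in BRANCHES}

    def add(self, branch, *path):
        """Record one entry; path is VERIS-style metadata, general first,
        e.g. add("Agents", "insider", "privileged", "auditor")."""
        if branch not in self.branches:
            raise ValueError(f"unknown branch {branch!r}; use one of {BRANCHES}")
        self.branches[branch].append(" - ".join(path))
        return self

    def threat_paths(self):
        """Every Agent x Action x Asset x Attribute combination written down:
        the candidate relationships to accept or strike out in review."""
        lists = [self.branches[b] for b in THREAT_BRANCHES]
        if not all(lists):
            return []  # a branch is still empty; nothing to cross-link yet
        return [dict(zip(THREAT_BRANCHES, combo)) for combo in product(*lists)]

    def render(self):
        """Plain-text fishbone: one rib per branch, entries listed on it."""
        lines = [f"{self.title} <==="]
        for b in BRANCHES:
            entries = ", ".join(self.branches[b]) or "(empty)"
            lines.append(f"  \\ {b:<12} : {entries}")
        return "\n".join(lines)

def rogue_auditor_example():
    """The post's rogue-auditor scenario; assets, controls and impacts are
    constructed here to fill out the fish."""
    return (RiskFish("Rogue auditor misuses access")
            .add("Demographics", "finance", "internal audit")  # constructed
            .add("Agents", "insider", "privileged", "auditor")
            .add("Actions", "Misuse")
            .add("Assets", "general ledger database")           # constructed
            .add("Assets", "audit workpapers")                  # constructed
            .add("Attributes", "Confidentiality")
            .add("Attributes", "Integrity")
            .add("Controls", "periodic access review")          # constructed
            .add("Impacts", "regulatory"))                      # constructed
```

With one agent, one action, two assets and two attributes, `threat_paths()` yields four candidate relationships to argue over; the point is to make the brainstorm's combinations explicit before deciding which ones deserve a real analysis.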

Speaking of contributing, I've tried to make the RiskFish as "free" as possible by releasing it under a creative-commons license. You can use it for free; you just can't charge for it, and if you improve it, we ask that you share back to the world. I say "we" because the RiskFish is now formally under the stewardship of the Society of Information Risk Analysts (SIRA). There's no fee to join SIRA, and you can just sign up for the mailing list and get your hands dirty if you want to learn a little bit more about it, talk to people who are using the RiskFish, or even contribute to its evolution.

So feel free to download a .pdf file of the RiskFish from the SIRA website.

Where To Use The RiskFish
I've found using the RiskFish to be really useful in discussions with the business, particularly as a tool to help it sort out its concerns. I've found it useful in Vendor Management discussions, on-boarding new systems, defining red team scenarios, risk scenarios...it's kind of a neat Swiss Army Knife for the risk/security analyst.

Like a Swiss Army Knife, the RiskFish does a little bit of everything. It helps you do a wee bit of threat modeling, control analysis, and impact analysis. The knife isn't going to cut down a tree, but you can whittle something nice with it. The RiskFish isn't a formal threat modeling or risk analysis tool, but it can give you a good idea as to what is important and indicate when it's time to bring out a real tool. The RiskFish is not a tool that's going to calculate your risk, make your world candy canes and unicorns, or protect your network. So far, however, it seems pretty useful for helping you sort your thoughts and helping you identify what's important.

Later, we'll talk about using the RiskFish to create the basis for a risk analysis. Then I thought we'd finish out this series of blog posts by discussing how to use the RiskFish to scope a penetration test, argue an audit finding, and finally, architect a new control framework.

Alex Hutton is Director of Technology and Operations Risk at a largish financial institution. He likes risk and security so much that he contributes spare time to industry groups like The Society of Information Risk Analysts.
