How much risk is associated with a bald tire? It depends...
In this video, Jack Jones walks you through the classic scenario (from his book Measuring and Managing Information Risk: a FAIR Approach) with a lesson about making assumptions and how that affects risk analysis and communication about risk.
Your thinking skills will be challenged -- but it's a great opener for learning the FAIR risk analysis model.
Bald Tire Scenario Video Transcript
One of the tools I use when trying to illustrate to people the challenges we face in risk as a profession is this bald tire scenario, as a way of driving home some important points.
What I do is describe a risk scenario in four simple stages and ask the audience to think about, at each stage, how much risk is represented by what I described.
The first stage is to picture in your mind a bald car tire. It’s so bald that you can hardly tell it ever had any tread on it. Think to yourself, how much risk does that represent?
The second stage is the bald tire is tied to a rope hanging from a tree branch. It’s a tire swing. How much risk is associated with that?
The third stage, you look a little more closely and you see that the rope is frayed about halfway through below where it attaches to the tree branch. So how much risk is associated with that?
Then finally, you see that it’s suspended over an 80-foot cliff with sharp rocks below. How much risk is associated with that?
When I ask people at that last stage to say whether it is high risk, medium risk, or low risk, almost invariably I get an answer that it’s high risk. Someone could fall to the rocks below if the rope broke.
But exactly as described, there’s very little risk because I haven’t described an asset of any real value. I haven’t described a human being on a swing or kids playing in the area or anything like that. That’s an assumption people make.
That’s the first point I try to drive home with that scenario: a big part of risk analysis in our [cyber risk] field or any field has to do with assumption.
What is it exactly we are analyzing?
What are the key factors and variables in play in this scenario?
At the first stage in that scenario, when it was just this bald tire that I mentioned, people are thinking of wet roads and automobiles with people in them, and that’s bad, right?
Then all of a sudden, the second stage: it’s a tire swing, so that’s not so scary, right?
Then at the third stage, I mention there’s a frayed rope, so questions begin to arise in people’s heads about that.
And in the last stage, warning bells go off when I mention the cliff and rocks and that sort of thing.
The point is, at each stage, based on some different information, they make different assumptions and have different levels of concern.
The same thing is true in our [cybersecurity] world. If someone says, “We have an internet server that has lots of vulnerabilities,” warning bells go off.
What are the value or reliability characteristics of the system or the application? What kind of threat pressure is it under? Are there compensating controls? There’s a whole lot of information that needs to be considered before you can have a defensible risk analysis associated with it.
The point is, bottom line, assumptions are critical.
One of the advantages of FAIR is that it’s a framework for critical thinking and for surfacing assumptions and opening those assumptions to dialogue and debate and examination so that at the end of the day it will stand up when somebody starts poking and prodding at it.
The fact that people have varying answers to the fundamental questions about the scenario is a big problem. If one person’s threat is another person’s vulnerability is another person’s risk, that’s a horrible starting point for any analysis or communication about risk.
We can’t agree on foundational terminology. If we can’t get that straight, then everything else is a crap shoot.
The mental models people operate from in their [so-called] risk analysis – you know, it’s ‘medium’ or whatever the case might be – have a horrible starting point because of foundational definitions and terminology.
One of the ways FAIR helps is that it provides clarity around terminology and a way to normalize terminology, so when people are having a dialogue, they aren’t having to experience the confusion and misunderstandings that go along with it when one person’s definition is completely different from someone else’s.
Also, the model provides a way to identify what your assumptions are and surface those so they can be examined and reconciled.
A version of this post was first published April 16, 2016.