Writing Better Risk Statements

I found this post on my computer. I can’t remember where it originally was posted (if it was at all), but I found it useful and thought I’d repost it again.

Articulating risks in a clear and concise manner can greatly
assist your company in making the right decisions. A typical example of poor
communication of risk will go something like this:

You:  New vulnerability called heartbleed. It’s
very serious.

Manager: What is the impact?

You: Anything that uses OpenSSL is
potentially exposed.

Manager: What uses OpenSSL?

You: Everything

Manager: Are we hacked?

You: It’s not that simple.

Manager: Why is this more serious
than the last one?

Let’s look at how we can improve it:

Step 1. Structure
your message

Writing a risk statement is essentially storytelling. When
it comes to figuring out how to structure one, it can often help to look at the
world of news journalism.

There’s this one journalistic trope I really like called the
Inverted Pyramid. This is used by virtually every newspaper in order to better
structure and prioritize the facts of a given story.

Although I’m not telling you to write your risk assessment
like something you would see in the Telegraph or The Times, this is something
totally worth learning, as it’ll make it easier to understand by non-technical
readers. Here’s how it works.

Step 2. The headline

In a piece of text written in the Inverted Pyramid style,
the first paragraph essentially encapsulates the story. It contains the “5
Whys” (Who, What, Where, When & Why). The measure of a successful
first paragraph will be whether it allows the reader to understand the essence
of what’s going on, without having to read any further. If you were talking
about Heartbleed, for example, it might look something like this:

“There
was a vulnerability discovered moments ago called heartbleed. It exists in the
OpenSSL cryptography library, which is used by millions of servers for secure
communication.”

Step 3. Add detail

 The following
paragraphs should then add more detail. The more pertinent the detail to the
event or story, the further up it should appear in your risk assessment. Using
the example of Heartbleed, you’d talk about the consequences of the
vulnerability, and its impact:

“This
flaw could see an attacker steal a server’s private keys, session cookies, and
passwords, and poses a risk to secure online communication worldwide.”

“It
is estimated that around 17% (or 500,000) of the Internet’s secure servers are
vulnerable to Heartbleed. The vulnerability does not affect servers running
other TLS implementations, such as GnuTLS, Mozilla’s Network Security Services,
or Microsoft’s own TLS implementation.”

Step 4. Contextualize

With the pertinent details out of the way, now you have an
opportunity to contextualize the vulnerability before you relate it back to the
reader. Feel free to mention technical details, statements by other IT
departments, or what you know about your environment.

One you’re happy that the reader is sufficiently informed
about how the vulnerability works, and the risk it poses to affected systems,
you should then highlight the relevance to the reader and to the organization.

“This
vulnerability is present in a large percentage of our IT infrastructure.
Presently, there is no known detection or audit mechanism available to
determine if we are being attacked, or were attacked. The fact that our
encrypted traffic could be read by others creates a high risk exposure.”

Step 5. Call to
action

A call to action is essentially what it sounds like. You’re
asking the reader to do a particular thing. In the context of a risk statement,
it might read something like this:

“Right
now, I am going to start an audit of our systems to see the severity of our
exposure to Heartbleed. Once that’s finished, I will start patching
immediately. Please arrange an all-hands meeting later this afternoon.”

The action itself depends on your needs. It could be as
large as asking the reader to assign more funds or employees to a particular
problem, or as small as simply asking them to email you if they have any
further questions.

Whatever it is, if you include all of these elements, your
risk statement will allow you to properly articulate the risk to your readers.
They’re now in a better position to understand the risk, and act upon it.

Step 6. Perfecting
your text

Before you wrap up and pat yourself on the back for a job
well done, ensure that your risk assessment reads well. In addition to getting your
grammar and spelling spot-on, you should always try to make sure your
assessment flows well.

I know it sounds a little bit silly, but try reading your
piece aloud to yourself. Whenever I do, I always catch a mistake that I missed
in proofreading.

If you’re in a crowded office environment where that
wouldn’t be possible, consider using a text to speech program. It has the same
effect.

Although it can be a bit hit-or-miss at times, you might
also want to use an automated proofreading program, like Hemingway Editor or
Expresso App. These free web applications will identify areas of concern in
your writing, such as use of passive voice, overly complicated sentences,
misuse of adverbs, and paragraphs that are too long.

Finally, don’t be afraid to share your draft with colleagues
before sending it to the intended recipients. They might catch something that
you may have missed during editing, or have additional insight and detail to
add to your document.

Conclusion

Putting it all together, our risk statement now looks like
this:

There
was a vulnerability discovered moments ago called heartbleed. It exists in the
OpenSSL cryptography library, which is used by millions of servers for secure
communication.

This
flaw could see an attacker steal a server’s private keys, session cookies, and
passwords, and poses a risk to secure online communication worldwide.

It
is estimated that around 17% (or 500,000) of the Internet’s secure servers are
vulnerable to Heartbleed. The vulnerability does not affect servers running other
TLS implementations, such as GnuTLS, Mozilla’s Network Security Services, or
Microsoft’s own TLS implementation.

This
vulnerability is present in a large percentage of our IT infrastructure.
Presently, there is no known detection or audit mechanism available to
determine if we are being attacked, or were attacked. The fact that our
encrypted traffic could be read by others creates a high risk exposure.

Right
now, I am going to start an audit of our systems to see the severity of our
exposure to Heartbleed. Once that’s finished, I will start patching
immediately. Please arrange an all-hands meeting later this afternoon.

Communicating risk to management and non-technical users can
be an uphill battle. However, by ensuring that details are structured properly
and clearly, you can guarantee that your risk statements will have the maximum
intended impact.


*** This is a Security Bloggers Network syndicated blog from J4vv4D authored by j4vv4d. Read the original post at: http://feedproxy.google.com/~r/J4vv4d/~3/P8qqiDsL_n4/