top of page
  • Writer's pictureA&P

Visualizing Risk

It can be challenging for people to understand risk. As cybersecurity engineers we can say xyz is a high risk, but all to often non-security people can not comprehend. They often think that no one will bother them. They do not understand there are a variety of attackers out there. Some are just waiting for the right time. Some are opportunistic and are always checking to see what they

can do. People do not always understand they have to be on guard at all times.

One thing that sometimes helps is to draw out an attack tree. This is a roadmap for how someone can attack you so be careful with it. It can not fall into the wrong hands.

Attack trees can help with the visualization. You can think about it like you might think about protecting your house. If a thief wanted to steal your jewelry what would they have to do? Then you can depict that on the diagram.

In the example of the thief you can show in your diagram that the thief might have to go through a fence. Perhaps you have dogs. They have to get through a window or door that is always locked. They have to get through the home security system. You can visualize all the layers of security that is between the thief and the jewels. You might also put in costing information. How much does it cost you for that protection both upfront and ongoing? What would a thief need to bypass? How much is it costing the thief? What type of thief is likely?

Understanding the type of adversary you are facing gives you an idea about what resources they are willing to spend. If your facing a nation state attacker their resources are virtually unlimited. If your facing a script kiddie, they do not necessarily have a lot of resources and are probably going after the easier target.

By drawing things out you can see what you might have missed. There may be an obvious path an attacker can take that is not secured. Do not get caught in the trap of thinking of cybersecurity as only relating to computers. An attacker can walk into your office. An attacker can call you up on the phone. Your cybersecurity program needs to be comprehensive.

32 views0 comments

Recent Posts

See All


bottom of page