As you proceed through each of the steps within the scenario below, ask yourself how much risk is associated with what’s being described.
Picture in your mind a bald car tire. Imagine that it’s so bald you can hardly tell that it ever had tread. How much risk is there?
Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?
Next, imagine that the rope is frayed about halfway through, just below where it’s tied to the tree branch. How much risk is there?
Finally, imagine that the tire swing is suspended over an 80-foot cliff with sharp rocks below. How much risk is there?
Now, identify the following components within the scenario. What were the:
- Threats
- Vulnerabilities
- Risks
Scenario Analysis
Most people believe that the risk is ‘High’ at the last stage of the Bald Tire scenario. The answer, however, is that there is very little probability of significant loss given the scenario exactly as described. Who cares if an empty, old bald tire falls to the rocks below?
Was my question about the amount of risk unfair? Perhaps, and I’ve heard the protests before, “But what if someone climbs on the swing?” and, “The tire’s purpose is to be swung on, so of course we assumed that somebody would eventually climb on it!” Both are reasonable arguments. My point is that it’s easy to make assumptions in risk analysis. In fact, some assumptions are unavoidable because it’s impossible to know every conceivable factor within a risk scenario. However, assumptions about key aspects of the risk environment can seriously weaken the overall analysis.
The second point I’d like to make is that, from any group that goes through the Bald Tire scenario, I’ll typically get several different descriptions of what constitutes the threat, vulnerability, and risk within the scenario. I’ve heard the frayed rope described as threat, vulnerability, and risk. I’ve also heard the cliff and rocks described as threat, vulnerability, and risk. The simple fact is that we, as a profession, have not adopted standard definitions for our terms. In informal discussions amongst ourselves, this may not always be a significant problem, as we typically understand what is meant from the context of the conversation. Consider, however, that physicists don’t confuse terms like mass, weight, and velocity, and financial professionals don’t confuse debit and credit, even in informal discussions, because to do so significantly increases the opportunity for confusion and misunderstanding. This is important to keep in mind when we’re trying to communicate with those outside our profession, particularly sharp executives who are very familiar with the fundamental concepts of risk; with that audience, misuse of terms and concepts can damage our credibility as professionals and reduce the effectiveness of our message.
A third point is that you can’t have significant risk without the potential for significant loss. In other words, it doesn’t matter how exposed to harm an asset is, if the asset ain’t worth much, the risk ain’t high. This is because risk always includes a value component. If it didn’t, betting a million dollars would be equivalent to betting one dollar.
A final point is that there’s a tendency to equate vulnerability with risk. We see a frayed rope (or a server that isn’t properly configured) and automatically conclude that the risk is high. Is there a correlation between vulnerability and risk? Yes. Is the correlation linear? No, because vulnerability is only one component of risk. Threat event frequency and loss magnitude also are key parts of the risk equation.
So, what are the asset, threat, vulnerability, and risk components within the Bald Tire scenario? The definitions and rationale are described more specifically further on, but, simply stated:
- The asset is the bald tire
- The threat is the earth and the force of gravity that it applies to the tire and rope
- The potential vulnerability is the frayed rope (disregarding the potential for a rotten tree branch, etc.)
What about risk? Which part of the scenario represents risk? Well, the fact is, there isn’t a single component within the scenario that we can point to and say, “Here is the risk.” Risk is not a thing. We can’t see it, touch it, or measure it directly. Similar to speed, which is derived from distance divided by time, risk is a derived value. It’s derived from the combination of threat event frequency, vulnerability, and asset value and liability characteristics.
Having made an issue of terminology, the following paragraphs introduce and briefly discuss some basic definitions.
Threat
A reasonable definition for Threat is anything (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.
Vulnerability
You may have wondered why “potential” is emphasized when I identified the frayed rope as a potential vulnerability. The reason it’s only a potential vulnerability is that we first have to ask the question, “Vulnerable to what?” If our frayed rope still had a tensile strength of 2000 pounds per square inch, its vulnerability to the weight of a tire would, for all practical purposes, be virtually zero. If our scenario had included a squirrel gnawing on the frayed rope, then he also would be considered a threat, and the rope’s hardness would determine its vulnerability to that threat. A steel cable (even a frayed one) would not be particularly vulnerable to our furry friend. The point is that vulnerability is always dependent upon the type and level of force being applied.
Asset
In the context of information risk, we can define Asset as any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss. The question is often asked whether corporate reputation is an asset. Clearly, reputation is an important asset to an organization, yet it doesn’t qualify as an information asset given our definition. Yes, reputation can be damaged, but that is a downstream outcome of an event rather than the primary asset within an event. For example, reputation damage can result from public disclosure of sensitive customer information, but the primary asset in such an event is the customer information.
Risk
The following definition applies regardless of whether you’re talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains:
Risk: The probable frequency and probable magnitude of future loss
In other words, “how frequently something bad is likely to happen, and how much loss is likely to result.” As stated above, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.
Other Factors
So, where do the cliff and rocks fit into the risk equation? They aren’t threat agents because they don’t precipitate an event and, clearly, they aren’t vulnerabilities that allow an event to occur. Consequently, these components can be considered secondary loss factors because their existence contributes to the magnitude of loss from an event. A real world example would be the fines and sanctions levied by regulatory agencies following an information security event. The regulations and regulators aren’t the agents that commit a breach, so they aren’t threats in the context of the event. They also aren’t a technological, procedural, or other weakness that allowed the breach to occur. Nonetheless, they play a role in how much loss occurs and therefore must be included in our risk analysis. (Note, however, that there are scenarios in which regulators can be classified as threat agents, i.e., when they perform an audit.)
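As an added illustration (this code is not part of the original post and is not the FAIR framework’s own tooling), the following Python models the stages of the Bald Tire scenario with the derived quantities described above: loss event frequency from threat event frequency and vulnerability, loss magnitude from the asset’s value plus secondary loss factors, and risk as the product of the two. Every frequency, probability and dollar figure, the injury-liability and fine amounts, and the rating thresholds in `rate()` are constructed assumptions made for the example.

```python
"""
Added example (not from the original post): a minimal FAIR-style calculation
showing that risk is a derived value rather than a component you can point to.

    loss event frequency = threat event frequency * vulnerability
    loss magnitude       = primary loss + secondary loss
    risk (annualized)    = loss event frequency * loss magnitude

Every number below is constructed for illustration; the thresholds in
rate() are assumptions, not part of FAIR.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: float  # threat events per year (here: daily load cycles gravity puts on the rope)
    vulnerability: float           # probability that one threat event becomes a loss event, 0..1
    primary_loss: float            # value of the asset lost in one loss event, in dollars
    secondary_loss: float = 0.0    # loss added by secondary loss factors (rocks below, regulatory fines)

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability is a probability and must lie in [0, 1]")
        if min(self.threat_event_frequency, self.primary_loss, self.secondary_loss) < 0:
            raise ValueError("frequencies and losses cannot be negative")

    def loss_event_frequency(self) -> float:
        """Expected loss events per year: how often the threat actually succeeds."""
        return self.threat_event_frequency * self.vulnerability

    def loss_magnitude(self) -> float:
        """Expected loss per loss event, including secondary loss factors."""
        return self.primary_loss + self.secondary_loss

    def annualized_risk(self) -> float:
        """Risk = probable frequency x probable magnitude of future loss (expected annual loss)."""
        return self.loss_event_frequency() * self.loss_magnitude()


def rate(risk: float, low: float = 100.0, high: float = 10_000.0) -> str:
    """Bucket an expected annual loss into a qualitative rating (thresholds are constructed)."""
    if risk < low:
        return "Low"
    if risk < high:
        return "Medium"
    return "High"


# The four stages of the Bald Tire scenario: an old tire assumed to be worth about $5.
OLD_TIRE = 5.0
STAGES = [
    # No rope and no height: gravity has nowhere to drop the tire, so no threat events occur.
    Scenario("1. bald tire on the ground", 0.0, 0.0, OLD_TIRE),
    # A sound rope is loaded every day but almost never fails.
    Scenario("2. tire hung from a sound rope", 365.0, 0.00001, OLD_TIRE),
    # A rope frayed halfway through: the probability of failure per load rises sharply.
    Scenario("3. rope frayed halfway through", 365.0, 0.001, OLD_TIRE),
    # The cliff and rocks are secondary loss factors: they finish the tire off but do not cause the fall.
    Scenario("4. frayed rope over an 80-foot cliff", 365.0, 0.001, OLD_TIRE, secondary_loss=OLD_TIRE),
]

# Same threat, same vulnerability, different asset: a person on the swing. The loss is
# now an injury liability (constructed figure), not a $5 tire.
SOMEONE_ON_SWING = Scenario("4b. same rope and cliff, child on the swing", 365.0, 0.001, 500_000.0)

# Information-risk analogue of the rocks: regulatory fines as a secondary loss factor.
BREACH = Scenario("customer data breach, unregulated", 1.0, 0.1, 50_000.0)
BREACH_REGULATED = Scenario("customer data breach, regulated", 1.0, 0.1, 50_000.0, secondary_loss=250_000.0)


def report(scenarios) -> list[tuple[str, float, str]]:
    """Return (name, expected annual loss, rating) for each scenario."""
    return [(s.name, s.annualized_risk(), rate(s.annualized_risk())) for s in scenarios]


if __name__ == "__main__":
    for name, risk, rating in report(STAGES + [SOMEONE_ON_SWING, BREACH, BREACH_REGULATED]):
        print(f"{name:<45} expected annual loss ${risk:>12,.2f}  {rating}")
```

Running the script prints one line per scenario. Stages 3 and 4 share the same loss event frequency, so the cliff changes only the magnitude term; putting a person on the swing leaves frequency and vulnerability untouched and still moves the rating from Low to High, which is the “betting a million dollars versus one dollar” point. The two breach scenarios show regulatory fines entering the calculation the same way the rocks do: as secondary loss, not as threat or vulnerability.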
January 10th, 2007 at 4:07 pm
On the right track, but weak example.
The actual asset is the swing, not the tire. This is not an assumption. It comes from function or purpose. Value is derived from this, which is what makes a resource an ‘asset.’ You cannot discern the value of an asset unless you have discretely defined it. All other labels are derived from an accurate definition of the resource being analyzed. If one does not accurately identify and target this, all other derived information will be weak. The key is observation and asking the right questions. Right perception appears to be the basis of all security, not just risk analysis.
Thanks.
January 11th, 2007 at 5:53 am
[...] A Brother in Risk, by Richard Bejtlich: I write about risk, threat, and other security definitions fairly regularly. Lo and behold I just read a post by someone else who shares my approach. This is a must read. How did you react to the story? [...]
February 17th, 2007 at 1:58 pm
Chip:
You’re absolutely correct. In fact, “the swing” itself would represent the business process – and as you’ve already divined, risk is best examined in the context of business process rather than a discrete asset.
However, most practitioners are still worried only about a discrete asset because that’s the context of their scanner output (when a hammer is your only tool, everything is a nail syndrome). As such, the introductory curriculum speaks in these terms. It isn’t until later that we introduce the concept of business processes and risk (crawl, then walk).
July 29th, 2007 at 9:20 pm
I accept the tyre is the asset under some circumstances but if the asset is defined as “what we want to protect” then I’d venture that the asset is anything that relies on the tyre/rope/branch “system”. The assumption that a dangerous swing would be used is not unrealistic and at this point the asset could be a human life and the threat could be the swing itself, rather than the gravity/rocks combination – which is always there and not much of a threat in itself.
October 27th, 2008 at 10:43 pm
A good way eh? Sometimes I just have to go with my eclectic bench I have a nice joke for you people!
What do you get if you cross a hippo and a blackbird? Lots of broken telephone poles!
February 23rd, 2009 at 4:13 pm
The asset is always people (and in a larger context an organization). If the swing is never used and no one ever walks under or around the swing, there is no significant risk to anyone. This is true with information risk as well. If information is lost or posted, or made available in ways it shouldn’t be, there is no consequence unless someone decides to use it to the detriment of the information asset owner. This is what people (and organizations) are really worried about…the THREAT agents. So in general, in order to manage information risk more effectively focus less on the asset itself and focus more on the threat agents (most) and vulnerabilities (second most). Start there and drive scope and focus from the threatening uses of the information, not the other way around. So, to re-cap: do not focus on the swing, instead focus on the potential riders of the tire swing and the innocent bystanders standing below and around the swing.
April 13th, 2009 at 4:04 am
I like this theme you are using… what is it?
September 8th, 2009 at 7:43 am
Scenario 1:
Asset: Tire
Objective: Maintain tire safety
Threat: Event: Tire falling; Source: gravity
Impact: Potential damage to tire
Vulnerabilities:
1. Placement of tire over 80 foot cliff (increases impact)
2. Sharp rocks at bottom of cliff (increases impact)
3. Frayed rope (increases likelihood)
Scenario 2:
Asset: People
Objective: Maintain people safety
Threat: Event: Falling from swing; Source: Gravity
Impact: Potential injury to person
Vulnerabilities:
1. Placement of tire over 80 foot cliff (increases impact)
2. Sharp rocks at bottom of cliff (increases impact)
3. Frayed rope (increases likelihood)
With either scenario, your risk rating will likely be determined by the value placed on the asset. The first two vulnerabilities will likely shift the impact to the higher end of its scale.
November 16th, 2009 at 8:26 pm
Scenario 2
Asset: Tire Swing Trap
Objective: Lure unsuspecting people into falling onto rocks below
Threat 1: Potential target will notice dangerous situation
Threat 2: Do-gooder puts up a “Danger” sign
Impact: I (the troll who lives at the bottom) go hungry
Vulnerability: Situation looks rather dangerous on the surface.
Countermeasure: Make rope look more sturdy than it really is.
A bit of a silly scenario but the point here is that you can’t even start with risk analysis until you understand the business mission and the objectives of the critical systems.
Risk assessment is not a cookie cutter approach and a set of threat and vulnerabilities do not affect all customers the same.
March 1st, 2010 at 4:45 pm
available for exclusive license to manufacture and/ or market unique safe revolutionary SAFETY TIRES. no more guessing, deter LOSS OF LIFE new safety technique visible in all conditions special visibility at night untrained naked eye sees when to change tires will decrease insurance premiums potential of being #1 tire worldwide easy fit into all existing lines of tires NO MORE BALD TIRES NO MORE PENNY/QUARTER TESTING affordable and needed may we have the opportunity to demonstrate for you or your representative?
March 5th, 2010 at 8:50 am
I’m glad I know what to look for. It gets quite boring staring at this screen all day but, I found your perspective superbly informative. Might I ask what other Discreet products you use or plan to use?
March 14th, 2010 at 1:14 pm
Interesting, this is what I needed. Thanks
July 22nd, 2010 at 6:40 pm
Thanks for the fresh info, good material!
Introduction to FAIR » The Bald Tire Scenario
July 29th, 2010 at 6:52 pm
Interesting stuff you talk about here. Pretty much a one sided argument don’t you think?
August 19th, 2010 at 4:51 pm
It would seem that quantifying ‘risk’ (or even WHAT the asset/threat/vuln is) is so subjective, that nobody really ever agrees 100%. The right answer seems to be the one supported by the guy who speaks (shouts) with the most conviction. In my experience so far, you risk guys all hate each other, and tell anyone who will listen that ‘those other guys don’t really get it’.
I like this concept, and my confidence in this field is growing every time I see the arguing. =)