Writing Risk Statements in Infosec

March 3, 2016  |  Javvad Malik

How Hackers Can Communicate Like a Hack

You're a security professional. Many of the things you see on a daily basis terrify you. Heartbleed and Shellshock shook you to your core, but that's because you knew how they worked, and how serious their implications were. Nobody had to tell you that these vulnerabilities were big deals.

But the same isn't true for non-technical users, for whom it can be an uphill struggle to understand the risks and issues involved in computer security.

When it comes to communicating about risk, the best strategy you can adopt is to put everything into a written risk statement. Here are some strategies you can use to format the perfect one.

Structuring Your Message: an Example

Writing a risk statement is essentially storytelling. When it comes to figuring out how to structure one, it can often help to look at the world of news journalism.

There's this one journalistic trope I really like called the Inverted Pyramid. This is used by virtually every newspaper in order to better structure and prioritize the facts of a given story.

Although I'm not telling you to write your risk assessment like something you would see in the Telegraph or The Times, this is something totally worth learning, as it'll make it easier to understand by non-technical readers. Here's how it works.

writing a risk statement using the pyramid model from journalism

In a piece of text written in the Inverted Pyramid style, the first paragraph essentially encapsulates the story. It contains the "5 Whys" (Who, What, Where, When & Why). The measure of a successful first paragraph will be whether it allows the reader to understand the essence of what's going on, without having to read any further. If you were talking about Heartbleed, for example, it might look something like this:

"Moments ago, a vulnerability was discovered in the OpenSSL cryptography library, which is used by millions of servers for secure communication."

The following paragraphs should then add more detail. The more pertinent the detail to the event or story, the further up it should appear in your risk assessment. Using the example of Heartbleed, you'd talk about the consequences of the vulnerability, and its impact:

"This flaw could see an attacker steal a server's private keys, session cookies, and passwords, and poses a risk to secure online communication worldwide."

"It is estimated that around 17% (or 500,000) of the Internet's secure servers are vulnerable to Heartbleed. The vulnerability does not affect servers running other TLS implementations, such as GnuTLS, Mozilla's Network Security Services, or Microsoft's own TLS implementation."

With the pertinent details out of the way, now you have an opportunity to contextualize the vulnerability before you relate it back to the reader. Feel free to mention technical details, statements by industry leaders and experts, as well as news coverage here.

One you're happy that the reader is sufficiently informed about how the vulnerability works, and the risk it poses to affected systems, you should then highlight the relevance to the reader and to the organization.

"This vulnerability is present in a large percentage of our IT infrastructure. Presently, there is no known detection or audit mechanism available to determine if we are being attacked, or were attacked. The fact that our encrypted traffic could be read by others creates a high risk exposure."

Then, we would conclude the risk assessment with a "call to action".

Call The Reader To Action

A call to action is essentially what it sounds like. You're asking the reader to do a particular thing. In the context of a risk statement, it might read something like this:

"Right now, I am going to start an audit of our systems to see the severity of our exposure to Heartbleed. Once that's finished, I will start patching immediately. Please arrange an all-hands meeting later this afternoon."

The action itself depends on your needs. It could be as large as asking the reader to assign more funds or employees to a particular problem, or as small as simply asking them to email you if they have any further questions.

Whatever it is, if you include all of these elements, your risk statement will allow you to properly articulate the risk to your readers. They're now in a better position to understand the risk, and act upon it.

Perfecting Your Text

Before we wrap up, let's touch on how to ensure that your risk assessment reads well. In addition to getting your grammar and spelling spot-on, you should always try to make sure your assessment flows well.

I know it sounds a little bit silly, but try reading your piece aloud to yourself. Whenever I do, I always catch a mistake that I missed in proofreading.

If you're in a crowded office environment where that wouldn't be possible, consider using a text to speech program. It has the same effect.

Although it can be a bit hit-or-miss at times, you might also want to use an automated proofreading program, like Hemingway Editor or Expresso App. These free web applications will identify areas of concern in your writing, such as use of passive voice, overly complicated sentences, misuse of adverbs, and paragraphs that are too long.

Finally, don't be afraid to share your draft with colleagues before sending it to the intended recipients. They might catch something that you may have missed during editing, or have additional insight and detail to add to your document.

Communicating Risk Can Be Easy

Communicating risk to management and non-technical users can be an uphill battle. However, by ensuring that details are structured properly and clearly, you can guarantee that your risk statements will have the maximum intended impact.

Share this with others

Get price Free trial