Thank you to James Meikle for contributing his expertise to support the Demystify Cyber project.
BBQing Risks Steakments
Statements
Risk statements have the power to deliver a
strong message to people from all backgrounds on something bad that might
happen. To be clearly understood, common language should be used. There are a
few different ways to formulate risk statements; this is just one of the common
ones.
PS: We all need an acronym swear jar!
As I would like to see more powerful messages
and I like Aussie BBQs, it is time for a combo!
Diving in: at BBQs you usually need a story. To keep
the interest going, use common tongue and use Aussie slang rarely. You tell a story,
and you hope people understand it. Your feedback is provided by still having an
audience, and as you practice you get better at it. There is a formula for
success in storytelling – it's watchable if you do not do this yourself.
A formula is also needed for successful risk talking.
Let us try a minimal one (in BBQ speak) and yes, I had to change it for the
example – but it is still based on a true story in our very own Gold Coast of
Australia!
“Our family fun day on a whale sighting trip may
be ruined by naughty jet skiers that get too close scaring off whales resulting
in no fun and children in tears.”
This is going to get a bit quirky, but let us
try to take this apart. My rough translation of talking risk is people trying to explain
the effect of uncertainty against what they want to occur so they can help the
situation.
Event
An event is something that happens due to
something else that disrupts its objective. In this example the objective is
family fun, and the event is a whale sighting tour. Keep it to one event per
statement.
“Our family fun day while on a whale sighting
trip may be ruined”
Cause
The jet skis cannot be linked directly to
kids crying their little hearts out, as the effect of their being there is scaring
whales. Cause and event can be mixed up if you are not careful – events have
objectives; causes do not. There can be more than one cause.
“… by naughty jet skiers that get too close
scaring off whales”
Consequence
The worst examined outcome for the day was whales
not being seen on a (first-time) sightseeing tour, with crying kids and a ruined
day. I always seem to focus on this one since it is the meaty part of why we
should care about the risk. There can be more than one consequence.
“… resulting in no fun and children in tears”
Okay, since my BBQ stories have happy endings
when involving children, I must add this bit…
“The day was saved by instant karma when the
pair were intercepted by the cops, waved at by a few really happy children and
camera people. Kids got to see a whale. Day saved!”
It has been said before: we cyber people must
speak many languages, but common is the most important.
My quick tips
1. Use common language.
2. Use specific industry language sparingly - only if you must (Aussie slang at BBQs!).
3. Use an obvious formula like:
There is a risk that “Event” occurs that can be “caused by” resulting in “the
bad thing”.
4. Use your voice and read them out loud (take care of your surroundings, people).
5. Use the basic one you come up with to build on what you have and add to the narrative.
Break up the statement using spreadsheeting or other tools to make it easier to
consume, if appropriate.
6. Use ISACA’s good quality risk statement questions to sound out your content:
What could happen, Why could it happen, Why do we care.