Seventeen risk scenarios
Risk is perhaps the most overloaded term in computer security; a risk scenario, by contrast, is a concrete negative event we can plan around. This post serves as a demonstration of the diversity of risks.
It's basically a curated theft of info from this post about risk scenarios from the badthingsdaily Twitter account, so go read those.
A pile of scenarios
- Your company is breached, and badguys steal something
- Your company is not breached, but journalists think it is, leading to some crisis comms
- Your users are harassed on the platform you built
- A tornado destroys your data center
- An RCE is found in your software which is used to murder a journalist
- Your company is kicked out of a country, and you need to get all people and data out as soon as possible.
- The software you wrote physically harms, or kills someone
- You lose a lot of money because of a flaw in your software (example from crypto)
- Your software is used to incite an uprising and ultimately regime change (twitter revolution)
- You fail a compliance check, are audited with a vengeance, and as a result penalized by a regulator or government
- Your employees are kidnapped, or doxxed
- You are compelled to do something and can't. Typically: produce evidence for a government or a trial.
- A piece of infrastructure you rely upon is breached, or backdoored.
- A rogue employee deletes everything, or leaks everything.
- You send millions of dollars to the wrong supplier
- You unknowingly leak competitively interesting information for years: user count via auto-incrementing UIDs, driver capacity (Uber, Lyft), or financial info. This happens via a software flaw, or maybe just by not shredding/encrypting your servers' hard drives upon disposal.
- Your service goes down. It stays down. You earn a reputation for unreliability.
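As an added example (not code from the original post), here is what the auto-incrementing UID leak in the list above actually gives away and one mitigation for it. The observer's side is what anyone can compute from two account creation dates and the sequential ids a site exposes in profile URLs; the `UserStore` class shows the fix of keeping the sequence internal and exposing only an opaque random identifier. The timestamps, ids and class name are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta

# Constructed sample: two accounts created a week apart, with the
# sequential user ids a platform exposed in its profile URLs.
OBSERVED = [
    (datetime(2024, 1, 1), 1_000_000),
    (datetime(2024, 1, 8), 1_035_000),
]


def signups_per_day(observations):
    """What an outsider learns from sequential ids: the sign-up rate.

    Two creation timestamps and their ids are enough; the id itself
    also reveals the running total of accounts ever created.
    """
    (t0, id0), (t1, id1) = observations[0], observations[-1]
    days = (t1 - t0) / timedelta(days=1)
    return (id1 - id0) / days


class UserStore:
    """Mitigation: the database row id stays internal; every public
    surface (URLs, APIs, exports) gets an unguessable opaque id that
    carries no ordering or count information."""

    def __init__(self):
        self._next_row = 1           # internal sequence, never exposed
        self._by_public = {}         # opaque public id -> record

    def create(self, email):
        row = self._next_row
        self._next_row += 1
        public = secrets.token_urlsafe(16)   # 128 random bits, 22 chars
        self._by_public[public] = {"row": row, "email": email}
        return public

    def get(self, public):
        """Lookups are keyed only by the opaque id; an invalid or
        guessed id simply returns None."""
        return self._by_public.get(public)


if __name__ == "__main__":
    print("estimated sign-ups per day:", signups_per_day(OBSERVED))
    store = UserStore()
    first, second = store.create("a@example.com"), store.create("b@example.com")
    print("public ids are unordered:", first, second)
```

The same idea applies to any sequential identifier that reaches the outside (order numbers, invoice numbers, ticket ids): the internal sequence can stay for database purposes, but the value customers and competitors can see should not encode volume.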