Recent risk research shows that the new threat is cyber werewolves, which can cost companies millions in damages every month! (This research was sponsored by the Silver Firewall Group LLC.)
According to the Bad People Project, bad people carry knives and guns. Bad people make explosions. Bad people burn down houses. Bad people have mean-looking dogs. Bad people wear masks.
Bad people wear ripped or patched clothing. Bad people don't shave. Bad people have sharp teeth. Bad people are giants. Bad people wear black. Bad people are ghosts or vampires (but nobody tell those Cullen groupies!).
"But bad people look like everybody else, don't they?" the father of one nine-year-old girl informs us that she asked before she sat down to draw what she thought a bad person would look like.
Interestingly, the point of a risk assessment is to determine vulnerabilities, assets, and threats. So why does a 9-year-old know what so many security professionals don't? Why does she realize that imagining what the threat looks like is just an exercise in creativity, not prediction?
Even though she is doing what they do, aggregating all the sources of bad things she knows about from authority figures, media, first-hand experiences, and anecdotal evidence, she is still able to determine something they can't: you can't predict the threat reliably and therefore you can't determine it.
You especially can't determine if it will be a threat to everyone: what is an e-mail newsletter for you is spam for me, and your SSH authentication process might buckle under brute forcers while mine ignores them gracefully.
Your secretary may be the cat's pajamas, but maybe mine is the queen of not verifying e-mail addresses when sending mail, a threat with potentially cataclysmic results for my business. Threats are not the same for everyone, nor do they affect us all the same way. So why do we put up with risk assessments?
The Bad People Project is a new effort from the open security research non-profit ISECOM, which is trying to compile how kids of different regions, cultures, and norms think about bad people.
This will allow for a better message to kids and for updated and better security and safety rules that don't conflict and that kids can take through life and apply everywhere, whether on the street or online, and regardless of what the threat could be: a fire, a bully, or an abusive authority figure in their lives.
The project doesn't guess what the next big risk for kids will be. It doesn't need to predict the next Internet cyber-threat for kids because the safety and security that the kids will learn can be applied anywhere.
Having children think about what a bad person looks like is not an exercise in determining threats but rather an exercise in figuring out how to shape the message in a way they can all understand.
Risk assessors should take a cue from that technique. Rather than using their predicting skills to make defenses, they should use that creativity to shape current messages instead. The means for building security and safety should never change with the threat; rather, it should grow with interactions, just as it does with children.
As children grow and get more interactive with the world around them, they are in more and more danger of something happening, even if it's falling down stairs. As a server gets more and more interactive with the public, it suffers the same fate. Make rules to control interactions and your servers and children will be safer.
Now somebody loan me the latest cyber threat hype so I can slip my message into the media and get people to understand it.