Specifying risk

Talking about risk in the context of testing can sometimes be an abstract exercise. A few years ago, James Bach shared a model with me on how to make it more concrete.

Risk Model

It can be helpful to work the model from either direction. Sometimes, you can start with a specific victim or problem and work backwards to identify more general patterns of threats and vulnerabilities. Or you can think of a generic threat and work to come up with as many victims as you can.