βFortunately/unfortunatelyβ comes to us from improv comedy, and works surprisingly well in threat
modeling. Someone says, βfortunately, X,β and someone else replies, βunfortunately, Y,β and the exercise
continues back and forth. For example, βFortunately, weβre encrypting all this data!β βUnfortunately, we
store
the key in the same directory!β
The fortunately/unfortunately structure provides an opportunity for both playful and serious exploration,
within a very quick demonstration (βtrainingβ) in how it works.
patients can see their medical images online now.
everyone else can, too.
we have a login.
it can be cracked easily. we have brute-force protection.a random code with 15 digits from A-Z, 0-9 is good enough.
patients forget the code.
they have a paper printout.
the printout is given to the wrong person.
healthcare professionals are trained to check the patient's identity before
they handout the printout.an opportunist gets access when they lose the printout.
we have the birth date as another authentication factor.
that won't deter people in the same household.
most people live with people they trust or are well aware that they
have to protect their secrets.
Paths in a tree?
This presentation introduces a way to look at π Fortunately β π Unfortunately,
that
it is basically exploring a
path in a π Fortunately β π Unfortunately tree, where the conversation might
have
unfolded differently at each
node. π
Fortunately β π Unfortunately trees are similar to
attack-defense trees, but
different. In a conversation, the tree is implicit. We need natural language to trace back.
π Super powers
Here's some super powers of π Fortunately β π Unfortunately:
it can be "trained" in 1 minute.it is fun and playful.it is good at finding acceptance criteria for mitigations.it is good at considering mitigation bypasses.it can consider all kinds of "What can go wrong?", not just security.it can unleash the power of language and import all kinds of repertoire. Examples ahead:it can import likelihood considerations by saying
this will never happen.
and challenging Unfortunately to show why this is worth addressing.
it can import feasibility considerations by saying
we won't be able to ship this fancy mitigation together with the feature.
and challenging Fortunately to provide feasible and good enough security.
it can import training and knowledge acquisition by saying
we don't know how to build that kind of thing.
and challenging Fortunately to demonstrate learning opportunities.
π Downsides debunked π
Here's some disadvantages of π Fortunately β π Unfortunately and some ideas how
to
overcome them:
it needs two or more players and I don't have any friends.
it can be played by one player who is good at dialectical self-talk.almost everyone can be a player.you can certainly find one friend if you try.it can't threat model a system that is big enough so that I care.
it works in an Incremental Threat Modeling scenario where we threat model a small increment with a
narrow scope, which is a realistic scenario, especially with a "threat model every story"
approach.it can be used in a Divide & Conquer approach as a Conquer strategy and let the Divide strategy
reduce the scope until it works.it is not the only threat modeling method that exists.it is still good as a starter drug for threat modeling.it is unstructured.
it can be combined with structured approaches, like STRIDE, to provide some guidance. For example, we
might scope upfront that we want to discuss availability.it is transient and easily forgotten.
we can have a transient conversation and still capture the essential learnings.it can be operated as a collaborative writing exercise.it can be recorded, transcribed and post-processed.it needs to be drawn as a tree when written down.
it can be presented flat, when different branches are not that important.we can present a tree as text with indentation like seen here.it is sometimes hard to stick to the system and have a single conversation.
we can have multiple conversations / a forest of trees.it is not directly obvious what are good conversation starters.
we can start with features we devolop, like
now we can X...
or with problems that were reported.
it mixes essentials with ideas, may have irrelevant paths and include wrong turns.
it can be seen as an input for actual decision what is relevant, kept and done.in a transcribed conversation, we can mark relevant things bold or strike-out irrelevant things.it may be too playful for some people to be taken seriously.
we can demonstrate its value by introducing it with a real example from a familiar domain.it lacks obvious support how to easily trace back.
Unfortunately can always jump to a more promising branch by saying
there's another problem: Z
when the current branch is a winning branch for Fortunately.
it is kind of DFSy (depth-first-search-y) when it should better be BFSy (breadth-first-search-y).
that is not a problem when we operate it as a writing exercise.the tree doesn't fit in our head, so we can't backtrace easily and may forget some branches.
???
Conclusion / TL;DR
π Fortunately β π Unfortunately is an exciting method that is particularly
impressive due to its light weight. To operate it seriously,
it needs a few more ingredients: How is it embedded? How do we explore the relevant
branches? How are the results processed? It also works as a collaborative writing exercise that explores
π Fortunately β π Unfortunately forests.