This blog entry was originally written by Alex Hutton.
So I’ve been working on something for a while, with the intent to have it be a SIRA work of art - available to the community via SIRA for IRAs to use and abuse.
The idea is relatively simple - take a “Fish” or Ishikawa Diagram for root cause analysis - and apply it to information risk.
So instead of production/manufacturing’s categories of People, Methods, Machines, Materials and so forth, all I did was apply VERIS categories of incident classification - and added a “Controls” tree.
You can grab the PDF version, Visio version or OmniGraffle version. I’ve been using it personally for a while, and while it’s not really earth-shattering, perspective-changing, risk model-arama - I have found that it can be really useful, almost a risk analyst’s Swiss Army knife.
Please let me know what you think. With this post I give it to you, the Society. If we find it useful - then I hope you’ll encourage others to come to the Society to learn more.
With that - it’s very 1.0. The control branch especially, I’m not proud of. Other considerations (frequency, strength or amount) aren’t quite there for all the trees. But I’d like and appreciate your help if you want to give it.
Google Docs version by Brian Livingston