Risk Appetite Generator

One of the first questions to ask a client when starting a risk journey with them is what their Risk Appetite is. Sometimes this is an organisational question and sometimes it is a system-based one. But always it is a problem.

These appetites are usually six or so discrete statements which fit onto an intuitive scale. Yeah, right.

Recently a client showed me their risk appetite statements and the thing that immediately stood out was that they had one of the appetites at ‘minimal’ and yet it was not the lowest possible setting. I must admit, I wasn’t expecting to hit a Rule 1 violation with a single-word statement, and so the pointlessness of the scale gave us comedy gold.

So, the Risk Appetite Generator was born.  As with many of my generators, you can add ?help to find out what settings you can muck about with.

Before you ask, the risk appetites of that client are in the generator.

Daily Enigma Settings

Just what every self-respecting crypto nerd needs: a random set of Enigma Settings. Driven by a very good Brownian motion source aka a really hot cup of tea. Will provide a four-rotor selection and sequence, outer ring selection, reflector selection and plugboard settings. Not pretty. But random.

Enigma Settings

Excuse Generator

Look, we all have a bad day sometimes and just need to stay foetal in our pits.  ChatGPT is offline and you need an excuse for the day.  I can help with that!

You need (you do not need) the Excuse Generator!  It’s probably best if you do not actually deploy any of these in a battle situation. If you have seen any of the other generators, you will already know how useless this is.

Protective Marking Bingo Generator

The UK government is famous for strange and hard to understand protective marking systems.

The Government Protective Marking Scheme (GPMS) gave way to the Government Security Classification (GSC) in 2013.

At first blush, the reduction from six classifications to just three seemed like a good move.  But they added caveats and handling instructions and sub-classifications, so that the OFFICIAL tier actually dissolved into a series of winces, shrugs and head-scratching when considering applicable security controls.

In honour of the tenth anniversary of the introduction of the GSC (which, by the way, some government departments and arm's-length bodies have still not implemented), I present to you the Protective Marking Bingo Generator.

Conspiracy Theory Generator

Some people will believe anything, literally anything.  People so stupid, it is amazing that they remember to breathe. Sadly, they do still seem to be able to pass the procreation practical exam.

Just in case you know just such a person who believes that the world is flat, or that man has not walked on the moon, here I offer you a conspiracy theory generator.

Obviously, it generates utter bollocks, but you could probably sell these to a newspaper or even hook in a flat earther long enough to delay them reproducing.

Huntsman Defence Grade Security Information and Event Management

Chuckles Today. SIEM provider Huntsman are still shipping software agents with the two-year-old log4j vulnerabilities, meaning that your overall inherent risk position is *worse* with their solution than not bothering at all. Huntsman's response when you ask them why they are shipping critically vulnerable software is to say that it’s not exploitable. Oh, that’s okay then, as long as vendors make ‘not vulnerable’ claims, then the whole world is safe again. Customers should ask them if they will indemnify losses incurred if they do get exploited and then see how long it takes Huntsman to ship code without two-year-old CRITICAL vulnerabilities 😉

Rule #1: Huntsman Defence Grade Security Information and Event Management: Not defence grade, not secure, doesn’t raise events about its own issues, doesn’t provide information about its own issues. Not much left in that product name after fixing the violations: “Huntsman mm m mm m m mm m”.