Archive 27/02/2024.

Tackling security with Wardley Maps


Keeping your company data safe and secure is not an easy task. There are known threats that have well-established standard counter measures, and there are unknown threats, for which we can only prepare in a general way.

It is apparent that unknown threats are uncertain by their nature; we have no clue what they are and how often they can appear. More than that, we cannot predict what will be the damage.

On the map below, you can find a map addressing a number of threats from a security perspective. They form a pipeline meaning that once identified they get more mature (both in terms of hackers sophistication and known counter measures).

In this way, you can easily identify the most critical components - they are those that protect you from most threats. However, implementing all of the security measures will make you only as safe as the industry is. You will not be less vulnerable than your competition.

If you want to be that secure, you need to look at each threat (as on the map below) and identify what is a given exploit constraint. It may be time, it may be computing power or something completely else.

Once you know that, you can design a protective measure that will require substantial use of that component. Think of adding 60 seconds delay after a password is incorrectly typed 3 times - it annoys a few users, but effectively kills most brute force algorithms.

In that way, you can be better than the industry; attacking you will be just economically unreasonable.

Best regards,


Wardley Maps are not only about improving your thought process, but also about collaboration and faster & better communication. This is the feedback I got:

Security from unknown threats is a bit of a masquerade since one of the fundamental truths of the universe is “nothing can protect you from the unk unk.”

— Tál M. Klein (@VirtualTal) April 5, 2018

Instead, consider a map about what is being secured (irather than what it’s being secured from). Are you protecting the endpoint? User identity? User data? The network? Etc... Then, think about where you’re protecting it. At the perimeter? In the cloud? At rest? In motion? Etc...

— Tál M. Klein (@VirtualTal) April 5, 2018


Looked at this a while ago. Possible to map user defensive needs and adversary attack needs, mapping the two together was problematic. More work required on this. Possibly something to learn from multi-agent influence diagrams combined with the directionality of maps.

— Phil Huggins (orac) (@oracuk) April 4, 2018

The first two comments seem to be right on the spot. Indeed, unknown unknowns are not as easy to prevent from happening as I presented in on initial maps, and focusing on what is being protected and where may be the best approach here.

The last comment shows that it is difficult to track a relationship between your company defence plan and hacke value chains. The point is that hacker constraint has to be identified, countermeasure created, and then incorporated into the defence plan.

That looks like something I should implement in the tool (one day GitHub - LeadingEdgeForum/atlas2: A new mapping tool, this time by LEF).


Related links:


And here is a much better approach by Tony Richards