Are you tired of risk assessments that feel like endless, fruitless expeditions? Do you dream of a world where security, privacy, and compliance work together seamlessly, instead of clashing like cymbals in a marching band? Then, it's time to ditch the outdated approaches and embrace the Includes No Dirt threat modeling framework—a surprisingly agile and effective method for simplifying risk management and focusing your team's efforts where they matter most.
From Frustration to Framework: The Birth of "No Dirt"
The Includes No Dirt model didn't emerge from an ivory tower, but from the trenches of a digital healthcare company, Omada Health. Bill Dougherty, Omada’s CISO, and Patrick Curry, VP of compliance, found themselves wrestling with traditional threat models that were either too narrow (like STRIDE, focused on technical threats) or too siloed (like LINDDUN, concentrating on privacy). They needed a comprehensive, yet nimble approach to tackle the complex, interconnected risks in healthcare. So they created their own in 2019.
Existing models didn't cut it: STRIDE focuses on technical aspects such as spoofing, tampering, and denial of service, while LINDDUN is more focused on privacy issues such as linkability, identifiability, and data disclosure. Dougherty and Curry needed a model that could handle the dynamic interplay of security, privacy, and compliance, especially within the healthcare industry. They also needed something that was fast and repeatable. Their goal was to model a system that could be anything from a new app to an entire M&A target, and to do it quickly.
The Power of "Yes" or "No": How to Speed Up Your Risk Assessments
The brilliance of the Includes No Dirt model lies in its simplicity and speed. Instead of lengthy, open-ended questionnaires, it employs a series of targeted, "yes" or "no" questions to evaluate whether a system meets established controls and standards. Think of it like an object-oriented approach: if a new SaaS vendor integrates seamlessly with your existing, robust multi-factor authentication system, you don't waste time re-modeling that specific component. This allows CISOs and their teams to focus on new and complex areas rather than reinventing the wheel.
This approach isn't just about speed; it's about consistency and repeatability. Whether you're assessing a new application, network infrastructure, or a potential merger, the model provides a consistent methodology to capture risk in a structured, repeatable, and scalable manner. It is also very flexible. The model can be applied to:
New applications
Network infrastructure
SaaS vendors
Mergers and acquisitions
Third party vendors
Prescriptive Recommendation for CISOs:
Implement a "yes/no" question-based system: CISOs should transition their risk assessment processes from open-ended questionnaires to structured "yes/no" questions based on pre-existing controls, ensuring consistency and speed.
Establish a central repository: CISOs should establish a repository with a list of systems, vendors and M&A targets, which can be easily updated and tracked.
Beyond the Technical: Incorporating Privacy and Compliance
While rooted in technical security, the Includes No Dirt model recognizes that security does not exist in a vacuum, so it incorporates privacy and compliance as well. This makes the model especially useful in regulated industries like healthcare. The model's output is designed to be human-readable, ensuring that all team members (technical and non-technical) understand a system's key goals and principles. This facilitates cross-functional collaboration and breaks down the silos that often plague risk management.
The model uses a scoring mechanism where lower scores indicate a lower risk. This allows CISOs to triage their efforts and concentrate on high-risk areas. The model's creators emphasize that the purpose is not to replace compliance frameworks. Rather, the model assesses systems against an organization's internal control framework, which, in turn, is guided by compliance requirements. For example, because HIPAA requires encryption at rest and in transit, the model includes related questions.
Prescriptive Recommendations for CISOs:
Integrate compliance requirements: CISOs should ensure that their risk assessment models are directly tied to their regulatory obligations. This could include HIPAA, PCI DSS, or other relevant standards.
Promote cross-functional training: CISOs should promote training programs that teach a risk taxonomy, enabling technical and non-technical personnel alike to communicate about risk using the same vocabulary.
Decoding the Acronym: The 14 Pillars of "No Dirt"
The acronym "Includes No Dirt" is not just a catchy name; it represents 14 key areas that should be considered during a risk assessment:
Identifiability: (Privacy) Ensuring data cannot be used to identify an individual.
Non-repudiation: (Privacy) Preventing denial of actions.
Clinical error: (Compliance) Avoiding mistakes in healthcare processes.
Linkability: (Privacy) Preventing the connection of different data sets to reveal information.
Unlicensed activity: (Compliance) Preventing activity from those without proper credentials.
Denial of service: (Security) Ensuring system availability.
Elevation of privilege: (Security) Preventing unauthorized access.
Spoofing: (Security) Preventing impersonation.
Non-compliant to policy or obligations: (Compliance) Adhering to company policies.
Overuse: (Compliance) Using only the necessary amount of data.
Data error: (Security) Maintaining data integrity.
Information disclosure: (Security) Protecting data confidentiality.
Repudiation: (Security) Preventing denial of actions with a security focus.
Tampering: (Security) Preventing unauthorized data modification.
The model also includes a "miscellaneous" category for risks that don't fit neatly into the acronym, such as physical, environmental, criminal, and disaster risks.
Prescriptive Recommendation for CISOs:
Customize and adapt the model: CISOs should customize and adapt the "Includes No Dirt" acronym to include risk concerns that are specific to their organization and industry.
Incorporate emerging risks: CISOs should proactively incorporate emerging risks like AI into their threat models.
Third-Party Risk: Turning Questionnaires Into Action
The Includes No Dirt model is particularly effective for third-party risk management. In today's world, where organizations rely heavily on SaaS vendors, assessing vendor risk is paramount. The model provides a way to evaluate and score vendors, identifying potential issues before a contract is signed. The model helps to streamline those dreaded security questionnaires. Instead of asking a laundry list of questions, it focuses on questions that could lead to a business decision.
Prescriptive Recommendations for CISOs:
Prioritize meaningful questions: When evaluating vendors, CISOs should focus on questions that would genuinely affect their business decisions, rather than asking generic questions that don't elicit meaningful answers.
Use risk assessments for negotiation: CISOs should use the insights from the risk assessment process to negotiate better terms and conditions with vendors, such as data locality or authentication requirements.
Use a risk scoring mechanism: Implement a risk scoring system so that vendors can be ranked from riskiest to least risky.
Use a checklist to evaluate vendors: Use a simple checklist or questionnaire when evaluating vendors to maintain consistency.
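The yes/no scoring, component reuse and vendor ranking described above, as an added example that is not code from the Includes No Dirt paper or from Omada Health; the control questions, their weights and the two sample vendors are constructed assumptions, and the scoring keeps the paper's convention that a lower score means lower risk:

```python
# Added example (not the paper's or Omada Health's code); questions, weights and vendors are constructed.
from dataclasses import dataclass, field

@dataclass
class Control:          # one yes/no question tied to an Includes No Dirt category
    category: str
    question: str
    weight: int = 1     # points added when the answer is anything but 'yes'

@dataclass
class Assessment:       # a system, SaaS vendor or M&A target
    name: str
    answers: dict = field(default_factory=dict)  # question -> True/False
    reuses: list = field(default_factory=list)   # already-assessed components

    def answer(self, question):
        # Own answer first, else inherit from a reused component (no re-modeling of shared MFA)
        if question in self.answers:
            return self.answers[question]
        for comp in self.reuses:
            found = comp.answer(question)
            if found is not None:
                return found
        return None     # never answered anywhere: a gap to follow up

def score(assessment, controls):
    """Total and per-category score (lower = lower risk); gaps count as 'no'."""
    per_cat, gaps = {}, []
    for ctl in controls:
        met = assessment.answer(ctl.question)
        if met is None:
            gaps.append(ctl.question)
        per_cat[ctl.category] = per_cat.get(ctl.category, 0) + (0 if met else ctl.weight)
    return sum(per_cat.values()), per_cat, gaps

def rank_riskiest_first(assessments, controls):
    return [a.name for a in sorted(assessments, key=lambda a: -score(a, controls)[0])]

# Constructed control set covering four of the fourteen categories.
CONTROLS = [
    Control("Spoofing", "MFA enforced?", 3),
    Control("Information disclosure", "PHI encrypted at rest and in transit?", 3),
    Control("Overuse", "Minimum necessary data only?", 2),
    Control("Repudiation", "Audit log of who did what?", 1),
]
MFA_SYSTEM = Assessment("corporate MFA", {"MFA enforced?": True})
VENDOR_A = Assessment("vendor A", {"PHI encrypted at rest and in transit?": True,
                                   "Minimum necessary data only?": False}, reuses=[MFA_SYSTEM])
VENDOR_B = Assessment("vendor B", {"MFA enforced?": False, "Audit log of who did what?": True,
                                   "PHI encrypted at rest and in transit?": True})
```

Unanswered questions are reported as gaps and scored as "no", so a vendor that skips a question never scores better than one that answers it honestly.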
AI's Brave New World: Adapting to the Unknown
The security landscape is constantly evolving. The model is being adapted to incorporate emerging risks related to AI. Traditional security practices are being challenged by model training, which requires real data, blurring the lines between development and production. This means CISOs need to consider how to protect sensitive data when training AI models, and how to address the "minimum necessary" principle, which says that only the minimum necessary data should be used for a specific purpose.
Prescriptive Recommendations for CISOs:
Rethink traditional development: CISOs should re-evaluate traditional development practices to incorporate AI model training, especially when training data involves sensitive or private information.
Determine data minimization: When training AI models, organizations must establish what constitutes the minimum necessary amount of data.
It’s Your Model: Making It Work for You
The Includes No Dirt model is not a rigid, one-size-fits-all solution, and is designed to be easily modified by anyone. It's intended to provide a starting point for organizations to customize it to their specific needs. Think of it as a "choose your own adventure" framework that guides you to analyze risks and adapt the model to your environment.
One of the key takeaways from the creators of the model is the importance of using a solid and shared taxonomy. Compliance and security teams often use the same words with different meanings. Having a common language is key for repeatable and scalable modeling. For example, it’s critical to distinguish between threats, vulnerabilities, and risks. According to the model, a threat is an actor, while a vulnerability exposes an asset to a threat, and an attack vector is the method the threat uses to attack a vulnerability.
Prescriptive Recommendations for CISOs:
Develop a risk taxonomy: CISOs should develop a comprehensive taxonomy of risk terms within their organization, so that everyone has a common understanding of key terms like threat, vulnerability and risk.
Encourage active participation: CISOs should encourage their teams to use, modify, and improve upon the Includes No Dirt framework to make it more effective for their unique situations.
Take the Leap: Start Ditching the Dirt Today
The Includes No Dirt model offers a practical and powerful way to streamline risk assessments, especially for those who are still relying on outdated and inefficient methods. By focusing on repeatability, speed, and adaptability, this model is a game-changer for any organization looking to enhance security, privacy, and compliance.
Ready to stop chasing shadows and take control of your risk? Download the full paper at http://www.includesnodirt.com/nodirt.pdf and discover a new era in risk management.
Big Thanks to our Sponsors:
ZeroPath - https://zeropath.com/
CruiseCon - Use code CISOTRADECRAFT10 at https://cruisecon.com/ for 10% off registration!