What could break it (vulnerability identification)
Duration: 45-60 minutes
Materials: Asset cards from previous exercise, new cards for vulnerabilities, markers
The exercise
For each critical asset, identify specific ways it could fail, be compromised, or become unavailable.
Step 1: Pick an asset (5 minutes)
Start with your most critical asset. Focus on one at a time.
Step 2: Brainstorm vulnerabilities (15 minutes per asset)
Ask: What could go wrong? Think about:
Technical weaknesses: Unpatched systems, weak authentication, no backups, single points of failure, insecure configurations
Process failures: No change control, missing documentation, inadequate testing, poor access management
Human factors: Lack of training, social engineering susceptibility, mistakes under pressure, key person dependencies
External threats: Supplier failures, cyber attacks, natural disasters, regulatory changes, market disruptions
Write each vulnerability on a card. Be specific: “No MFA on admin accounts” not “weak security.”
Step 3: Reality check (10 minutes)
For each vulnerability, ask:
Does this actually exist? (Verify, don’t assume)
Can this realistically be exploited?
Have we seen this happen before (here or elsewhere)?
Remove theoretical or irrelevant items. Keep real, current vulnerabilities.
Step 4: Group by type (10 minutes)
Cluster vulnerabilities:
Technical/infrastructure
Process/operational
People/awareness
Third-party/external
Step 5: Repeat for other critical assets
Work through your top 5-10 assets. You don’t need to analyse everything; focus on what matters most.
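A small script can hold the cards from Steps 1-5 in a structured form and apply the reality check and grouping for you, which is useful when the output has to survive beyond the workshop wall. The example below is added here and is not part of the original exercise; the Card fields, the vague-phrase list, and the sample cards are all assumptions constructed for illustration, not real findings.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four groupings used in Step 4.
CATEGORIES = ("technical", "process", "people", "external")

# Phrases that signal a card is too abstract to act on ("Too abstract" pitfall).
VAGUE_PHRASES = ("weak security", "poor security", "bad security", "no security")


@dataclass(frozen=True)
class Card:
    asset: str          # critical asset from the previous exercise
    description: str    # one specific vulnerability, e.g. "No MFA on admin accounts"
    category: str       # one of CATEGORIES
    exists: bool        # Step 3: verified to actually exist, not assumed
    exploitable: bool   # Step 3: realistically exploitable
    seen_before: bool   # Step 3: observed here or elsewhere


def is_specific(description: str) -> bool:
    """Reject cards that only say 'weak security' and the like."""
    text = description.lower().strip()
    return bool(text) and not any(p in text for p in VAGUE_PHRASES)


def reality_check(cards):
    """Keep only verified, exploitable, specific cards (Step 3)."""
    return [c for c in cards if c.exists and c.exploitable and is_specific(c.description)]


def group_by_asset(cards):
    """Map asset -> category -> list of descriptions (Step 4 output)."""
    grouped = defaultdict(lambda: {cat: [] for cat in CATEGORIES})
    for c in cards:
        if c.category not in CATEGORIES:
            raise ValueError(f"unknown category {c.category!r} on card {c.description!r}")
        grouped[c.asset][c.category].append(c.description)
    return dict(grouped)


def prioritise(cards):
    """Seen-before vulnerabilities first, then by asset and description
    (addresses the 'everything is a vulnerability' pitfall)."""
    return sorted(cards, key=lambda c: (not c.seen_before, c.asset, c.description))


# Constructed sample cards for a hypothetical workshop; not real findings.
SAMPLE_CARDS = [
    Card("Customer database", "No MFA on admin accounts", "technical", True, True, True),
    Card("Customer database", "Backups never restore-tested", "process", True, True, False),
    Card("Customer database", "Weak security", "technical", True, True, False),          # too abstract
    Card("Customer database", "Meteor strike on data centre", "external", False, False, False),  # not verified
    Card("Payment gateway", "Single supplier with no fallback", "external", True, True, True),
    Card("Payment gateway", "Only one engineer knows the deployment process", "people", True, True, False),
    Card("Payment gateway", "Rumoured zero-day in the framework", "technical", False, True, False),  # assumed, not verified
]


def run_exercise(cards=SAMPLE_CARDS):
    """Apply Steps 3 and 4 and return (prioritised cards, grouped output)."""
    kept = prioritise(reality_check(cards))
    return kept, group_by_asset(kept)


if __name__ == "__main__":
    kept, grouped = run_exercise()
    for asset, by_type in grouped.items():
        print(asset)
        for cat, items in by_type.items():
            for item in items:
                print(f"  [{cat}] {item}")
```

With the sample cards, three of the seven are dropped: one for being too abstract and two because nobody verified they exist. The remaining four come out grouped per asset and per type, with the two that have been seen before listed first.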
Output
Vulnerabilities mapped to critical assets
Grouped by type
Verified as current and realistic
Specific enough to address
Common pitfalls
“Too abstract” → “Poor security” becomes “No MFA”, “Unpatched servers”, “No monitoring”
“Missing operational risks” → Include process failures, not just technical exploits
“Everything is a vulnerability” → Prioritise. What is most likely to be exploited?