A fun way to get a room talking about potential issues and challenges (haha),a group thinking and a journey of expanding thoughts, to concerns and considerations for a satisfying cup of tea...

This can be an excellent pre-workout for getting heads in the right space for the real target (whatever that important project is called) the group will learn and feel value in their participation in bringing a new angle to a risk or concern, however useful, creative or not.

What can go wrong when making a brew ?

Don't do the work for them, but nudge them into the gaps if they feel they've exhausted their thinking

Here's where I got too... (incase you need fodder)

Threat Identification

• Hot Water: The risk of scalding oneself if not handled carefully.
• Teabag: The possibility of using expired, counterfeit or contaminated tea leaves.
• Sugar: The potential health risks associated with excessive sugar consumption, content quality, (cutting sugar with another compound).
• Milk: The chance of using spoiled, contaminated or expired milk.
• Spoon: The risk of accidentally ingesting foreign objects if not properly cleaned.
• Kettle: The danger of electrical hazards or malfunctioning equipment.
• Tea Cup: The possibility of using a fragile or cracked cup that could cause injury or bad design that makes it unbareable to hold.

Risk Assessment

• Hot Water: Implementing measures to prevent burns, such as using heat-resistant containers and handling tools.
• Teabag: Ensuring the tea leaves are sourced from reputable suppliers and regularly checking for expiration dates, authenticity and contamination free assurances.
• Sugar: Encouraging moderation and providing alternative sweeteners for those with dietary restrictions, ensuring the sugar is sourced from reputable locations, sample testing and external validation of content quality, or certification.
• Milk: Regularly inspecting and monitoring milk quality, and promptly discarding any spoiled or contaminated products.
• Spoon: Promoting proper cleaning and sanitation practices to minimize the risk of foreign object ingestion.
• Kettle: Regular maintenance, electrical safety checks, and having backup equipment in case of failure.
• Tea Cup: Using sturdy and non-toxic cups, inspecting for cracks or damage before use and make sure that the cups are tolerant to an appropriate amout of heat.

Sourcing of Raw Materials

• Hot Water: Ensuring access to clean and safe water sources.
• Teabag: Establishing relationships with tea suppliers from diverse regions to mitigate risks associated with regional challenges, such as climate change, agricultural issues, and logistics disruptions and buyer lockins.
• Sugar: Diversifying sugar sources to reduce dependency on specific regions and address challenges related to global warming, agricultural practices, and supply chain vulnerabilities.
• Milk: Implementing quality control measures and contingency plans to address issues related to milk production, transportation, and storage, considering factors like climate change, animal health, and regional conflicts.
• Spoon: Ensuring the use of high-quality materials and establishing supply chain transparency to mitigate risks associated with geopolitical tensions, trade disputes, and counterfeit products.
• Kettle: Identifying reliable manufacturers and suppliers, considering factors like product safety standards, geopolitical risks, and potential disruptions in the manufacturing process.
• Tea Cup: Collaborating with reputable ceramic or glassware producers, considering factors like material sourcing, manufacturing practices, and potential challenges related to regional conflicts or trade restrictions.

Economic and Operational Considerations

• Cost and Changing Cost: Regular monitoring of market prices and employing hedging strategies to manage financial risk due to price volatility.
• Buying in Bulk: Balancing bulk purchasing advantages with potential risks such as spoilage and storage issues through optimized inventory management.
• Rate Limiting: Establishing buffer stocks and maintaining flexible supplier agreements to manage demand spikes effectively.
• Insider Threats: Implementing strict security measures like access controls, regular audits, and employee training to protect against intentional or negligent harm from insiders.

Business Continuity

• Developing contingency plans for raw material shortages, geopolitical tensions, natural disasters, and other unforeseen events that may impact the availability and quality of hot water, teabags, sugar, milk, spoons, kettles, and tea cups.
• Establishing alternative sourcing options and maintaining relationships with multiple suppliers to ensure a consistent supply chain.
• Regularly reviewing and updating business continuity plans to adapt to changing geopolitical, environmental, and economic conditions.
• Collaborating with industry associations, experts, and relevant stakeholders to stay informed about emerging threats and best practices in the tea-making industry.

Responsibilities Mapping

Every business function plays a role in mitigating risks and ensuring safety. Imagine yourself in a leadership role—where would you allocate responsibility, and why? Could cross-functional teams share ownership of safety outcomes? Gamify your decision-making by considering potential outcomes of different allocation strategies.

Drawling a line

I know the list is a bit overkill, for example the procurement of materials isn't really the responsibility of the person 'making the brew' but it is a responsibility for someone if the ability to have a brew and make one is to exist.

You'll notice I didn’t mention smart-kettles or smart-fridges—I could go on. The point here was to take a simple task and highlight how, at a high level, "just make a cup of tea" is technically accurate, but only scratches the surface. Where a high-level design (HLD) exists, a low-level design (LLD) must follow. Whether it gets the attention it deserves is another matter, accountability is important, as is accuracy of that accountability.

The real understanding lies in understanding whatcan be done, what should be done, and what isn't viable. Everything we covered above exists beyond just cyber (my usual domain), yet its impact and effects ripple into it. The key takeaway? These challenges belong to someone, and responsibility must be assigned accordingly, get that shit down on record, if it's someone's responsibility, make sure they know it is, if they have too much work, you're doing them a favor by pushing that conversation they need to have about additional resource, don't feel bad for overloading teams, it's exactly what they need to have the conversation of growth and the budget needed.

We all know the saying 'not my monkey, not my circus' but often it's closer to 'not my monkey but my circus'

Excellent Threat Model resources

How to approach threat modeling | Amazon Web Services

April 25, 2023: We’ve updated this blog post to include more security learning resources. August 3, 2022: Conclusion updated to reference the AWS “Threat modeling the right way for builders” workshop training. February 14, 2022: Conclusion updated to reference the companion “How to approach threat modelling” video session. In this post, I’ll provide my tips […]

Amazon Web Services

Threat Modeling - OWASP Cheat Sheet Series

Website with the collection of all the cheat sheets of the project.

logo

Threat Modelling

How threat modelling can help inform risk management decisions and cyber security risk management control choices.