In FAIR risk management, numbers don’t lie. A quantitative approach in solving potential problems uses precision and structure to its advantages. Information risk may be a complicated subject to tackle, but with the help of FAIR, this can be understood in business or financial terms.
History of FAIR
Jack A. Jones developed the risk management framework that became FAIR or Factor Analysis of Information Risk. It has evolved into a measuring and analytical system for understanding operational and cybersecurity risk.
This analysis includes the evaluation of available options that can cause risks in an organization. Explanations of the analysis are also provided. Conclusions that arise from these findings are defensible.
Jones created the book Measuring and Managing Information Risk, a FAIR Approach to detail this risk management framework’s specifics. With its induction in the Cybersecurity Canon, the book has cemented its place as a bible for information risk managers.
To create FAIR risk management practices, the FAIR Institute was created as an expert non-profit organization. It is dedicated to advance the discipline of measurement and management of information risk.
They can also provide organizations with resources on innovations and best practices.
The Framework of FAIR
Logic is the primary feature of Factor Analysis of Information Risk. It starts with an ontology of factors that comprise risks. It then delves into the various relationships of these risks with each other.
Quantification is the next crucial element of the framework. There are various means to conduct FAIR risk analysis:
- A mathematical simulation of risk relationships with measurable factors with the use of a computational engine. The Monte Carlo Analysis is an example of this.
- The building and analysis of risk scenarios using a scenario modeling construct.
The Pitfalls that FAIR Risk Management Can Avoid
Risk analysis with no system in place will not effectively respond to situations that can drastically affect an organization. Here is a rundown of potential scenarios that FAIR can prevent:
- Disjointed internal communication
- Poor management scales
- Incorrect mathematical estimates
- Less focus on the probability of scenarios
- Inferior definitions of scope
- Substandard determination of risk relationships
The correct FAIR framework is essential to getting optimum results. Below is a flow chart of an effective system in place:
- Accuracy of the factor analysis model.
- Vital statistics for measuring risks.
- Comprehensive comparisons of data.
- Decisions based on correct information.
- Risk management anchored on cost efficiency.
Focus on Assets
When it comes to risk management, an asset is defined as anything that can be affected and less valued. It can also be any object or possession that can cause liability in an organization when managed improperly.
The risk is determined in the FAIR framework as the probable frequency and magnitude of a future loss tied to these assets.
Six Types of Losses
The losses that risk management is trying to avoid can be classified into various categories:
- Response. These are resources that are wasted after responding to an incident.
- Replacement. This is the cost of substituting a damaged or compromised asset.
- Productivity. These are losses that occur to create services of goods because of a realized risk.
- Fines. These are legal procedure costs that originate from an adverse event.
- Competitive advantage. Lost opportunities that arise because of security incidents.
- Reputation. This refers to the negative impact that a corporate brand suffers because of a loss.
Handling of Threats
A threat is a force that can directly interact and harm assets to cause a loss. They can either be an agent or a community. Threats are the subject of risk analysis.
Agents are typically grouped into Threat Communities. Analysis of these communities can result in a better system of evaluation of loss magnitude. These are the various ways threats can affect assets:
- Disclosure. This refers to a threat that enabled other unauthorized access to the vital data of an asset.
- Access. This is the exposure of an asset without sufficient credentials.
- Misuse. This pertains to the tampering of an asset and using it differently other than its intended design.
- Modification. This is what happens when there is an unauthorized configuration of an asset.
- Access denial. This is the modification of an asset that blocks legitimate users from accessing the asset.
The following are noted examples of threat communities as documented in the past:
An effective strategy against these threat communities is profiling. It is a technique that enumerates the typical characteristics of an organization for better guidance. Some capabilities that can be noted in a threat community include motivation, risk tolerance, collateral damage, targets, and sponsorship.
The Quantification of Risks
With its focus on analysis, FAIR makes it easier to understand risk by applying mathematical principles. By treating risk as numbers, experts will have a better time finding these risks’ relationships.
It is essential to understand several terminologies that are associated with Factor Analysis of Information Risk.
- Possibility. It is a simple binary wherein a situation will happen, or it will not.
- Probability. This is the continuum between certainty and impossibility.
Risk management does not talk in terms of possibility. It deals with probability out of a specific set of events. An example of this is the rolling of a dice. At most, there are six probable outcomes when it lands. The probability of an outcome is one for every six.
It is important to note that probabilities are not predictions. Even if there are six probable outcomes for a dice’s landing, the analysis can’t predict where it will land.
Numerical terms that are involved in risk management must be expressed both with accuracy and precision. Consider the difference:
- Accuracy. This is the ability to supply the correct information.
- Precision. This pertains to the ability to be exact.
Precision does not create any estimates and expresses numerical values as it is. This does not mean the value is accurate. This is why quantification aims to get the accuracy first and endeavor to express the data as precisely as possible.
Measurements and the Clarification Chain
For risk measurements, several pointers are encapsulated in the clarification chain. For instance, if the risk aspect is essential, there will be a means to observe or detect it.
Loss Event Frequency
Measurements are defined in the FAIR framework as a reduction of uncertainty that can be quantified. The measurement does not have to be perfect, but it has to be accurate and precise to create an informed decision.
If the situation can be detected, it can be registered as a measurement or as a range of possible amounts. Ranges tell a narrative of the potential of the risk. It provides guidance about the extent of probabilities.
What are the examples of loss events? For instance, if the perceived threat agent is a hacker or a cybercriminal, the probable loss is the loss of sensitive company information.
The correct way to gauge the frequency of this loss event is to measure how likely it can happen in a year.
This quantifies the probability of the threat agents or community gaining access or contact with the asset. It can either be a logical or physical contact.
There are typically three means by which threat agents establish contact with assets:
- Intentional targeting
- Synchronization with a routine
- Random attack
Probability of Action
Once the threat agent has made contact, the probability of action tackles the likelihood that an effort will be made against the asset.
This measurement only applies to threat agents and communities that can think, reason and rationalize. It does not encompass random acts of nature, such as calamities or catastrophes.
The driving factors behind the probability of action include the following:
- Value of the threatening action from the perspective of the threat agent
- Level of effort or cost to complete such undertaking
- The risk faced by the threat agent
This quantifiable measurement expresses the probability that an agent’s action will result in a significant loss.
This is measured in terms of percentage. For instance, an asset in the direct line of a hurricane has a 100 percent probability of incurring a loss. There is a 100% probability that a broken lock is vulnerable to physical tampering.
A robust risk management program will yield measurements such as the following on the other end of the spectrum. A strong password has a 1% probability of being hacked using brute force techniques.
Threat Capability and Difficulty
These are another subset of risk measurements that fall under vulnerability.
- Threat Capability. This discusses the skills and resources of a threat agent or community. It is usually expressed on a percentile scale from 1 to 100.
- Threat Difficulty. This is the resistance that a threat agent must overcome to succeed in creating a loss.
These quantifications are a means of gauging how dangerous the risk can be when left to its own devices. Knowing the threat difficulty enables decision-makers to come up with measures to overcome these challenges.
For example, malicious attacks can be presented with resistance controls such as a more complex authentication or better encryption to increase the threat difficulty.
Resistance can come in consistent training for potential human errors, more thorough documentation, or a more streamlined process flow.
This variable is the quantification of the possible effects that will happen should an actual loss will materialize. It can have levels varying from primary to secondary effects, depending on the scope of the damage.
- Primary stakeholders. They are typically the owners of the asset and the primary target of threats. Losses can have a severe impact on the overall health of the asset and the organization as a whole.
- Secondary stakeholders. Even if they are not direct owners of the asset, the secondary stakeholders still stand to be affected should a loss happen. They can also react in a way that can further affect the primary stakeholders.
In the FAIR framework, there is no determined formula for the losses of the secondary stakeholders. They can only be expressed if they flow directly from the primary stakeholders.
The risk analysis in the public perspective is not yet included in this breakdown. A separate computation can be set for public impact.
Informed Choices using Probabilities
A perfect way to combat threats and to secure assets is the ideal scenario. But reality has several unpredictable complexities. FAIR offers a systematic way of defining and measuring the probabilities to develop intelligent decisions and contingencies.
By understanding the frequency and magnitude of loss presented by threat agents or communities, organizations can craft a strong defense against significant losses.
As discussed, precision is desired, but it is challenging to have an exact pinpointing of risks. Accuracy is the more critical aspect of managing risks. It is best to get it right to have informed choices.
The Workflow of the FAIR Framework
The Factor Analysis of Information Risk (FAIR) framework offers a logical approach to understanding and responding to risk. In a nutshell, it provides the following guidance for decision-makers:
A taxonomy and detailed nomenclature for the different aspects of information risk. By defining standards, a baseline is set for problem-solving.
- A system of measuring the factors that comprise risks such as threats, vulnerability and loss magnitude.
- A computational methodology to understand the relationships of the risks
- A simulation model that lets us apply the taxonomy, measurements and computations as a reference to actual situations.
Expert Guidance in FAIR Training
RSI Security has years of experience and expertise to implement the best practices of FAIR risk management. Our team understands that organizations are built on hard work and keeping its security should be a top priority.
Significant penalties and losses can be avoided by appropriately managing risks. This is why it is essential not to leave anything to chance. When it comes to risk management, let our team of experts protect the security of your organization.