What is the best option for risk mitigation? Probabilistic analysis. The question shouldn’t be what’s possible, but rather what is most probable. In this educational article, we will unpack risk management, how to evaluate your assets, how to prioritize your threats, and how to use the FAIR risk methodology to limit quantified risks.
What is Risk Management?
Risk management is the science of identifying, evaluating, and prioritizing risks to minimize negative impacts or maximize opportunities. The FAIR Institute defines risk management as “the combination of personnel, policies, processes, and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure.”
Every company is exposed to risk, and dealing with it effectively can become a competitive advantage. The FAIR Institute highlights that your risk management strategy must be cost-effective and quantifiable to gain that edge.
Effective risk management requires one or more quantitative, risk-based objectives. It is impossible to avoid all risk. Leading organizations don’t rely solely on implicit risk management; they practice explicit management by quantifying the asset, the threat, and the risk.
The Value of the Asset
The importance of an asset is determined by either the value it provides or by the liability it could produce. For instance, the data of a well-managed CRM can produce value to an organization in terms of generating revenue. That same information could be a liability if certain personal data is disclosed, leading to legal action.
The FAIR risk assessment defines the value of an asset using the criteria below:
Is the asset critical?
If the asset failed, would it affect the ability of the business to continue providing services to its clientele? There is a great difference in threat allocation between your key service operations and your support operations. If the asset is critical, it needs to be protected accordingly.
What is the cost of the asset?
What is the cost of replacing this asset if it were compromised? The cost of an asset must include everything attributed to its purchase and the cost of putting it to use. Assets of significant financial value need to be weighted more heavily than those that would be cheap to replace.
Is the asset sensitive?
The question here relates to reputational damage. If the asset has the potential to harm the brand, it is of great importance. If sensitive customer information is leaked, the result can be severe. Recently, Zoom had 500+ million user email addresses hacked, and this has caused significant brand damage.
When these questions are left unanswered, an asset can be compromised and lead to a loss. The FAIR risk assessment defines loss as one of the following:
- Productivity losses: when an organization can no longer effectively produce goods or services for its clients
- Replacement costs: financial expense to repair a compromised asset
- Judgment costs: costs associated with legal proceedings deriving from the event
- Lost competitive advantage: where an opportunity is missed due to the incident
- Reputational loss: where a potential sale is lost due to the deteriorating corporate image
The Severity of the Threat
Threats come in many shapes and forms and can affect an asset in a variety of ways. The FAIR risk assessment defines the following as the most common threats:
- Violation of access rights where data can be read without the relevant authorization
- Misuse of the asset without the required authorization
- Disclosing of an asset’s information which allows other unauthorized parties to access the sensitive data
- Unauthorized modification of the asset
- Denial of access/use of the asset which renders the asset useless to the organization
Not every asset is created equal. Therefore, to mitigate risks, you need to understand the consequence of a compromise. For instance, an asset that is critical for production but isn’t sensitive is most affected by a denial of access. Disclosure of its information wouldn’t pose a high threat, as the information is classified as insensitive.
If the asset information is sensitive, it might result in legal issues if the data is disclosed. A healthcare organization, for example, may value patient data. This information isn’t critical for productivity but could be costly if disclosed.
There isn’t one solution that fits all. Instead, you need the right risk management consultants and the FAIR risk assessment to quantify your risks accurately. After all, “You cannot manage what you don’t measure.”
What is the FAIR methodology risk assessment?
The Factor Analysis of Information Risk (FAIR) is a methodology that establishes an accurate probability for the frequency and severity of events.
The FAIR risk assessment does not focus on what risk is possible, but rather on what is most probable given the circumstances. This probabilistic methodology can help organizations understand, analyze, and measure information risk more effectively.
According to the Whitman & Mattord (2013) model.
This assessment aims to create a framework for performing effective risk analysis to strengthen and complement existing processes.
Who needs a FAIR risk assessment?
Organizations with high asset values and severe threat exposure are perfect candidates for the FAIR risk assessment. By combining the probable frequency and the probable loss, one can effectively measure the priority of each threat.
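As an added example (not from this article or the FAIR Institute), the Python below sketches the probabilistic calculation that sentence describes: each threat scenario against an asset gets a calibrated range (minimum, most likely, maximum) for probable loss events per year and for probable loss per event across the loss forms listed earlier, a Monte Carlo run turns those ranges into a distribution of annualized loss, and scenarios are ranked by it. The scenario figures, the triangular sampling distribution, and the independence of frequency and loss are constructed assumptions, not FAIR Institute guidance.

```python
import random
from dataclasses import dataclass, field
from statistics import mean, quantiles

# A calibrated estimate as (minimum, most likely, maximum), sampled here from a
# triangular distribution (an assumption; FAIR tooling commonly uses PERT).
Range = tuple[float, float, float]

@dataclass
class Scenario:
    asset: str
    threat: str                     # one of the threat types listed earlier
    event_frequency: Range          # probable loss events per year
    losses: dict[str, Range] = field(default_factory=dict)  # per-event loss by loss form

def sample(r: Range, rng: random.Random) -> float:
    low, mode, high = r
    return rng.triangular(low, high, mode)

def point_estimate(s: Scenario) -> float:
    """Most-likely annualized loss: frequency mode times the sum of loss modes."""
    return s.event_frequency[1] * sum(r[1] for r in s.losses.values())

def simulate(s: Scenario, runs: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo annualized loss exposure: sample probable frequency and
    probable per-event loss independently, multiply, and summarize the spread."""
    rng = random.Random(seed)
    annual = []
    for _ in range(runs):
        freq = sample(s.event_frequency, rng)
        magnitude = sum(sample(r, rng) for r in s.losses.values())
        annual.append(freq * magnitude)
    deciles = quantiles(annual, n=10)   # deciles[8] is the 90th percentile
    return {"mean": mean(annual), "p90": deciles[8], "max": max(annual)}

def prioritize(scenarios: list[Scenario], **kw) -> list[tuple[str, str, float]]:
    """Rank scenarios by mean annualized loss exposure, highest first."""
    ranked = [(s.asset, s.threat, simulate(s, **kw)["mean"]) for s in scenarios]
    return sorted(ranked, key=lambda t: t[2], reverse=True)

# Constructed sample scenarios (made-up figures): a critical but insensitive
# production system versus a sensitive but non-critical patient database.
SCENARIOS = [
    Scenario("order-processing", "denial of access", (2, 4, 8),
             {"productivity": (20_000, 50_000, 120_000),
              "replacement": (1_000, 5_000, 10_000)}),
    Scenario("patient-records", "disclosure", (0.05, 0.2, 0.5),
             {"judgment": (200_000, 800_000, 3_000_000),
              "reputational": (100_000, 500_000, 2_000_000)}),
]
```

Calling `prioritize(SCENARIOS)` ranks the rare but costly disclosure of patient records above the frequent but cheaper outage, which is the point of weighing probable frequency against probable loss rather than frequency alone.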
How to Manage Risk using the FAIR risk assessment model?
The FAIR Institute provides a simple framework for effectively managing risk at all levels within an organization. Their framework aims to limit risks by managing the following five elements:
Cost-effective risk management
An effective program needs to work within a manageable budget. Unfortunately, not every risk can be mitigated, and sometimes business leaders need to balance the scale of impact vs cost.
To prioritize which risk is mitigated, business leaders need to have the necessary information and weighting of each risk to make an informed decision.
Once a business leader has the right priorities in place, they need to see which mitigation options they have and how these options compare.
Most decisions will have a quantifiable financial impact, and this needs to be measured and conveyed to all stakeholders to get their buy-in and cooperation.
Your risk management strategy is only as good as the model you use to quantify which risk is a priority. If your model isn’t accurate or can’t scale in real-life, it won’t provide the return on investment you need.
The FAIR risk assessment has proven to be a successful methodology for effective risk management. Many companies are outsourcing the complexities of risk management to consulting firms that have a specialized understanding of risk mitigation. We at RSI Security have a team of qualified, experienced, and highly knowledgeable risk management specialists.