Managing Risk More Effectively with FAIR
Managing cyber risk is a top priority for organizations across the globe, irrespective of the size or industry. According to Juniper research, cyber crimes have accounted for losses in trillions of dollars with the amount estimated to be in the trillions in 2019 and expected to grow in the future. As the threat of cyber risk grows, so does the need to quantify and manage it effectively. Organizations today need to understand the cyber risk in business terms to focus their resources on risks that matter the most and make decisions based on a reliable and meaningful risk assessment.
Risk Measurement Challenges
Conventional risk measurement approaches today don’t provide the information that’s needed to make well-informed decisions to manage risk. Obtaining a reliable cyber risk measurement is hindered by three core factors:
Imprecise Terminology: A fundamental issue with measuring risk starts with lack of defined terminology. Even basic terms such as Risk and Threat are used inconsistently. This makes it difficult to assess the risk reliably or communicate its impact effectively.
Undefined Scope: Many existing risk measurement frameworks use qualitative methods such as rank (High, Medium, Low) or ordinal scales (1-10). Often times, the assumptions that go into the rating are subjective and are not clearly understood. This makes it difficult to understand the true scope of risk. What does High Risk really mean? How are two risk scenarios in the High category compare? Even if the measurements are correct, they present issues with prioritization.
Inaccurate Models: The quality of risk measurement is heavily dependent on the understanding of complex interplay of risk factors and underlying models by risk practitioners. The source and accuracy of the models used need to be validated to ensure they can be trusted. Combined with imprecise terminology and lack of scope, the likelihood of precise and reliable risk measurement is not very high.
Why FAIR?Measuring risk qualitatively does not adequately address the risk management needs of today’s organizations. To measure risk more precisely and reliably, a different approach is needed. The FAIR Institute proposes FAIR (Factor Analysis of Information Risk), an open standard risk model that offers a quantitative approach to measuring and managing risk. It provides a framework for understanding and quantifying risk in financial terms. This establishes a solid foundation for managing risk more effectively by enabling organizations to make well-informed decisions rooted in the business context.The FAIR model overcomes imprecision and lack of scope shortcomings of traditional frameworks by defining risk more accurately by framing it in terms of loss events (example: a phishing campaign conducted by hackers that can lead to a database breach and loss of sensitive customer data and corporate information). The loss event scenarios are assessed in concrete terms:
Frequency – how likely they are to take place within a time interval
Magnitude – how much impact they may have in financial terms.
Using this framework, risk practitioners are able to measure risk more precisely and communicate its impact more clearly.
FAIR has been selected by the Open Group global consortium as the international standard information risk management model. The consortium is supported by more than 700 member organizations, including many leading technology vendors, world’s largest enterprises, government organizations, and academic institutions.
How can an enterprise use FAIR?
A good place to begin is to develop taxonomy of loss event scenarios, starting with the CIA triad (Confidentiality, Integrity, and Availability). We will focus on Confidentiality for our example, as that is the most relevant for cybersecurity. The next step is to add asset categories at risk and corresponding assets, e.g. IP (Code, Patents, Designs, ...). This is where unique industry and organizational differences will start to show and each organization's risk may vary based on what matters to them.
As the next step, threat landscape should be added, beginning with threat component categories, e.g. Employee, Outsider, etc. Threat components need to be added next to expand the threat landscape until sufficient level of granularity is reached. There should be enough detail included without making the model too complex and going past the point of diminishing returns.
With the risk scenario taxonomy complete, any enterprise will need to identify risk scenarios that are relevant to the organization and mark them in the matrix with “x”.
At this point, the enterprise will need to do a quick qualitative analysis on the scenarios marked with “x” to identify risk scenarios that represent the most risk (highlighted in red). This helps identify the assets the enterprise most cares about. Now, a full-fledged, quantifiable FAIR analysis can be conducted, using Monte Carlo simulation, on risk scenarios that represent the most risk in order to calibrate what’s in the matrix and figure out what matters the most to the organization.
Using Monte Carlo simulation will account for the inevitable variance of real-life data, and will require a range of inputs for event frequency and loss magnitude corresponding to each risk scenario (Min, Max, Most Likely). The resulting risk calculation is a bell-shaped curve that shows the probability of various amounts of loss between minimum and maximum amounts and offers additional insights, e.g. Average and Most Likely amounts of loss. The horizontal axis shows probable amount of losses and the vertical axis displays how many scenarios would result in these losses. With the risk assessment expressed in financial terms, decisions based on reliable cost-benefit analysis and impact of risk on the business can be made.
What to look out for?
This process of quantifying risk will establish the baseline risk assessment for the organization. Using the baseline, cost-benefit analysis can be conducted to evaluate available risk reduction options. To make this analysis meaningful for your organization, real data for the risk scenarios needs to be used. Relying on industry statistics will not result in an accurate or reliable evaluation of risk exposure for the organization. Moreover, the resulting baseline representation will be not be useful in calculating the effect of deploying risk remediation measures, since pre and post-event data needs to originate from the same source to provide a valid comparison.
Evaluating a Security Initiative Investments Using FAIR
The loss event scenario matrix developed above can be used to objectively evaluate an investment in security technologies or processes. Let’s consider for example that you are planning to invest in a data security solution to decrease the risk of a data breach that could result in a loss of PII or PCI assets (customer names, social security and credit card numbers). A pre-investment baseline can be established using the threat landscape matrix and FAIR estimates for loss event scenarios and likely financial impact of a data breach prior to any investments.
The next step is to apply FAIR to get a quantitative estimate of the financial impact of data breaches post the investment. As part of this process, we may conclude that investing in the solution from the data security vendor may result in the loss frequency to be reduced by 85%, leading to lower magnitude of loss of $2M. The resulting risk assessment is presented in financial terms and allows a vendor solution to be evaluated on the basis of the ROI, taking subjectivity out of consideration. If the ROI meets the required threshold for the organization, the solution deployment should proceed.
FAIR is a Complementary Risk Assessment Framework and not meant to replace other efforts
FAIR quantitative risk analysis is complementary to existing risk management frameworks. It offers an open standard risk quantification model and methodology that can be leveraged in addition to other frameworks. A quantitative approach is valuable for analyzing the organization’s risk profile and calculating effects that risk treatments will have on it. Understanding risk profile in financial terms helps organizations prioritize risk more effectively, enabling them to focus resources on those risks that are most likely to occur and cause the largest impact. It also helps evaluate security investments on a more objective basis around how it might tangibly shape risk reduction efforts. The result is a more effective and impactful risk management strategy.