Risk analysis webinar
DESCRIPTION
Introduction to FAIR: Factor Analysis of Information Risk, by Patrick Florer, Principal Consultant, April 28, 2010
TRANSCRIPT
Introduction to FAIR
Factor Analysis of Information Risk
by Patrick Florer, Principal Consultant
April 28, 2010
© 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR) – Definition of Risk
Let’s talk about risk
risk (rĭsk) [French risque, from Italian risco, rischio.]
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard.
3. The danger or probability of loss to an insurer.
4. The amount that an insurance company stands to lose.
5. The variability of returns from an investment.
6. The chance of nonpayment of a debt.
7. One considered with respect to the possibility of loss: a poor risk.
from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000 by Houghton Mifflin Company
Factor Analysis of Information Risk (FAIR) – Definition of Risk
risk:
Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.
from An Introduction to the OCTAVE℠ Method by Christopher Alberts and Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University; last updated January 30, 2001
Factor Analysis of Information Risk (FAIR) – Definition of Risk
risk:
The probable frequency and probable magnitude of future loss.
from the Factor Analysis of Information Risk (FAIR), ©2008 Risk Management Insight, LLC
Factor Analysis of Information Risk (FAIR) – IT-Related Risk
The net mission impact considering:
1. The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability
2. The resulting impact if this should occur.
IT-related risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.
from NIST Special Publication 800-30
And now, let’s talk briefly about a few other concepts that will be important in helping you to understand FAIR.
Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
What’s the difference?
Possibility –
“capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true”
Probability –
“The likelihood that a given event will occur”
And, in statistics –
“A number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences”
(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)
Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
Possibility – a set of outcomes, sometimes binary – yes or no – something that could happen.
Understanding the possibilities does not necessarily require data, just a knowledge of possible outcomes.
Probability – a mathematical calculation with a result where 0 <= P(x) <= 1. Probability is sometimes expressed as a percentage (0 – 100%), or as an odds ratio (3 out of 4).
Probability calculations require data – either actual/historical or estimates.
Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
Using a coin as an example …
The possibilities are …
The probabilities are …
Knowing the possibilities does not, in any way, allow you to predict whether the coin will come up heads on the next toss, or on any toss.
Knowing the probabilities does not allow you to do this, either, but it does allow you to predict the number of heads that will come up if you toss the coin a large number of times.
Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy
What’s the difference?
Precision –
“the ability of a measurement to be consistently reproduced”
Accuracy –
“the ability of a measurement to match the actual value of the quantity being measured”
(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)
Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy
Why does this matter?
Precise Accuracy –
This would be great, but it is often not achievable.
Precision –
For example, my watch may run 10 minutes slow with great precision. If you ask me the time, I may tell you the wrong time.
Accuracy –
My watch runs slow at times and fast at times. If you ask me the time, I will likely say – it’s about 10:00 o’clock – imprecise, perhaps, but good enough for the circumstances.
Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods
What’s the difference?
Qualitative – low, medium, high, or red, yellow, green, or 1 – 5, etc.
Good for some types of quick assessments and quick prioritizations.
But –
Variability in assessment is a problem, both between different assessors and with the same assessor over time.
Qualitative assessments cannot be manipulated arithmetically.
Qualitative scales are problematic near the boundaries.
Most of the time, when making a qualitative assessment, the assessor has a number in mind anyway – why not just use the number?
Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods
What’s the difference?
Quantitative –
Uses cardinal numbers – everyone understands numbers.
3 means 3 and $100k means $100k.
You can add, subtract, or do whatever you wish with numbers – you don’t have to guess!
But –
Quantitative approaches require data, either actual/historical, or estimated.
This may or may not be as big a problem as you might think!
Factor Analysis of Information Risk (FAIR) – Measurement
What’s the purpose of taking a measurement?
To reduce uncertainty.
Sometimes the “perfect” answer is unattainable. But, in many cases, it doesn’t matter. A reduction in uncertainty is what is required.
How much do we need to reduce uncertainty?
Only as much as required by the decision at hand.
And if we cannot reduce uncertainty to that level, then what?
We can either collect more measurements, or work with what we have.
Factor Analysis of Information Risk (FAIR) – Variability and Uncertainty
What’s the difference?
“Variability is the effect of chance and is a function of the system. It is not reproducible through either study or further measurement, but may be reduced by changing the physical system” [1]
“Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the parameters that characterize the physical system being modeled. It is sometimes reducible through further measurement or study, or by consulting more experts” [1]
[1] David Vose, Risk Analysis: A Quantitative Guide, 3rd edition, 2008, pp. 47-48
So, now that we have addressed all of that – what is FAIR?
Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis
Framework of interconnected models that describe how key elements of the
information risk landscape work.
Models that analyze the underlying dynamics of the information risk landscape.
Developed in 2001 and under continual evolution, FAIR was created by a CISO who was trying to find answers to:
• How much risk do we have?
• How much less/more risk will we have if ...?
• What are our most significant issues?
Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis
Future development underway in 2009-2011 by Aliado Accesso:
Decision Analytics based upon the Value of Additional Information
Opportunity Risk applications
Risk Analysis SaaS delivered by the Aliado Accesso web portal (under development)
Risk Analysis Training via CBT and Instructor-led courses
Factor Analysis of Information Risk (FAIR) – How is FAIR Different?
Emphasis on Risk
Logical and Rational Framework
Quantitative
Flexible
Rigorous
Repeatable
Factor Analysis of Information Risk (FAIR) – FAIR is being used to…
Prioritize risk issues for metric development and analysis
Identify and compare risk mitigation cost-benefit propositions
Design sophisticated what-if analyses
Business case development for security and risk management initiatives
Strategic development of a risk and security program while augmenting current risk frameworks
Opportunity Risk analysis
Breaking down communication barriers between business units and IT security, enabling well-informed business decisions
Factor Analysis of Information Risk (FAIR) – The Relationship between Primary and Secondary Loss
Scenario – a laptop is lost or stolen
1) Encryption, no sensitive data – small primary loss, no secondary loss
2) Encryption, sensitive data – small primary loss, no secondary loss
3) No encryption, no sensitive data – small primary loss, no secondary loss
4) No encryption, sensitive data – small primary loss, large secondary loss
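The FAIR definition above (probable frequency and probable magnitude of future loss) and the four laptop cases can be carried through as a small Monte Carlo calculation. This is an added example, not code from the webinar or from any FAIR tool; the `Estimate`/`Scenario` helpers, the triangular distribution standing in for a PERT curve, and every dollar and frequency figure are constructed assumptions chosen only to show how a large secondary loss dominates case 4.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most-likely / maximum estimate (hypothetical helper)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # A triangular distribution stands in for the PERT curves FAIR tooling usually draws from.
        return self.low if self.low == self.high else rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    primary_loss: Estimate          # dollars per event (replacement, rebuild, lost time)
    secondary_loss: Estimate        # dollars per event (notification, fines, reputation)


def simulate_annual_loss(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """FAIR risk = probable frequency x probable magnitude, run as a seeded Monte Carlo."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        freq = s.loss_event_frequency.sample(rng)
        # Turn the sampled rate into a whole number of events this year; the
        # fractional part becomes the chance of one additional event.
        events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
        totals.append(sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
                          for _ in range(events)))
    totals.sort()
    n = len(totals)
    return {"mean": sum(totals) / n, "p10": totals[n // 10], "p90": totals[(9 * n) // 10]}


NONE = Estimate(0, 0, 0)
LOST_PER_YEAR = Estimate(5, 10, 20)           # constructed: laptops lost or stolen per year
REPLACE_COST = Estimate(1_000, 2_000, 4_000)  # constructed: primary loss per laptop

# Constructed inputs for the slide's four cases; only case 4 carries a secondary loss.
LAPTOP_CASES = [
    Scenario("1) encrypted, no sensitive data", LOST_PER_YEAR, REPLACE_COST, NONE),
    Scenario("2) encrypted, sensitive data", LOST_PER_YEAR, REPLACE_COST, NONE),
    Scenario("3) not encrypted, no sensitive data", LOST_PER_YEAR, REPLACE_COST, NONE),
    Scenario("4) not encrypted, sensitive data", LOST_PER_YEAR, REPLACE_COST,
             Estimate(50_000, 200_000, 1_000_000)),
]

if __name__ == "__main__":
    for case in LAPTOP_CASES:
        r = simulate_annual_loss(case)
        print(f"{case.name:38s} mean ${r['mean']:>12,.0f}  p10 ${r['p10']:>12,.0f}  p90 ${r['p90']:>12,.0f}")
```

Reporting a p10/p90 range rather than a single number is what lets the result be accurate without pretending to be precise, the distinction the earlier slides draw.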
Aliado Accesso Confidential and Proprietary
Factor Analysis of Information Risk (FAIR) – About Aliado
Mission: Develop risk analysis software and methodologies to deliver education, consulting, and certifications to the enterprise for an accurate and defensible risk management program.
Founded by security professionals who have designed and executed enterprise security programs.
Markets: Retail, Financial Services, Aerospace, Manufacturing, Government, and Education.
Strategic Position: To be the partnering source for the ongoing development of your company’s risk management program and the education of the people who execute the plan.
Factor Analysis of Information Risk (FAIR) – What Aliado does …
Aliado’s risk management software gives organizations the key to translate risk loss exposure into real dollar values so that decision makers can strategically manage their IT Security budget and resources year after year. Our consultants can either implement a program from scratch or validate your current program.
FAIR is a software and methodology for your on-going risk management program.
No more:
• High/Medium/Low Categories
• Checking Boxes for Frameworks
• Implementing the Latest Security Software
• Selling by FUD
Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Packages
Payment Card Industry (PCI)
Privacy
Application Security
Data Loss Prevention (DLP/ILP)
Cloud Computing
Root Cause Analysis
Decision Analysis
Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Offering
FAIR Decision Analysis Offering – $995
For the month of May, we are offering a special promotion on our FAIRLite risk analysis offering. This assessment includes the following:
Consult with you to perform a FAIRLite quantitative analysis of a single scenario.
Provide a written summary and verbal explanation of the results.
Within 6 months, provide a re-analysis of the same scenario with updated information for $295.
For more information or to sign up, please contact [email protected].
Factor Analysis of Information Risk (FAIR) – Contact Us
Jody Keyser
www.aliadocorp.com
1-888-373-0680